How to validate an ISO 27001 vendor

An important question that often comes up on our ISO 27001 training courses is “How can I validate a vendor’s ISO 27001 certification claims?”

Unfortunately, because there is no central register of ISO certificates that you can check claims against, this can be hard to do.

What is ‘accredited’ certification?

Accredited certification bodies have been assessed by the relevant national authority to demonstrate competence, impartiality and performance capability in a conformity assessment.

It’s important to ensure that the certification body you use is accredited by the official national accreditation body, and that the national accreditation body is a member of the IAF (International Accreditation Forum), such as the NABCB (National Accreditation Board for Certification Bodies) in India and the DSM (Department of Standards Malaysia) in Malaysia.

Find out more about accredited certification >>

How you can validate an ISO 27001 certificate

Confirming the validity of an ISO 27001 certificate does require some work, but by following the steps below, it is possible to determine whether the claim of the certificate is valid and whether it was issued by an accredited certification body.

You should:

  1. Request a copy of the vendor’s certificate and any annexes issued with it;
  2. Identify the name of the certification body; and
  3. Check that the accreditation body subscribes to the IAF.

Once assured that the certificate was issued under the accredited certification scheme, you should check:

  • The scope of certification: Check that the certificate covers all the supplier’s business processes and locations that you are dealing with. A growing number of organisations restrict the scope to save on the cost of implementation or the certification audit, but this can compromise the extent of assurance that the certificate provides.
  • The certificate’s date of issue and expiry: This will give you an idea of how mature the ISMS (information security management system) should be. A tell-tale sign that a certificate is not issued by an accredited certification body is that it is valid for more than three years.
  • The reference to the SoA (Statement of Applicability): The certificate should contain a reference to the specific version of the SoA that it was audited against. You can request a copy of the SoA to review and ensure it satisfies your needs.

Gain an understanding of ISO 27001

To help you gain the knowledge and skills required to plan, implement and audit your own best-practice ISMS in your organisation, book a place on one of our globally recognised ISO 27001 training courses.

Ranging from Foundation level to Advanced, and available in a number of learning formats, our practical training courses are the perfect next step for your career.

Book your course now >>