If your organization is preparing to implement an Information Security Management System (ISMS) and pursue ISO/IEC 27001 certification, one of the most important early decisions you'll make is choosing the right certification body. This isn't a mere administrative step; it's a strategic choice that directly impacts the credibility, recognition, and long-term value of your certification.
Why Who You Pick Matters So Much
- They Need to Follow the Rules of the Road. The most important rulebook they have to follow is called ISO/IEC 17021-1. It's the standard that lays out how certification bodies should do their job—from how they conduct audits to how they train their people. On top of that, there's a specific set of rules for information security audits, called ISO/IEC 27006. You want to make sure the company you're considering follows both of these, so you know the audit will be fair and done by people who really know their stuff.
- They Need to Be Backed by an Official Body. This is a big one. You want your certification body to be accredited. Think of an accreditation body as an official overseer, like UKAS in the UK or ANAB in the U.S. These organizations are part of a global network called the International Accreditation Forum (IAF). If your certification body is accredited by an IAF member, it means they've been vetted and approved. This gives your certificate global credibility, so you won't run into problems with international clients who need to trust your security.
Depending on how your company is set up, a few other things can make a difference.
- For Multi-Site Companies: If you have offices in lots of different places, ask if they follow IAF MD 1. This document gives them the rules for how to do an audit across multiple locations without having to check every single one.
- For Remote Teams: If your team works from home or you do a lot of business over video calls, ask about IAF MD 4. This guide explains how they can use technology to do a good portion of the audit remotely, which can save a lot of time and hassle.
- For Extra Transparency: A great sign of a modern certification body is that it follows IAF MD 28. This newer rule requires them to upload your certificate information to a public database called IAF CertSearch, so anyone can look up and verify your certification online, which builds even more trust.
A Few Final Pointers Before You Start
When you’re ready to get quotes from a few companies, here are a few things to keep in mind:
- Ask for proof that they're accredited by an IAF member.
- Make sure they'll follow both the general ISO/IEC 17021-1 and the specific ISO/IEC 27006 standards.
- Find out about their experience. Have they audited other companies in your industry? Do they have a good reputation?
- Ask to see the résumés of the people who will actually be doing your audit. You want to make sure they're experts.
Getting certified is a big deal, and it all starts with picking the right partner. When you find a credible, accredited certification body, you're not just getting a certificate—you're building trust with everyone you work with, from your customers to your partners and beyond.