Compliance, Certification & Accreditation
There has recently been a number of organisations promoting to be certified against certain ISO standards such as the ISO 27017:2015, ISO 27018:2019 and ISO 27701:2019. It is essential to understand that although there are independent third parties that offer this certification service, only accredited bodies are capable of certifying you. Let us begin with understanding the difference between compliance, certification and accredited certification.
Being ISO compliant implies that an organisation is adhering to the requirements defined by the ISO standard. Compliance can be achieved internally by performing a self-assessment and without a formal certification process or a series of external audits to validate. Therefore, an organisation is internally attesting that they are meeting these requirements. As a result, any organisation that implements the ISO standard can claim to be compliant.
Being ISO certified implies an organisation is engaged with an independent third party or certification body to validate their conformance to a certain ISO standard. This process entails a series of audits by external parties to validate that the standard has been effectively implemented. The organisation is then provided with a certificate stating that they meet the requirements defined by the standard. Essentially what ISO certification means is that an organisation has secured a written statement or assurance from an independent third party or certification body. This indicates that the organisation had proved its conformance through an external audit, inspection of processes, products or services in alignment with the specified requirements.
Being accredited is the recognition and approval of a certification body by an independent accreditation party, officially recognising that the certification body works in accordance with international standards. Accreditation is an independent third-party endorsement of the certification. Certification bodies must get a license to conduct certification audits and issue certificates. Hence, certification bodies secure their licenses through accreditation. Accreditation bodies are required to be compliant with ISO 17011. Simply put, ISO accredited certification is issued when an organisation has fulfilled the requirements of an ISO standard, following an accreditation process by a certification body. Although both accreditation and certification are globally recognised, some regulatory bodies and clients may request an accredited certification.
Not every standard has an accredited certification available. Which brings us back to the claims of being certified against ISO 27017:2015 and ISO 27018:2019. There are currently no accredited certifications being issued for these standards. This is important for companies looking to get certified as well as those who are reviewing suppliers who claim to be certified. There are some companies, not accredited by notable accreditation bodies, that will offer unaccredited certifications against any standard.
In the United States there are currently six certification bodies that are accredited by ANAB. These certification bodies can certify against ISO 27701:2019. However, in some cases certain requirements need to be met. For example, A-LIGN can certify organisations against ISO 27701 as a standalone certification, but there is a requirement to be compliant with ISO 27001. At the moment, certifying against ISO 27017 and ISO 27018 cannot be performed, however they can be treated as an “add on” to the 27001 certification. There is yet to be any real guidance around the ISO 27017 and ISO 27018 certifications. The process behind it will most likely be up to the discretion of the certification body.
On the other hand, in the United Kingdom, UKAS is in in the process of providing the capability for certification bodies to become accredited to provide the ISO 27701 certification to clients. Having that said, clients need to obtain a UKAS accredited ISO 27001 certification prior to pursuing the ISO 27701 certification. Currently there are no certification bodies that are accredited to provide the ISO 27701 under UKAS. However, there are a couple of certification bodies going through the process of becoming accredited. As for the ISO 27017 and ISO 27018, you cannot be UKAS accredited since they consider these to be guidelines and not controls that are certifiable.
The IAF maintains a database of accreditation bodies around the world. The following are a few notable accreditation bodies:
- ANAB: ANSI-ASQ National Accreditation Board (North America)
- UKAS: United Kingdom Accreditation Service
- JAB: Japan Accreditation Board
- JAZ-ANZ : Australia and New Zealand Accreditation
- DAkkS: German Accreditation
Prior to engaging with an independent body or third party, it is essential to perform due diligence and verify their standing, whether they are listed with an accreditation body or if they are a member of the International Accreditation Forum (IAF). Confirming that a certification body is accredited will ensure that they are regulated, impartial and trustworthy as they are periodically subject to quality audits.
How can CyberCX help?
Our experienced team would be happy to help if you have any questions around compliance, certification and accredited certification.
Contact us for independent advice on the most appropriate route for your organisation.