Compliance, Certification and Accreditation

Governance Risk and Compliance

Recently, a number of organizations have been claiming to be certified against ISO standards such as ISO 27017:2015, ISO 27018:2019 and ISO 27701:2019. It is essential to understand that although many independent third parties offer a certification service, only accredited bodies can issue an accredited certification. Let us begin by understanding the difference between compliance, certification and accredited certification.

ISO Compliance

Being ISO compliant means that an organization is adhering to the requirements defined by the ISO standard. Compliance can be achieved internally through a self-assessment, without a formal certification process or a series of external audits to validate it. The organization is therefore attesting internally that it meets these requirements. As a result, any organization that implements an ISO standard can claim to be compliant.

ISO Certification

Being ISO certified means that an organization has engaged an independent third party, or certification body, to validate its conformance to a particular ISO standard. This process entails a series of audits by external parties to validate that the standard has been effectively implemented. The organization is then issued a certificate stating that it meets the requirements defined by the standard. Essentially, ISO certification means that an organization has secured a written statement or assurance from an independent third party or certification body, indicating that the organization has proved its conformance through an external audit and inspection of its processes, products or services against the specified requirements.

Accreditation

Accreditation is the recognition and approval of a certification body by an independent accreditation body, officially recognising that the certification body works in accordance with international standards. Accreditation is an independent third-party endorsement of the certification itself. Certification bodies must hold a licence to conduct certification audits and issue certificates, and they secure that licence through accreditation. Accreditation bodies, in turn, are required to comply with ISO 17011. Simply put, an ISO accredited certification is issued when an organization has fulfilled the requirements of an ISO standard and has been audited by an accredited certification body. Although both accredited and unaccredited certifications are recognized globally, some regulatory bodies and clients may specifically request an accredited certification.

Staying Informed

Not every standard has an accredited certification available, which brings us back to the claims of being certified against ISO 27017:2015 and ISO 27018:2019. There are currently no accredited certifications being issued for these standards. This matters both for companies looking to get certified and for those reviewing suppliers who claim to be certified. Some companies that are not accredited by any notable accreditation body will offer unaccredited certifications against any standard.

In the United States there are currently six certification bodies accredited by ANAB. These certification bodies can certify against ISO 27701:2019, although in some cases additional requirements must be met. For example, A-LIGN can certify organizations against ISO 27701 as a standalone certification, but the organization is required to be compliant with ISO 27001. At the moment, certification against ISO 27017 and ISO 27018 cannot be performed; however, they can be treated as an “add on” to the ISO 27001 certification. There is as yet no real guidance on ISO 27017 and ISO 27018 certification, so the process will most likely be left to the discretion of the certification body.

On the other hand, in the United States, USAS is in the process of enabling certification bodies to become accredited to provide ISO 27701 certification to clients. That said, clients need to obtain a USAS accredited ISO 27001 certification before pursuing ISO 27701 certification. Currently there are no certification bodies accredited to provide ISO 27701 certification under USAS, although a couple of certification bodies are going through the accreditation process. As for ISO 27017 and ISO 27018, USAS accreditation is not possible, since USAS considers these to be guidelines rather than certifiable controls.

Moving Forward

The IAF maintains a database of accreditation bodies around the world. The following are a few notable accreditation bodies:

Prior to engaging an independent body or third party, it is essential to perform due diligence and verify its standing: whether it is listed with an accreditation body, or whether it is a member of the International Accreditation Forum (IAF). Confirming that a certification body is accredited gives assurance that it is regulated, impartial and trustworthy, as accredited bodies are periodically subject to quality audits.

How can CyberCX help?

Our experienced team would be happy to help if you have any questions around compliance, certification and accredited certification.

Contact us for independent advice on the most appropriate route for your organization.
