How to know which firms are ISO 27001 certified

You have an important project to develop, and you need to hire an external partner, e.g., a SaaS company, to see it through. You’ve determined that information security is one of the top-priority criteria a vendor must fulfill in your screening process.

In this case, one of your requirements might be certification with the leading information security standard ISO 27001, but how do you know if the company on the other side of the process is actually ISO 27001 certified?

And, just as importantly, how do you know that this certification is issued by an accredited certification body? Find out in this article.

Request the certification from the vendor

Most companies that are certified will advertise this on their website and in their product/service documentation. This information alone isn’t enough, though. You need to verify a few essential factors of this certification, so the first step is to request this certification from the vendor.


Essential information on the certificate

Every certification body has its own layout and format of the certificates they issue, but there are a couple of key pieces of information on every certificate. I chose the order below not based on how it is reflected on the certificates, but on how much time and effort it will take to verify. After all, there is no reason to verify every aspect only to find out the certificate expired a long time ago.

[Figure: How to check ISO 27001 certified companies]

Relevance and usage

Now you know the key aspects to check on a certificate, but what is the relevance of this information, and how can you use it to ensure validity?

  1. The first point is obvious, but I didn’t want to omit this step. Your requirement is ISO 27001 certification, so ensure that you did receive an ISO 27001 certificate. It could happen that the filename accidentally contains ISO 27001, although the content is for a different ISO scheme.
  2. The expiration date, or “valid between” date, shows how long the certification is valid. If this date has passed, it clearly raises a flag and should be verified before continuing to invest time in your verification process.
  3. The company name and, especially, the address are a key part to verify. Certification is location-specific and does not apply to other locations of the vendor. When a vendor relocates, the certificate is not automatically valid for the new location. Do verify that the services or products your company will receive are delivered by, or manufactured at, that specific address.
  4. Every certificate contains the scope of the ISMS. Verify if the documented scope covers your requirements, i.e., that the services or products delivered by the vendor are within the scope of the ISMS.
  5. Now that you have verified that the ISMS and certification are within expectations, you should verify the certificate with the certification body. On the website of the certification body, you can usually find an online tool or a list with all issued certificates.
  6. Use the certificate number to search using the tool/website of the certification body (see previous step).
  7. After you have verified that the certificate was indeed issued by the certification body, and that it is still active, you should check if the certification body is accredited by an accreditation body. The accreditation body is listed on the certificate. Every country has its own accreditation body, which maintains a list of accredited certification bodies (we will come to this in the next section).
  8. Now that you’ve verified the certificate is issued by an accredited certification body, and that all other aspects were also in order, you might have reconsidered your list of vendors already. However, the last check might be the most important one: assessing the SoA (Statement of Applicability). This document will show you which of the 114 security controls in ISO 27001 Annex A, and possibly additional controls, are selected (applicable) and how they are implemented. At this stage you will be able to fully ascertain if the vendor is aligned with your security requirements. For more information on the importance of the SoA, read the article Statement of Applicability in ISO 27001 – What is it and why does it matter?

Accredited certification body

How do you ensure that your certificate is issued by an accredited certification body?

  1. The “International Accreditation Forum” (IAF) maintains a list of all international accreditation bodies that are members of the IAF. This list can be found here: IAF Member List.
  2. From there, you can select the applicable country to then see a list of all accreditation bodies.
  3. The accreditation body listed on the certificate should be listed here as well; go to the listed website.
  4. Every accreditation body has a list of certification bodies; the “hardest” part is finding the correct section on the accreditation body’s website. So, your next step is to go to the list of certification bodies. Looking at the website of UKAS (United Kingdom Accreditation Service), for example, you will immediately see a link to the “search” functionality for accredited organizations.
  5. Look for and select the certification body in scope.

If you want to know more about accredited vs. non-accredited certification, read the article Accredited ISO certification versus non-accredited: What it means and why it matters.

Vetting your vendor helps you maintain your own certification

Performing your due diligence in vetting your vendor will help you tremendously in understanding your vendor’s security stance and how it is aligned with your security management system. This will also help you pass or maintain your own ISO 27001 certification, so make sure you document your process and decisions!

It will also help you find gaps/risks between your vendor’s controls and your internal requirements. Finding gaps is expected and doesn’t have to be a red flag; it puts you in a position to start a good discussion, and it enables you to be in control of your own risks by recording them in your own risk register and responding appropriately.


Advisera Tom van der Stoop
Author
Tom van der Stoop
Tom van der Stoop is a Senior Privacy and Information Security Consultant based in the Netherlands, specializing in Privacy (GDPR), Information Security (ISO 27001), Quality (ISO 9001), and process optimization. He has over 20 years of experience in IT covering a wide range of industries, from banking to fashion, and from automotive to food. Amongst his vast experience and many qualifications, he is a certified ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, ITIL Expert, Certified Information Privacy Professional – Europe (CIPP/E), and Certified Information Privacy Manager (CIPM), and he also earned the distinct designation “IAPP Fellow of Information Privacy” (FIP) recognizing his outstanding work as a privacy professional.