ISO 27001/ISO 22301 Knowledge base

How to choose a certification body

Author: Dejan Kosutic

If you are implementing ISO 27001 or ISO 22301 (or any other ISO management standard), you’re probably wondering which certification body to hire. What are the criteria you should apply when making the decision?

Is only the price important?

Of course price is the main criterion, and of course you should ask a couple of certification bodies for their proposals and compare what each one includes.

However, the price is not everything – here are some other things you should consider when choosing which certification body to work with:

  • Reputation. If you want to use your certificate for marketing purposes, you probably don’t want to get the certificate from a body that is known to give them away with no criteria whatsoever. You should choose a certification body with a solid – if not perfect – reputation.
  • Accreditation. Actually, anyone can give you a piece of paper saying that you are ISO 27001 certified; but not everyone is accredited (i.e. licensed) to do so – therefore, you need to check whether that certification body has accreditation, that is, whether they have the license from the local government body in your country. For example, in the United Kingdom this body is UKAS; in the United States it is ANAB.
  • Specialization. If you are a bank, it is actually not a very good idea to hire a certification body that has so far certified only manufacturing companies. This auditor may have a lot of experience in business continuity, but if he has audited only manufacturing companies until now, you will lose too much time explaining to him how the bank works – as a result, he will learn more from you than you will from him.
  • Experience. Even if you might be tempted to choose an auditor with little experience in order to get through the audit easily, it is actually in your best interest to have an experienced auditor, because otherwise you might miss some valuable insight. So, do not be afraid to ask which auditor will audit you; ask for his CV and/or a list of companies he has audited.
  • Integrated audit. You may be starting only with ISO 27001, but if you also plan to implement ISO 22301, ISO 9001 and other standards, you can actually ask your certification body to do a so-called integrated audit. This means you won’t have to go through separate audits for each and every system (and pay the full fee for each of them), but you can do one audit for all these systems together – not only will you save time (an integrated audit takes less time than several separate audits), but also – yes, you will pay less.
  • Flexibility. If the certification body has to fly in the auditor from another continent (because they don’t have anyone locally), it will be very difficult for you to change the date of the audit (e.g. you didn’t finish your project, or some problem has happened) since all the travel arrangements have been made already.
  • Language. Even though the certification body might provide a translator if necessary, still the audit will go much smoother if the auditor speaks your language. He will read your documents much more easily, and you will be able to develop a better relationship with him if there is no language barrier.

Think about the total value

So there it is – as with any other supplier, you will have to do your homework and choose the one that is best for you. And remember, you have to think about the total cost of the service you’re receiving and the price of lost opportunity – a low-cost provider might take too much of your time and provide little value in return.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

3 responses to “How to choose a certification body”

  1. Ady says:

    Please suggest a few ISO 27001 Lead Auditor certification bodies you recommend for IT professionals in cyber security.
