
ISO 27001 certification for persons vs. organizations

Author: Dejan Kosutic

Very often when I deliver free webinars on the topic of ISO 27001 certification, I notice that quite a few attendees expect help with their personal certification related to ISO 27001, while the webinar is focused on the certification of organizations.

This kind of misunderstanding is not entirely unexpected, since many certifications in the security domain (e.g. CISSP, CISA, CISM) are certifications of persons and have nothing to do with organizations.

So, is ISO 27001 certification intended for organizations or persons? Actually, both.

Certification of organizations

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: companies (or any other type of organization) develop their Information Security Management System (ISMS), which consists of policies, procedures, people, technology, etc., and then invite a certification body to check whether their ISMS is compliant with the standard – this check is done during the so-called certification audit.

If the certification audit is successful, the certification body will issue a certificate which will state that the organization in question is compliant with ISO 27001.

In this case the employees working at that organization are not certified, although it has been confirmed that they behave according to the standard. To read more about the certification of organizations, see this article: Becoming ISO 27001 certified – How to prepare for certification audit.

Certification of persons

However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that if there are no qualified employees who would develop and maintain the management system, the whole concept would fail.

Therefore, very much like for ISO 9001, ISO 14001 and other management standards, various trainings have been developed for individuals who need to be educated in ISO 27001. There are now dozens of different trainings for individuals, lasting from a few hours to a few weeks – for an overview read this article: How to learn about ISO 27001 and BS 25999-2. The most recognized trainings are the ISO 27001 Lead Auditor Course and the ISO 27001 Lead Implementer Course, but only for the former is an internationally recognized certificate issued (under the accreditation of institutions like IRCA or RABQSA).

In this way, the individuals who attend the training and pass the exam obtain a certificate issued in their name. But even if all the employees at a company were certified, this still doesn’t mean that the company itself would get the certificate – there is quite a big difference between the certification of persons and of organizations.

So ISO 27001 does offer various possibilities for certification, unlike any other standard in the security domain. The best, of course, would be to pursue both certifications – certify your personnel so that they can help your organization develop and maintain an adequate level of security, and certify your company so that the training of the individuals is done systematically and according to realistic security needs.

Check out this ISO 27001 Lead Implementer Online Course that explains every step in the ISO 27001 implementation.


2 responses to “ISO 27001 certification for persons vs. organizations”

  1. Malcolm says:

    How can I have personal home ISO certification standards for my family?

    • Rhand Leal says:

      Who said we cannot drive a family as we do an organization? Your question is interesting in the fact that we really can apply ISO principles to a family unit.

      Considering the scenario you presented, I suggest you take a look at the ISO 9001 principles, detailed in this paper: Quality management principles –

      In a general manner, you may consider the quality management principles for your family this way:

      QMP 1 – Customer focus: As parents and children, you should seek to understand each other’s needs and focus on serving them (e.g., parents should protect their children, and children should study hard to value their parents’ effort).

      QMP 2 – Leadership: As parents, you should inspire your children by giving them a clear purpose and support for achieving that purpose (give them an allowance to administer, to buy something you and they consider important).

      QMP 3 – Engagement of people: Your children should be empowered at levels proper to their age so they can have a sense of responsibility and commitment to the activities and results they have to deliver (e.g., let them make their own study schedule).

      QMP 4 – Process approach: Understand and plan your activities before engaging in them so you can spend less effort (e.g., plan the weekly activities so all house duties and studies can be performed and you have time for fun too).

      QMP 5 – Improvement: Teach them and yourselves that everything can be improved over time, and what is not improved will not be useful in the future (e.g., because they’ve got an A on an exam does not mean that if they study the same way it will work in the future, and for yourselves, if you do not attend courses related to your profession you will fall behind regarding new methods and

      QMP 6 – Evidence-based decision making: every decision should be made based on facts instead of perceptions, because they are more likely to be the right ones, as well as being easier to explain (e.g., if school grades are repeatedly low, the chances are greater they will not pass).

      QMP 7 – Relationship management: a family does not sustain itself without interacting with neighbours, teachers, friends, and other people. You and your children should consider maintaining good relationships with all people.


Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera
