
Should your company go for the ISO 27001 / ISO 22301 certification?

Author: Dejan Kosutic

If your company is in the process of ISO 27001 or ISO 22301 implementation, you are probably wondering whether to go for the certification. And, as you probably know, certification is not mandatory – so you have to ask yourself one important question: Do you really need it?

Many organizations have implemented the standard(s) without going for the certification – one obvious example is banks and other financial institutions. Regulations in most countries require them to implement very strict information security and business continuity procedures and safeguards, and the majority of them did that using ISO 27001 and ISO 22301. But very few of them got certified – they concluded that there was no business reason for them to do it.

And this is exactly what you need to do – consider carefully if you need the certificate. Here are the potential reasons why you might find the certification useful:

1) Marketing. You can use the certificate to get some new clients (because of, e.g., tenders), or to stay in the business (e.g., all your competitors already have the certificate).

2) Compliance. In rare cases some regulations will require you to implement ISO 27001 or ISO 22301, but more often you will sign contracts with clients that oblige you to implement information security or business continuity compliant with these standards. Instead of having to host the auditors from each of your clients who want to check whether you complied with the contract, you can have the certification auditor do the job, and then show everyone else the certificate.

3) Internal pressure. In some companies, these kinds of projects will never finish unless there is powerful pressure – e.g., a clear deadline. So, if you agree with the certification body on a fixed date for the certification audit, both your management and your employees will have a much stronger sense of urgency for implementation.

4) Objective inputs. If you want your business continuity to be at a really high level, it is good to call in people with extensive experience who know how to benchmark you against the best in the industry. Certification auditors will be more than happy to audit someone who is trying really hard, and will provide inputs on what you could improve.

If none of these reasons applies to you, you probably don’t need the certificate at all – you can be one of those many companies that have implemented ISO 27001 and/or ISO 22301 because they understood that the biggest value is in the methodology these two standards provide.

To learn more, check out this free webinar: ISO 27001/ISO 22301: The certification process.
