Choosing the Right ISO 27001 Certification Body

Gaining ISO 27001 certification evidences that your organisation has implemented a robust information security management system (ISMS). A key decision on your ISO 27001 journey is selecting which certification body to work with for the formal certification process. Here are some tips on choosing the best ISO 27001 certification body for your needs:

Make Sure They Are UKAS Accredited

The United Kingdom Accreditation Service (UKAS) is the UK's national accreditation body and provides oversight of certification bodies operating in the UK. Confirm that potential certification partners hold current UKAS accreditation that specifically covers ISO 27001 certification; the UKAS website lists accredited bodies and the scope of their accreditation, so check there rather than relying on a logo on a website. Note that ISO itself does not certify organisations or recognise certificates: recognition comes from accreditation. Without it, your certificate carries little weight with customers and regulators, and because UKAS is a signatory to the international accreditation agreements, a UKAS-accredited certificate is recognised outside the UK as well. UKAS vetting helps ensure certification bodies meet standards for independence, competency, and impartiality. Preferring a UKAS-accredited provider supports the credibility of your eventual ISO 27001 certification.

Check Their Information Security Expertise

Look for a certification body with in-depth expertise in information security specifically. They should demonstrate technical knowledge spanning the key control areas addressed in ISO 27001, such as access control, cryptography, and incident management. Prior experience auditing organisations in your industry is also valuable, as is knowing who your assigned auditors would be and what their background is. The competency of their auditors directly affects the quality of your ISO 27001 audits and the learning value you derive from them.

Assess Their Customer Service Record

Speak to a few of the certification body's prior clients to solicit feedback on their services, or if an organisation you know holds ISO 27001, ask who they use for their certification and how happy they are with them. Key areas to investigate are responsiveness to client needs, flexibility around audit scheduling, and the extent of post-audit support they provide. A customer-centric focus and strong client reviews are indicators of a quality certification partner.

Compare Cost Structures

Pricing tends not to vary much between certification bodies, but it is worth gathering multiple quotes, as you may be able to negotiate with a preferred provider. Make sure you know exactly which services are covered under proposed contracts, for example whether the quote includes the initial two-stage certification audit, the annual surveillance audits, and the recertification audit at the end of the three-year cycle. Besides the obvious cost factor, also weigh their relative strengths and weaknesses in other areas, for example whether they can meet your timetable. Avoid choosing a certification partner on price alone.

Payment Terms

Usually, as soon as you have agreed to work with a certification body, they will invoice you for 50% of the fee, with the remainder due before the certification audit. After each annual audit they are keen to get you booked in for the next one, as they receive 50% of their money straight away. Be aware of this from a budgeting perspective.

It’s like football, there is a transfer fee

Once you have chosen a certification body, it is very hard to move from that one to another. There is a transfer fee to close business with one provider and open with another, so don't expect to chop and change providers on a regular basis. We've found that the transfer fee usually outweighs any financial benefit, but it might be worth changing if you are very unhappy with your certification body.

Conclusion

Choosing the right ISO 27001 certification body requires balancing factors such as accreditation status, information security expertise, good customer service, and value for money. Investing effort upfront to vet potential providers will pay dividends throughout your information security audit experience.

If you want to talk to us about how to choose a certification body, please book a call here.