Within this blog post, we will discuss the importance of knowing how to read an ISO information security certificate received from an ISO-certified entity. The knowledge gained from this blog will assist readers in determining whether the certificates they obtain are valid. Receipt of a valid ISO certificate from a vendor or subservice provider, depending on the standard it represents, may reduce components of risk and support doing business with that entity.
What Are ISO Standards?
In order to understand the ISO standards, a little background on ISO, the International Standards Organization, is required. ISO is an independent, non-governmental international organization. The primary goal of ISO is to bring experts together to share knowledge in an effort to create relevant international standards that support process innovation and provide solutions to problems in all industries around the world. As of 2022, ISO is a federation of national standards organizations with members from 167 countries (each country has one representing member). ISO currently has 804 technical committees and subcommittees concerned with standards development.
The ISO standards, developed by ISO in cooperation with national standards organizations around the world, are internationally recognized and agreed upon and describe the best way to do a specific activity across many industries. ISO has developed over 24,676 standards as of February 2023, covering topics such as manufactured products, technology, food safety, agriculture, and healthcare.
ISO created its information security standards as a guide for companies to maintain a safe environment for information assets, and those standards are the focus of this blog. ISO produces standard families (ISO 9000, ISO 27000, ISO 14000, etc.) that provide a wealth of information and implementation support to their users. The standards within each family that end in “1” (9001, 27001, 14001, etc.) are the ones an organization can be certified against.
Examples of ISO information security standards that an entity may be certified against include the following:
- ISO/IEC 9001 – A standard for general quality management systems (QMS)
- ISO/IEC 27001 – A standard for Information Security Management Systems (ISMS)
- ISO/IEC 27701 – A standard for Privacy Information Management Systems (PIMS)
- ISO/IEC 14001 – A standard for Environmental Management Systems (EMS)
Note that the ISO/IEC titling shows that the ISO standards cover a broad range of topics that are not always related specifically to electrical systems. The IEC standards are specific to electrical and electronic technologies. Therefore, ISO cooperates with the International Electrotechnical Commission (IEC) in authoring the international standards for electrical, electronic, and related technologies.
If you or a member of your compliance group would like assistance with understanding the ISO certificate validation process in more detail, reach out to us to schedule time with an ISO subject matter expert who can assist with this or other ISO questions you may have.
ISO Accreditation versus ISO Certification
Organizations that are considering ISO standards and decide to formalize this with a third-party audit may question whether they are working to become ISO accredited or ISO certified.
ISO provides the definition for each to assist entities with the differentiation:
- “ISO Certification – the provision by an independent Certification Body of written assurance (a certificate) that the product, service or system in question meets specific requirements.”
- “ISO Accreditation – the formal recognition by an independent body, generally known as an Accreditation Body, that a Certification Body operates according to international standards.”
Therefore, based on these definitions, organizations seeking third-party recognition of their application of the ISO standards are looking to become ISO certified. These entities receive a certification and a certificate to give to their users.
Accreditation applies to organizations that wish to become Certification Bodies.
ISO Certificate Key Data Points
An ISO certificate that an organization provides to demonstrate its ISO certification is required to include certain key data points. These are the data points a user of the company’s services needs in order to assess the validity of the certificate.
The primary key data points used for the validation of the certificate include:
- Certificate Number – A unique reference number tied directly to that entity and its certificate; it can be used to search for the certificate and confirm its validity.
- Standard(s) being Certified – The certificate should clearly indicate the standard the entity is being certified upon: for example, ISO/IEC 27001.
- Scope being Certified – The scope outlines the locations and business operations that are covered by the certification.
- Expiration Date – An ISO certification is valid for up to three years, and is subject to required annual surveillance audits.
- Accreditation Body Name and/or Logo – This identifies the national accreditation body that accredited the certification body, making the certification body eligible to conduct certification procedures.
- Certification Body Name and/or Logo – This identifies the third-party auditor that assessed whether the organization complied with the appropriate ISO standard(s).
With these data points, users of the certificate can research and independently confirm that the certificate is valid and current, that it was issued by an accredited certification body, and that a responsible accreditation body stands behind that certification body, making it an internationally recognized certification.
Can You Verify An ISO Certification Online?
To determine whether the certification body is accredited, a user of the certificate can verify this online. To perform ISO certificate verification online, individuals should visit the national accreditation body in that entity’s country or visit the International Accreditation Forum (IAF) and perform a certification body search. The IAF currently aggregates data from 75 Accreditation Bodies and 1,362 Certification Bodies, which enables users to fairly easily confirm the validity of the AB and CB.
Note that “accreditation is not compulsory and/or required, and non-accreditation does not necessarily mean the certification body is not reputable.” However, one of the many benefits of an accredited certification body is that it will appear in the IAF, and it is subject to independent confirmation of its competence.
Purpose of ISO/IEC 17021-1:2015 Standard
In order for a certification body to become accredited, it must demonstrate adherence to and competence with the ISO/IEC 17021-1:2015 standard. This standard “contains principles and the requirements for the competence, consistency, and impartiality of bodies providing audit and certification of all types of management systems.” Certification bodies operating under ISO/IEC 17021-1:2015 do not need to offer all of the ISO management system certifications; instead, they must specify the systems they will certify, and that scope is included in their assessment.
“Certification of management systems is a third-party conformity assessment activity and bodies performing this activity are therefore third-party conformity assessment bodies.” When a company is trying to become an accredited certification body, a process review and assessment is conducted in accordance with the relevant CASCO standards for the certifications that the company intends to offer its clients.
The American National Standards Institute (ANSI) is a regulatory body that governs standards in the United States, and the ANSI National Accreditation Board (ANAB), a non-governmental organization that is a wholly-owned subsidiary of ANSI, is one of a few organizations that can accredit a certification body. After the accreditation process is completed, a certification body has the ability to issue accredited ISO certifications. Until the process is completed, any certificates issued by that body are considered non-accredited ISO certificates, but they are eligible for conversion once the accreditation process is completed.
Non-Accredited ISO Certifications
When a user of a certificate attempts to validate an ISO certificate received from an organization, the user may find that the certificate does not carry the logo of the certification body (CB) and/or the accreditation body (AB). If the certificate does not carry the logo of an AB, it is considered a non-accredited certificate. A non-accredited ISO certification is a certification issued by a non-accredited certification body. Such a certificate, even if it is considered legally valid, is not part of the international system, and the issuing certification body is not under any existing oversight.
It is important to point out that there are consequences to consider when a certification body is not accredited by any of the recognized accreditation bodies throughout the world. As mentioned previously, there is no certification oversight. Therefore, if something goes wrong with the certification, there is no higher authority to which concerns can be taken.
Also, an entity may decide to switch certification bodies at some stage. Switching between certification bodies is straightforward if both bodies are accredited. However, if you switch from a non-accredited body to an accredited certification body, your previous certification will not be recognized. Lastly, because a non-accredited certification is not regulated, there is a chance the certification body is not providing what was promised, is not operating under industry requirements, and/or is not applying the scrutiny and testing that the standard and its processes demand.
Determining an ISO Certificate is Valid
With so many different ISO certifications, it can be a struggle to determine the validity of an ISO certificate. However, if you work through the key data points discussed above and perform due diligence procedures on each point, you can gain reasonable assurance that the certification is valid:
- Find the certificate number and use it to search the IAF tool.
- Identify the standard being addressed and determine if that standard is the relevant standard required to address your business concern or consideration.
- Identify the locations and business areas being included in the scope of the certificate and determine that your area of use for that entity is included.
- Determine that the ISO certificate has not expired. If it is mid-period, determine that the surveillance audits have successfully taken place and that the certificate has not been revoked or suspended.
- Inspect for the accreditation body name or logo and determine that it was accredited by an entity with the appropriate accreditation authority.
- Inspect for the certification body name or logo and determine that the certification body is accredited. If it is not, determine what steps your entity deems necessary before placing reliance on the certificate, as appropriate.
- Perform any other due diligence steps that your organization requires as part of its compliance evaluation processes.
Summary
In summary, ISO certifications can provide a best-practice framework for establishing information security management systems. When deciding to rely on an organization’s ISO certificates, execute appropriate due diligence to gain comfort with the validity of the certificate. Of course, this blog only covered the basics of ISO certificate validity, so if you have more questions about ISO in general, are interested in your company becoming ISO certified, or want to understand where Linford and Company currently sits in the accreditation process, please reach out!
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.