CHAPTER 4: CERTIFICATION PROCESS

ISO27001 provides a specification against which an organisation’s ISMS can be independently audited by an accredited certification body. If the ISMS is found to conform to the specification, the organisation can be issued with a formal certificate confirming this.

Certification bodies

Certification is carried out by independent, accredited certification bodies. These are called different things in different countries, including ‘registration bodies’, ‘assessment and registration bodies’, ‘certification/registration bodies’ and ‘registrars’. Whatever they are called, they all do the same thing and are subject to the same requirements.

An accredited certification body is one that has demonstrated to a national accreditation body (such as UKAS, the UK Accreditation Service) that it has fully met the international and any national standards set down for the operation of certification bodies. These standards usually restrict the capacity of an accredited certification body to provide consultancy services in relation to a standard for which it also provides certification services.

Organisations that are seeking independent certification of their ISMS should always go to an accredited certification body. Their certificates are usually valid for three years and are subject to periodic maintenance visits by the certification body; they have international credibility and will be issued in line with an approved system for the issue and maintenance of such certificates. An approved version of the scheme’s certification symbol may be used in the organisation’s marketing material.

There is a list of some accredited certification and other bodies in the links pages of www.itgovernance.co.uk/web_links.aspx.
