Ensuring Vendor ISO 27001 Certification


You have an important project and need to hire an external partner, such as a SaaS company. Information security is a top priority for your screening process, and one of your requirements might be certification against the leading information security management standard, ISO/IEC 27001. But how do you verify that the company actually holds a valid ISO 27001 certificate, and that the certificate was issued by an accredited certification body rather than by a self-declared one?

Request the Certification from the Vendor

Most companies that are certified will advertise this on their website and in their documentation, but a logo or a statement alone isn’t evidence of anything. You need to verify a few essential facts yourself, so start by requesting a copy of the certificate from the vendor.

Essential Information on the Certificate

Every certification body has its own layout and format, but some key pieces of information are common to all certificates. Here’s what to check:

  1. ISO 27001 Certification: Ensure the certificate is indeed for ISO/IEC 27001 and not, for example, ISO 9001 or a related standard. Filenames and cover e-mails can be misleading. Note which edition is named: ISO/IEC 27001:2013 certificates are being replaced by ISO/IEC 27001:2022 certificates, and the transition period for the 2013 edition ends on 31 October 2025.

  2. Expiration Date: Check the expiration date to ensure the certification is still valid. Certificates are normally issued for a three-year cycle with annual surveillance audits, so a certificate can be suspended or withdrawn well before its printed expiry date; the certification body’s register (see below) is the authoritative source for current status.

  3. Company Name and Address: Verify the certification applies to the legal entity and the specific location(s) relevant to the services or products you will receive. A certificate covering one office or data centre says nothing about a sister company or a site that isn’t listed.

  4. Scope of the ISMS: Read the documented scope statement carefully and ensure the services or products delivered to you fall within it. A narrowly worded scope (for example, only an internal IT function) can leave the service you are buying entirely outside the certified ISMS.

Verifying the Certification

  • Certification Body: The certification body named on the certificate usually publishes a register or lookup tool for all certificates it has issued. Use the certificate number to confirm that the certificate exists, is current (not suspended or withdrawn), and matches the company name, locations and scope shown on the copy you received. The IAF also operates the IAF CertSearch database, which many accredited certification bodies feed, and which can be used as an additional cross-check.

  • Accreditation Body: Check that the certification body itself is accredited for ISO/IEC 27001. The accreditation body and its mark are normally printed on the certificate. Most countries have a national accreditation body (a few have more than one), and the IAF maintains the list of its member accreditation bodies. A certificate issued by an unaccredited body has not been subject to any independent oversight of the auditor.

Steps to Verify Accreditation

  • Visit the IAF Member List: Find the applicable country to see a list of accreditation bodies.

  • Check the Accreditation Body: Ensure the accreditation body listed on the certificate is on this list.

  • List of Certification Bodies: Accreditation bodies have lists of certification bodies. For example, UKAS has a search functionality for accredited organizations.

  • Verify the Certification Body: Ensure the certification body is listed and that its accreditation specifically covers ISO/IEC 27001 management system certification, not only other standards.

Assessing the Statement of Applicability (SoA)

The SoA lists the Annex A controls the vendor has selected, how each is implemented, and a justification for any control that has been excluded. The number of controls depends on the edition: ISO/IEC 27001:2013 Annex A contains 114 controls, while ISO/IEC 27001:2022 Annex A reorganises them into 93 controls, so check that the SoA matches the edition named on the certificate. This document lets you verify whether the vendor’s implemented controls align with your own security requirements, and the excluded controls (with their justifications) are often where the most useful questions arise.

Vetting Your Vendor

Vetting your vendor helps you understand their security stance and how it aligns with your own information security management system. Supplier relationships are themselves an Annex A control area, so this process also supports maintaining your own ISO 27001 certification. Document your process, the evidence you checked and the decisions you reached.

Finding gaps between your vendor’s controls and your internal requirements is normal and doesn’t have to be a red flag. It gives you a basis for discussion with the vendor and lets you manage the residual risk by recording it in your risk register and treating it appropriately, for example through contractual requirements, compensating controls on your side, or formal acceptance.