Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Are Your Vendors Really ISO 27001 Certified?


about the author

Security and privacy are watch-words of the modern era. With every new high-profile breach, and with the rise of Data Protection laws globally, the onus is on every business and organisation to demonstrate that they are taking reasonable steps to protect the personal information they use. This is where security standards, such as ISO 27001, have an important role.

What is ISO 27001 ?

ISO 27001 provides a way for you to show that you have analysed your businesses, identified risks, acted to minimise the likelihood and/or impact of these risks, and that you’ve then had an independent outside party check that everything you’re doing is reasonable. As this check happens every year, it’s an ongoing commitment to compliance.

When selecting vendors, whether it’s an outsourcer who will process your paper work, or a SaaS vendor who will process information in the cloud, or any other service where you will be relying on their security standards to protect your data and reputation, ISO 27001 is a valuable certification. But how can you be sure that the business you are dealing with has a valid certification?

ISO 27001 Compliant vs ISO 27001 Certified

Well, the first thing to do is to ask for a copy of the ISO certificate. It is common to find vendors who proudly claim that they are “aligned to ISO 27001” however think about what this means. Aligned and certified are very different things. If a company is doing all the hard work to “align” with the ISO standard, why not take the final step and become certified? Or, have they been previously certified and had it removed for failing to meet the required standards?

The Scope of ISO 27001

Once you receive the certificate, the next thing to check is that it is valid and that it covers the areas that you intend to use the vendor for. So, the first step here is to check the expiration date of the certificate. If it has expired, it isn’t valid. Next, check that the body who issued the certificate is accredited. The IAF Member List clearly documents who is authorised to accredit certification bodies. For example, in the UK it is UKAS. Then check that the body who has accredited the vendor’s certificate is listed on the specific country’s site.

We now know that the certificate is valid, but we’re not done yet. Next, we need to check that the certificate covers the activities we want the vendor to undertake at the sites where the work will take place. ISO 27001 allows you to select what you will be certified on and the specific sites that it applies to. This is the scope of the certification.

For example, let’s say a firm that deals with the secure disposal of paperwork expands its operations into a new site. They have an ISO certification for their original site. The certification does not cover the new site until it completes the certification process for it. Now a certification can cover multiple sites, but only if it is explicitly stated. Or what if the same company decided to purchase a SaaS payroll provider? The ISO certificate is only for the secure disposal of paperwork, it doesn’t cover the SaaS operation.

Finally, once you are satisfied that the certificate covers the scope you require, you need to check the controls the vendor has in place to make sure they meet your requirements and expectations. ISO certification is an ongoing and evolving process. As the nature of risks and customer requirements change, so do the controls. So, check your vendor controls, if they don’t meet your requirements, then insist that further controls are put in place. This will give you the peace of mind you need, while at the same time making re-certification easier for the vendor, as they can demonstrate that they are actively assessing the controls they use and update them as required.

How you select vendors and assess them is an important aspect of maintaining your own ISO 27001 certification, so remember these three steps:

First – check that the vendor’s certificate is valid.

Second – check that the scope is applicable.

Finally – check that the controls meet your needs and expectations.

MetaCompliance is proud to be ISO 27001 compliant. At MetaCompliance, we have always strived to provide our customers with the strongest information-security infrastructure. This certification guarantees that our products are set to the highest standards via approved and documented processes and that we are committed to the highest standard of information security. For more information, get in touch

you might enjoy reading these