Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes

Leadership

Meet the MetaCompliance Leadership Team

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Are Your Vendors Really ISO 27001 Certified?

Iso20071

about the author

Share this post

Security and privacy are watch-words of the modern era. With every new high-profile breach, and with the rise of Data Protection laws globally, the onus is on every business and organisation to demonstrate that they are taking reasonable steps to protect the personal information they use. This is where security standards, such as ISO 27001, have an important role.

What is ISO 27001 ?

ISO 27001 provides a way for you to show that you have analysed your businesses, identified risks, acted to minimise the likelihood and/or impact of these risks, and that you’ve then had an independent outside party check that everything you’re doing is reasonable. As this check happens every year, it’s an ongoing commitment to compliance.

When selecting vendors, whether it’s an outsourcer who will process your paper work, or a SaaS vendor who will process information in the cloud, or any other service where you will be relying on their security standards to protect your data and reputation, ISO 27001 is a valuable certification. But how can you be sure that the business you are dealing with has a valid certification?

ISO 27001 Compliant vs ISO 27001 Certified

Well, the first thing to do is to ask for a copy of the ISO certificate. It is common to find vendors who proudly claim that they are “aligned to ISO 27001” however think about what this means. Aligned and certified are very different things. If a company is doing all the hard work to “align” with the ISO standard, why not take the final step and become certified? Or, have they been previously certified and had it removed for failing to meet the required standards?

The Scope of ISO 27001

Once you receive the certificate, the next thing to check is that it is valid and that it covers the areas that you intend to use the vendor for. So, the first step here is to check the expiration date of the certificate. If it has expired, it isn’t valid. Next, check that the body who issued the certificate is accredited. The IAF Member List clearly documents who is authorised to accredit certification bodies. For example, in the UK it is UKAS. Then check that the body who has accredited the vendor’s certificate is listed on the specific country’s site.

We now know that the certificate is valid, but we’re not done yet. Next, we need to check that the certificate covers the activities we want the vendor to undertake at the sites where the work will take place. ISO 27001 allows you to select what you will be certified on and the specific sites that it applies to. This is the scope of the certification.

For example, let’s say a firm that deals with the secure disposal of paperwork expands its operations into a new site. They have an ISO certification for their original site. The certification does not cover the new site until it completes the certification process for it. Now a certification can cover multiple sites, but only if it is explicitly stated. Or what if the same company decided to purchase a SaaS payroll provider? The ISO certificate is only for the secure disposal of paperwork, it doesn’t cover the SaaS operation.

Finally, once you are satisfied that the certificate covers the scope you require, you need to check the controls the vendor has in place to make sure they meet your requirements and expectations. ISO certification is an ongoing and evolving process. As the nature of risks and customer requirements change, so do the controls. So, check your vendor controls, if they don’t meet your requirements, then insist that further controls are put in place. This will give you the peace of mind you need, while at the same time making re-certification easier for the vendor, as they can demonstrate that they are actively assessing the controls they use and update them as required.

How you select vendors and assess them is an important aspect of maintaining your own ISO 27001 certification, so remember these three steps:

First – check that the vendor’s certificate is valid.

Second – check that the scope is applicable.

Finally – check that the controls meet your needs and expectations.

MetaCompliance is proud to be ISO 27001 compliant. At MetaCompliance, we have always strived to provide our customers with the strongest information-security infrastructure. This certification guarantees that our products are set to the highest standards via approved and documented processes and that we are committed to the highest standard of information security. For more information, get in touch

Other Articles on Cyber Security Awareness Training You Might Find Interesting