I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

How to check the validity of an ISO certificate

Friday, April 7, 2017 - 13:05

Many organizations want to check that their suppliers and partners are managing information security risk, and possession of an ISO 27001 certificate is often the preferred way to evidence this. If you are reliant upon the assurances that an ISO certificate can provide, checking that the certificate is valid is an important but not particularly difficult process.

Is the certificate the one you expected?

Check that the certificate is actually the one you asked for. If you want to know if the organization is managing information security risk, an ISO 14001 certificate (environmental management) is no use.

Is the certificate issued to the correct organization?

Make sure that the name on the certificate is what you expected. There can be legitimate reasons for it to be different – many companies have quite complex structures – but you should understand the relationship between the name you expected and the name on the certificate.

Does the certificate scope cover the activities you are interested in?

Not all certificates cover all activities conducted by their organization. If you are interested in buying networking equipment from a supplier, a certificate that only covers photocopier maintenance services doesn’t provide you with the right assurances.

Is the certificate in-date?

Certificates always come with an expiry date, usually at most three years from when the certificate was issued. Check that the certificate is still valid at the current date. If an expiry date is missing, there is also a problem.

Is the certificate issued by a recognized certification body?

Any organization can issue certificates, but it is impractical to keep track of the competencies of every certification body. Instead, check the organization that has accredited the certification body. Each country normally has a single recognized accreditation body - in the UK this is UKAS. You should then check that this accreditation body is a member of the International Accreditation Forum (IAF). It is usual for a company to use a local certification body, and for a certification body to use a local accreditation body, but this is not strictly necessary.

Unless you have the resources to check the competencies of certification bodies, this should be the primary method of recognizing a certification body. It is important to stress that possession of a certificate not recognized through this method is not evidence that the organization does not conform to the standard.

Finally

If a certificate has passed all these checks then you can be reasonably sure that it is a valid certificate. This does not take into account the possibility that the certificate presented to you is not authentic. To check the authenticity of a certificate, contact the certification body. To check the authenticity of a certification body’s accreditation, contact their accreditation body.
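The checks above, applied to a supplier certificate record as an added example (not code from the original post or from Janet). The dataclass fields, the sample records and the IAF member set are all constructed assumptions; the real member list must be taken from the IAF, and authenticity still has to be confirmed with the certification body.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed for illustration only: the authoritative list of accredited
# bodies must come from the IAF itself, not from this set.
ASSUMED_IAF_MEMBERS = {"UKAS"}


@dataclass
class Certificate:
    standard: str                       # e.g. "ISO 27001"
    holder: str                         # organization named on the certificate
    scope: str                          # scope statement as printed
    certification_body: str
    accreditation_body: Optional[str]   # None if no accreditation is stated
    expires: Optional[date]             # None if the certificate has no expiry


def check_certificate(cert: Certificate, expected_standard: str, expected_holder: str,
                      activity: str, today: date,
                      iaf_members=ASSUMED_IAF_MEMBERS) -> Tuple[bool, List[str]]:
    """Apply the five checks from the post; returns (all_passed, findings).
    Authenticity is out of scope: that needs a call to the certification body."""
    def norm(s: str) -> str:
        return "".join(s.split()).casefold()

    findings = []
    if norm(cert.standard) != norm(expected_standard):
        findings.append(f"standard is {cert.standard}, not {expected_standard}")
    if norm(cert.holder) != norm(expected_holder):
        findings.append(f"issued to '{cert.holder}', not '{expected_holder}': confirm the relationship")
    # Crude substring match; a person still has to read the scope statement.
    if activity.casefold() not in cert.scope.casefold():
        findings.append(f"scope does not cover '{activity}'")
    if cert.expires is None:
        findings.append("no expiry date on the certificate")
    elif cert.expires < today:
        findings.append(f"expired on {cert.expires.isoformat()}")
    if cert.accreditation_body is None or cert.accreditation_body not in iaf_members:
        # Not recognized via the IAF route; as the post notes, this alone is not proof of non-conformance.
        findings.append(f"accreditation body {cert.accreditation_body!r} not recognized as an IAF member")
    return (not findings, findings)


# Constructed sample records (no real organizations); TODAY is the post's date.
TODAY = date(2017, 4, 7)
GOOD_CERT = Certificate("ISO 27001", "Example Networks Ltd", "Supply and support of network equipment",
                        "Example Certification Ltd", "UKAS", date(2019, 6, 30))
BAD_CERT = Certificate("ISO 14001", "Example Networks Ltd", "Photocopier maintenance services",
                       "Example Certification Ltd", None, None)
```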