Chapter 21. Selection of a Certification Body

Any organization seeking certification will want to be sure that there is a cultural fit between itself and its supplier of certification services, and there will certainly be all the normal issues of ensuring that there is alignment between the desires of the buyer and the offering, including pricing and service, of the vendor. It is completely appropriate to treat the selection of a certification body with the same professionalism as the selection of any other supplier.

There are two key issues that do need to be taken into account when making this selection: the first is relevant to organizations that already have one or more externally certified management systems in place; and the second applies specifically to organizations tackling ISO 27001.

It is essential that your ISMS is fully integrated into your organization; it will not work effectively if it is a separate management system that exists outside of and parallel to any other management systems. Logically, this means that the framework, processes and controls of the ISMS must, to the greatest extent possible, be integrated with, for instance, your ISO 9001 quality system: you want one document control system, one set of processes for each part of the organization, and so on. Clearly, therefore, assessment of your management systems must also be integrated: you only want one audit that deals with all the aspects of your management system. It is simply too disruptive to the organization, too costly and too destructive of good business practice, to do anything else. You should take this into account when selecting your ISO 27001 certification body, and ensure that whoever you choose can and does offer an integrated assessment service.

The second issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization's assessment of risks in and around information security. In other words, each ISMS will be different. It is important, therefore, that each external assessment of an ISMS takes that difference into account, so that the client gets an assessment that adds value to its business rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO 27001.

In the UK, the United Kingdom Accreditation Service (UKAS) operates under a Memorandum of Understanding from the Department of Trade and Industry. UKAS accredits the competence of certification bodies – both inside and outside the UK – to perform services in the areas of product and management system approval.

The organization should use only an accredited certification body when seeking ISO 27001 certification. A list of organizations that have achieved BS 7799-2 or ISO 27001 certification, together with the scope of each certificate, can be reviewed at the website of the international user group, www.xisec.com. A certificate is usually valid for up to three years.
