As the number of cyber attacks continues to grow, many companies are adding ISO 27001 certification as a requirement on their supplier set-up forms. This is a good idea, especially as the forthcoming General Data Protection Regulation (GDPR) focuses on vendor management. If a vendor has an ISO 27001-compliant information security management system (ISMS) in place, this provides concrete evidence that the organisation is in a strong place with regards its GDPR compliance.
We are often asked on our ISO 27001 Certified ISMS Lead Implementer Course how you can validate an ISO 27001 vendor, so we have decided to share our guidance in this blog.
How to validate an ISO 27001 vendor
Unfortunately, there is no central register of all ISO 27001-certified companies in Ireland.
This means that confirming the validity of a certificate requires a little legwork, but the good news is that it is 100% guaranteed to determine whether the claim of certification is valid and whether the certificate is issued from an accredited certification body.
- Request a copy of the vendor’s certificate, including any annexes that are issued with it (the annexes may include further detail on the scope, locations that are covered, etc.).
- Identify the name of the certification body that issued the certificate and the national accreditation body that accredited the certification body – this is likely to be in the form of a logo such as NSAI, UKAS, etc.
- Check that the accreditation body subscribes to the IAF (iaf.nu).
- Contact the certification body to ask them to confirm the validity of the certificate. Some certification bodies do this through their website, whereas others check that their client is happy to share this information.
If all of this works out and you are assured the certificate was issued under the accredited certification scheme, the last things to check are the same as discussed on the ISO 27001 ISMS Lead Implementer Course:
- The scope of the certification – Check that it covers all of the supplier’s business processes and locations that you are entrusting with your information. Many organisations restrict the scope to save on the cost of implementation or even the certification audit. As a result, this can compromise the extent of assurance that the certificate provides.
- The date of issue and the date of expiry of the certificate – This gives you an idea of how mature the ISMS should be. It is worth periodically confirming that the certificate is still valid because it can be withdrawn if the ISMS is not maintained appropriately.
- The reference to the Statement of Applicability (SoA) – There should be a reference to the specific version of the SoA that your supplier was audited against, and you can request a copy. Some organisations exclude controls that you might expect to be in place and you will not be aware of this without reviewing the SoA. If the organisation has excluded controls, you should probe to find out which compensatory controls are in place to provide the same assurance and a residual risk that hopefully satisfies your needs. The certification body should confirm the scope, dates and version of the SoA in the information you request.