Tips from URM – What’s the difference between a certified and a compliant ISO 27001 management system?
This is the question of the week: what is the difference between a
certified and a compliant ISO 27001 management system?
There is some confusion about the difference between having an information security
management system (ISMS) which is certified to ISO 27001 and one which is compliant
or aligned to the Standard. This week’s top tip looks at some of the key differences and
helps you understand some of the implications of each.
There are many articles and opinions on whether an organisation should certify its ISMS or align it against the Standard. A commonly
held view is that “we will save money by aligning to ISO 27001 and avoid the unnecessary hassle and burden of certification”. This view,
in URM’s opinion, is flawed in that there is a significant risk that aligning will actually incur more time and money and, more significantly, you
will miss the benefits and business opportunities presented by certification.
Compliant or aligned management system
Complying with the requirements of ISO 27001 implies that an organisation is using the Standard as a guiding model for its ISMS
and its information security governance. Such a statement has some validity, as there is an indication that the organisation has
put thought into its approach. However, when scrutinised/investigated, we find this approach often falls short in a number of areas,
e.g. scope and continual improvement. When you state that you are compliant, who is that according to – the organisation itself?
If so, you won’t gain the kudos attached to a specialist and independent third party assessing the effectiveness of your ISMS, e.g.
assessors with greater impartiality, less conflict of interest and who bring industry knowledge/insight and a fresh perspective.
Certified management system
A certified management system is independently assessed and is subject to a three year auditing cycle to demonstrate ongoing
commitment and continual improvement. A key aspect of certification body audits is the focus on continual improvement and
revisiting corrective action plans from previous audits to address any identified issues. You can be sure that one of the first items
an external assessor will be checking is whether all actions have been completed and, if not, justification as to why they haven’t
been completed, supported ideally by a risk assessment and a risk acceptance at an appropriate level. Would you get such rigour
with an internal compliance approach? It’s unlikely and, in our opinion, crystallises the difference between compliance and
When we talk about certification, there is a very important differentiation to make, i.e. certification carried out by bodies which are
accredited by the United Kingdom Accreditation Service (UKAS) and those that aren’t. A UKAS accredited certification body (CB)
goes through a stringent assessment at the outset and is assessed on an annual basis through reviews of sample reports. So, if you
are going to be independently certified, ensure you’re certified by a CB who is subject to the same rigorous approach as you are!
And yes, certification is challenging, as is anything with an element of external or third-party assessment. Yes, it expects you to justify
the approach you have taken and provide evidence to demonstrate that. Yes, it expects you to know whether your approach is effective
and whether what you have done is delivering the intended outcome. But when you step back, isn’t that a good thing? How else can you
provide effective assurance to your key stakeholders other than with an independent, rigorous, third-party assessment?