Difference Between Certified and Compliant ISO 27001 ISMS
TRENDING
PUBLISHED on
27
July
2022
SUMMARY
There is some confusion about the difference between having an information security management system (ISMS) which is certified to ISO 27001 and one which is compliant or aligned to the Standard.
There are many articles and opinions on whether an organisation should certify its ISMS or align it against the Standard. A commonly held view is that “we will save money by aligning to ISO 27001 and avoid the unnecessary hassle and burden of certification”.
This view, in URM’s opinion, is flawed in that there is a significant risk that aligning will actually incur more time and money and, more significantly, you will miss the benefits and business opportunities presented by certification.
Compliant or aligned management system
Complying with the requirements of ISO 27001 implies that an organisation is using the Standard as a guiding model for its ISMS and its information security governance. Such a statement has some validity, as there is an indication that the organisation has put thought into its approach. However, when scrutinised/investigated, we find this approach often falls short in a number of areas, e.g., scope and continual improvement. When you state that you are compliant, who is that according to – the organisation itself?
If so, you won’t gain the kudos attached to a specialist and independent third party assessing the effectiveness of your ISMS, e.g., assessors with greater impartiality, less conflict of interest and who bring industry knowledge/insight and a fresh perspective.
Certified management system
A certified management system is independently assessed and is subject to a three-year auditing cycle to demonstrate ongoing commitment and continual improvement. A key aspect of certification body audits is the focus on continual improvement and revisiting corrective action plans from previous audits to address any identified issues.
You can be sure that one of the first items an external assessor will be checking is whether all actions have been completed and, if not, justification as to why they haven’t been completed, supported ideally by a risk assessment and a risk acceptance at an appropriate level. Would you get such rigour with an internal compliance approach? It’s unlikely and, in our opinion, crystallizes the difference between compliance and certification.
When we talk about certification, there is a very important differentiation to make, i.e., certification carried out by bodies which are accredited by the United Kingdom Accreditation Service (UKAS) and those that aren’t. A UKAS accredited certification body (CB) goes through a stringent assessment at the outset and is assessed on an annual basis through reviews of sample reports.
So, if you are going to be independently certified, ensure you’re certified by a CB who is subject to the same rigorous approach as you are! And yes, certification is challenging, as is anything with an element of external or third-party assessment. Yes, it expects you to justify the approach you have taken and provide evidence to demonstrate that.
Yes, it expects you to know whether your approach is effective and whether what you have done is delivering the intended outcome. But when you step back, isn’t that a good thing? How else can you provide effective assurance to your key stakeholders other than with an independent, rigorous, third-party assessment?
How URM can help?
Consultancy
Do you need any help with your ISO 27001 auditing programme?
Having been involved in over 450 successful ISO 27001 certifications, URM is ideally placed to advise you on the essential activities and tasks you will need to carry out in order to maintain and improve your ISO 27001 auditing function and programme
Read more
Consultancy
Do you need any help with ISO 27001 certificate?
URM can help you achieve ISO 27001 certification
Read more
Consultancy
Assess Your DORA Compliance Readiness
Unsure whether your ICT risk framework meets DORA standards? Our experts will carry out a detailed gap analysis and provide clear, prioritised steps to help you achieve full compliance.
Read more
We will ensure you never become a ‘slave to the Standard’ and your ISMS is something which can easily be maintained and improved.
Find out more
related BLog posts
Information Security
Published on
18/7/2022
What are the ‘Real World’ Benefits of Implementing ISO 27001?In this blog, we want to dig a bit deeper into the benefits that are gained from implementing the Standard and from achieving certification...
Read more
Information Security
Published on
27/7/2022
How Secure is Zoom?Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19.
Read more
Information Security
Published on
27/7/2022
Should You Start Your ISO 27001 Programme with a Gap Analysis or a Risk Assessment?The answer depends on your goals and knowledge of your current position. This blog will look at which is best and when.
Read more
Our experience with URM was all around great and seamless, starting with our account manager who organised everything and was very accommodating, working around our schedule and fitting us in as soon as we wanted. This continued with our assessor for the CE questionnaire part; he was very helpful, taking the time to explain some aspects that were a bit unclear to me and guiding me the whole way through. The same was true of our assessor for the CE+, who took the time to answer any questions I had beforehand and guide me through elements that I was unfamiliar with. During the assessment, he was very helpful, made the process very easy and guided me through some points that needed some additional set up in order to ensure a successful process. This was our first year working with URM and I am sure we’ll be talking again next year. Thank you for all your help!
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.