Formal Certification (and the benefits it brings)
Formal certification is awarded by independent third-party certification bodies; some of the better known bodies include the British Standards Institute (BSI), SGS, LRQA and Bureau Veritas. When one of these bodies conducts a certification audit it is a third-party audit, because three parties are involved: 1) the organisation operating the ISMS, 2) the certification body, e.g. the BSI, and 3) the organisation's customers.
Once certified, an organisation is subject to continual six-monthly surveillance audits and a full re-certification audit every three years. This adds pressure and cost, but it ensures the organisation is continually monitoring and improving its ISMS in order to maintain its certified status.
Historically, third-party certification audits came about in order to remove the need for second-party audits: there is no need for an organisation's customer to conduct its own audit if an independent third-party body has issued a certificate confirming that the organisation is compliant with ISO 27001:2005.
Benefits of Certification
By having a formal, documented ISMS which has been independently assessed, an organisation can demonstrate to its customers and clients that it is committed to security and has the ability to handle information in a secure manner. Equally, customers and clients gain confidence in the organisation, thereby increasing trust in its brand and/or image.
Regular assessments performed by certification bodies encourage organisations to continually use, monitor and improve their information security management system and processes, and so to maintain a higher level of vigilance. Independent assessment brings rigour and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval, which is an advantage in security awareness terms if nothing else.
The reputation of ISO, and certification against the internationally recognised ISO 27001:2005 security standard, enhances an organisation's credibility and may lead to an increase in its market share.
Certification is optional, but it is increasingly being demanded of suppliers and business partners by organisations that are concerned about information security, both to meet customer requirements and for overall performance. An organisation will also most likely gain a significant improvement in staff motivation, commitment and understanding of their responsibility for information security if formal certification is gained, rather than the organisation merely claiming compliance with the standard.
What is Accreditation?
Too often there is confusion between accreditation and certification when discussing the audit. Accreditation bodies regulate certification bodies, and each country has its own accreditation body. The accreditation body in the United Kingdom is UKAS, the United Kingdom Accreditation Service. UKAS issues accreditations to certification bodies for each standard that the certification body wishes to offer certification services for; the certification bodies are therefore accredited by UKAS with the power to issue certifications. The diagram below highlights the relationship between the bodies (it shows some of the better known certification bodies in the UK) and Sapphire's certification to ISO 27001:2005, which is maintained with SGS. UKAS therefore regulates certification bodies (by auditing the auditors) to ensure that they award certification only to organisations that have clearly established compliant management systems.
What does ISO stand for?
The international body which issues international standards is the International Organisation for Standardisation (IOS). However, "ISO" is taken from the Greek word "isos", meaning equal. The IOS realised that its acronym would not translate clearly into some languages and would therefore cause confusion, hence the word ISO was adopted. An organisation that is awarded an ISO certification is equal to the standard and therefore compliant.
Please download the NatCen case study for further information on how Sapphire guided NatCen to achieving ISO 27001 compliance.
“Throughout every stage of this process we have been able to go to Sapphire and ask them for their expert advice. An example of the level of service they offer is that I am able to ring them up with queries outside of the ISO27001 compliance issue and get their opinion on what we should be doing as an organisation.” Stuart Chapman, Director of Facilities and IT, NatCen