ISO 27001 Certification vs Compliance
Is a certificate worth the paper it’s written on?
Organisations that are new to information security management systems often ask about the difference between ISO 27001 compliance and ISO 27001 certification.
In simple terms, compliance might mean that the organisation is following the ISO 27001 standard (or parts of it).
However, trust is low nowadays, so switched-on, powerful stakeholders don’t automatically believe compliance is enough. They want to see certification!
Not all certificates are the same. A consultant, software service provider or your own information security officer could neatly present their own certificate! Some consultants and software providers still do this today, simply certifying their own work, but it’s really not worth the paper it is written on. Customers that understand this subject will want to see some form of independent certification.
The most recognised and widely accepted independent certificates are issued by UKAS-certified auditors (their logo is shown in the image to the right), known as Certification Bodies (or their equivalents internationally). These are organisations that UKAS has evaluated as competent to deliver an independent external audit to an agreed standard, and they are authorised to issue ISO certificates that can be trusted.