ISO 27001 readiness firm vs. ISO 27001 certification body: What's the difference?

Hello all and welcome back to Bits and Bytes! Have you heard of ISO 27001? It's the only internationally accepted, certifiable information security standard, and it provides the requirements for an Information Security Management System (ISMS). I know, I know, it sounds boring. But trust me, it's important. In today's world, where cyber threats are an hourly occurrence, it's essential to have proper information/cyber-security measures in place. That's where ISO 27001 comes in. But wait, there's more! There are two types of providers that can help you with ISO 27001: readiness firms and certification bodies. So, what's the difference? Let's find out together.

First things first, an ISO 27001 readiness firm is a company that helps organizations prepare for ISO 27001 certification. They assess the organization's policies, procedures, and controls to identify gaps, and help the organization seeking certification implement the changes needed to meet the ISO 27001 requirements. Some of them can also perform the risk assessment, the internal audit, and even policy development. Think of them as a personal trainer for your information security management system: they get you in shape for the big certification exam.

On the other hand, an ISO 27001 certification body is an organization that issues ISO 27001 certificates to organizations that have met the requirements. Certification bodies (CBs) get their authority from accreditation bodies (ABs) such as ANAB, ANSI, or UKAS. Some examples of CBs are Coalfire, Schellman, and SRI. Think of them as the examiners who administer the final exam to determine whether you have met the spirit and intent of the international standard. If you pass, they issue you an ISO 27001 certificate that proves your organization has implemented, and maintains, an information security management system that meets the requirements of the standard.

Now, you may be thinking, "But wait, isn't the readiness firm preparing you for the certification exam?" Yes, you're right, but they can't issue you a certificate. That's where the certification body comes in: they are the only ones who can issue ISO 27001 certificates. However, to remain objective, a certification body cannot consult for the organization it certifies, and it cannot provide that organization's policy development, risk assessment, or internal audits.

Another important thing to note is that certification bodies must be accredited by an independent accreditation body. Accreditation ensures that certification bodies follow strict standards and procedures and are competent to issue certificates. Think of it as a quality assurance check on the certification body, confirming that it is doing its job correctly.

Lastly, it's important to understand that certification is not a one-time event. Organizations must continually maintain and improve their information security management system to retain their certification. Therefore, it's crucial to choose a readiness firm and a certification body that you trust and can work with long-term.

In conclusion, ISO 27001 readiness firms and certification bodies play different roles in the ISO 27001:2022 lifecycle. Readiness firms help organizations prepare for the certification process, while certification bodies administer the final exam and issue the certificates. Remember, certification bodies must be accredited by an independent accreditation body to ensure they are competent to issue certificates. Most importantly, maintaining certification requires ongoing effort and improvement in your information security management system. Now that you know the difference, you're one step closer to a more secure organization. Keep calm and ISO on!

Until next time,


8 views0 comments


bottom of page