Attesting to ISO 27001 compliance
However, many folks I work with often inquire about or request some form of attestation of compliance (e.g. not certification, but some form of attestation that they are compliant with the standard). My inquiry was more about that… Can anyone attest to 27001 compliance (internally or via a third party)? Perhaps a bit of a grey area…
Answer: Internal audit is mandatory according to ISO 27001, so this is something you must do - however this internal audit has no relevance for the outside world. For the third parties, only the ISO certificates issued by certification bodies are recognized.
Here are a couple of articles about the internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
I’m guessing in such cases it really boils down to the ‘opinion’ of the person / party providing the attestation and their willingness to stake their reputation on such a claim. Correct?
Answer: I would say this is primarily a question of credibility - if the "certificate" is issued by a company that has no license for performing the certification, who would trust them?
Oct 22, 2016