
Accredited ISO certification versus non-accredited: What it means and why it matters

“What’s the difference between accredited ISO certification and plain ISO certification or ISO compliance?” This is a question I hear often. It might sound like a mere choice of words, but the difference can have a big impact on your company, and on whether you need to get certified to one of the most-used ISO standards, like ISO 27001 (Information Security) or ISO 9001 (Quality), or to another of the more than 22,500 standards that ISO has developed.

So, what is the difference between being ISO Compliant, ISO Certified, and Accredited ISO Certified? This article explains.

The difference matters

This is an interesting question – not only for companies looking into getting certified, but also for those companies, and their legal and procurement departments, that require their vendors and partners to be certified. This is especially true when ISO compliance is sought or required throughout the whole supply chain. None of the three is wrong, and none is inherently better than the others. Whether “ISO Compliant,” “ISO Certified,” or “Accredited ISO Certified” meets your needs really depends on the requirements that you and your customers have.

Knowing the difference could save you valuable time and money and even (potential) customers, as accredited certification can be an expectation or even a legal or contractual requirement.

Let me jump to the answers first, and then discuss the issue in greater depth later.

ISO Compliant can be a self-proclaimed title: the company in question has implemented all requirements to the best of its ability and claims to be fully or partially compliant, but there is no independent assurance of that claim.

ISO Certified means there is an independent certification body that provides written assurance of compliance with the specific ISO standard.

Accredited ISO certification or, to be more precise, certification by an accredited certification body, means that an independent certification body, recognized by an independent accreditation body, issued a certificate to provide written assurance of compliance.

Please note that although there is a clear difference between “ISO certification” and “accredited ISO certification,” people (including contract language) usually talk about, and expect, “accredited certification” when mentioning ISO certification.

Accredited ISO certification – Why does it make a difference?


What does the International Organization for Standardization say?

To put this in the right context, I’ll explain how the ISO defines “Certification” and “Accreditation”:

  • Certification – a written guarantee (a certificate), issued by an independent body, stating that the management system in scope meets specific requirements.
  • Accreditation – the recognition and approval of a certification body by an independent accreditation body, officially confirming that the certification body works in accordance with international standards.

Read more about these differences in the article Accreditation vs. certification vs. registration in the ISO world.

OK, so now you know the difference, but I imagine there are still open questions – new questions, even. Let me start with ISO (the International Organization for Standardization) itself. ISO is an international, independent, non-governmental organization with a membership structure. Currently, there are 164 members from different countries around the world. All members are “national standards bodies” and work together to develop new international standards and maintain existing ones.

Although ISO develops standards, it does not certify companies or issue certificates. It is also important to know that, within ISO, there is a “Committee on Conformity Assessment” (CASCO) that develops standards (yes, that is what they do best at ISO!) for the certification process used by certification bodies – for example, ISO/IEC 17021-1 for bodies that audit and certify management systems, and ISO/IEC 27006 for bodies that certify ISMSs against ISO 27001.


Not every standard has accredited certification available

At the beginning of the article, I stated that there are more than 22,500 ISO standards, but now that we have a bit more background, I want to introduce a bit of nuance. Not all of those standards are covered by the CASCO standards and, without these, there is no specific accreditation available for the independent certification bodies. That means that not every standard has accredited certification available. What does this mean, and why does it matter? It matters especially in situations where there are legal or contractual requirements to be compliant with a certain standard, like ISO 27001 (Information Security) – you can’t expect your customers to accept a statement from you or your vendors that the service or product is “ISO 27001 Compliant” and leave it at that.

However, you (and your supply chain) might be ISO 27001 certified and under the impression that you are fully compliant with all contractual terms, only to find out that the certification body that assessed your ISO 27001-based Information Security Management System (ISMS), or your vendor’s, was not accredited for this specific certification.

Although the certification body may be perfectly competent at assessing your ISO compliance, neither you nor your customer(s) have independent assurance of its competence and impartiality. That, in turn, means that you are exposed to any terms and clauses in your contract that relate to ISO 27001 compliance. At the very least, you will have to have the difficult discussion with your customer that you are in breach of your contract, and you will have to invest additional time and resources to correct the situation. The worst-case scenarios, however, are fines or even your customer leaving!

How to make sure your certificate is accredited

So, now that you know the differences and why it matters, you probably have a new question:

“How do I ensure that my certificate is issued by an accredited certification body?”

Luckily, this is a relatively easy process, especially with the background information you now have. Follow these steps:

  1. The “International Accreditation Forum” (IAF) maintains a list of all accreditation bodies worldwide that are members of the IAF. This list can be found here: IAF Member List.
  2. From there, you can select the applicable country to see a list of all accreditation bodies and their scopes. (Their scope is based on the CASCO standards previously discussed.)
  3. Select an accreditation body with the correct scope. For ISO 27001, that means the accreditation body should be recognized for management system certification covering information security management systems; if it is a signatory to the IAF Multilateral Recognition Arrangement (MLA) for that scope, its accreditations are recognized by the other signatories as well.
  4. Every accreditation body publishes a list of the certification bodies it has accredited; the “hardest” part is finding the correct section on the accreditation body’s website. So, your next step is to go to that list of certification bodies. Looking at the UKAS (United Kingdom Accreditation Service) website, for example, you will immediately see a link to the search function for accredited organizations.
  5. Select a certification body that is listed there for the standard you need.

To learn more about the selection of a certification body, read the article How to choose a certification body.

Do your due diligence

It could be that you already have a certification body in mind, in which case you can check the “about” section of its website, or search the site for the words “accreditation” or “accredited,” to find out which accreditation body it claims to be accredited by.

From there, you can do your due diligence: check that the certification body is (currently) listed by that accreditation body for the standard in question, and, finally, that the accreditation body is a member of the IAF. When you assess a vendor’s certificate, also check that it is still valid and that its scope statement actually covers the service or product you are buying – an accredited certificate for an unrelated part of the business gives you no assurance about the part you depend on.

If you need help to find the right certification body, download this free List of Questions to ask an ISO 27001 or ISO 22301 certification body.


Tom van der Stoop

Tom van der Stoop is a Senior Privacy and Information Security Consultant based in the Netherlands, specializing in Privacy (GDPR), Information Security (ISO 27001), Quality (ISO 9001), and process optimization. He has over 20 years of experience in IT covering a wide range of industries, from banking to fashion, and from automotive to food. Amongst his vast experience and many qualifications, he is a certified ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, ITIL Expert, Certified Information Privacy Professional – Europe (CIPP/E), and Certified Information Privacy Manager (CIPM), and he also earned the distinct designation “IAPP Fellow of Information Privacy” (FIP) recognizing his outstanding work as a privacy professional.