Embarking on the journey towards ISO 27001 certification is an endeavour filled with opportunities for driving business growth and advancement. You may already have taken the first step on your ISO 27001 journey and understood the numerous benefits, including safeguarding your business, your clients, your reputation and your bottom line. The next step is to understand how your business will get through the process. This involves choosing the right implementation partner and certifying body.
Many of our clients ask the all-important question about a certifying body: ‘Why does the certifying body matter?’ The answer is that you want to ensure your ISO 27001 certification is valid and has been awarded by a properly vetted organisation.
Let’s take a step back to ask another question – how do you know your ISO certification body is credible? When it comes to information security, you want to ensure that you are ISO 27001 UKAS certified.
In this article we explain what UKAS ISO 27001 accreditation is and why we strongly recommend UKAS as your ISO certification body.
What is UKAS accreditation?
UKAS is the National Accreditation Body. It is the governing body for ISO standards in the UK and has been appointed by the government to make sure that certifying bodies are up to standard. UKAS regulates the quality of the certification process and the audits to ensure the ISO certification you achieve really does help you have a robust and rigorous system in place to deal with (in the case of ISO 27001) cyber threats.
Once you’ve achieved your ISO 27001 certification, your business will appear on the UKAS website where potential clients and other stakeholders can find you and verify your certificate, adding another level of credibility to your security posture and capabilities.
That said, there are organisations out there offering ISO 27001 (and other) certifications that are not UKAS accredited. The risk of using one of these organisations is that even if you do achieve your ISO certification, it may not be recognised by your customers and stakeholders, which will affect your RFPs, supplier evaluations and client relationships, especially if you work with government or in the public sector, where UKAS ISO certification is a necessity.
How to get a UKAS accreditation for ISO 27001
The first thing to do is choose your implementation partner. This should be based on their experience with ISO 27001 and their experience with businesses similar to yours. Expertise also plays a huge role. At RightCue we follow and implement information security management systems (ISMSs) according to the rigorous standards set out by UKAS. We have an in-depth understanding of ISO 27001 certification, as well as the broader landscape. Our highly professional team keeps on top of changes and trends, including preparing for new versions of the ISO 27001 standard as they are released. We also offer expert consultancy across areas such as:
Choosing a UKAS accredited ISO certification body
The next step in your journey is selecting the right ISO certification body. As mentioned, using a UKAS-accredited ISO certifying body means your ISO 27001 certification will be UKAS accredited. You should check the credentials of certifying bodies to make sure they are UKAS accredited.
You can also work with your implementation partner to choose an ISO 27001 certification body because they have the knowledge and expertise not just around the certification bodies and certification, but also how the process aligns to your business.
We help our customers choose the right certifying body – one that is UKAS accredited. We also look at other factors such as the body’s audit rigour, customer service, cost, location and onsite visits.
How are ISO audit days calculated?
Another consideration – and also a question we regularly hear from our customers – is audit time. Because the number of audit days needed affects your budget and resourcing, customers want to understand how ISO audit days are calculated and how many will be needed.
Audit days are calculated based on the size and complexity of your organisation – i.e. the larger and more complex the organisation, the more days may be needed. Other factors such as the scope of the ISO certification, your processes and industry-specific requirements will also affect the calculation.
However, your number of audit days may be reduced, depending on a few factors. Just as a larger and more complex organisation will require more days, a smaller or less complex organisation could mean a reduction in audit time. Another factor is the effective number of staff. This encompasses employed staff and contractors covered by the certification scope, but doesn’t necessarily mean all staff, depending on their roles. Once the relevant staff members have been included or excluded, it is easier to determine the number of days needed. If in doubt, this is something your implementation partner can help you with.
How can RightCue help you on your ISO 27001 UKAS journey?
There are several moving parts in the pursuit of ISO 27001 UKAS certification: finding a trusted partner to guide you through the process and dispense valuable advice, identifying a legitimate UKAS ISO 27001 certification body, understanding the process itself, and passing the audit.
At RightCue, we are that trusted partner to a host of organisations that have undergone ISO 27001 UKAS certification, including PRD Technologies, award-winning providers of ‘Intelligent Billing’ software, and legal software firm Zylpha.