(270) 506-5140 CONTACT US

What Are ISO Certifications and Should Your Vendor Have One?

Jun 26, 2019 by Aaron Kirkpatrick

ISO certifications, specifically ISO/IEC 27001:2013, will inform you on a vendor’s information security. They’re a great indicator of internal process maturity at an organization. The result of the organization’s audit is a certificate containing:

  • The ISO revision, currently 2013
  • Original Issue Date
  • Issue Date
  • Expiration Date
  • Services in Scope

The certification is completely voluntary; therefore, you may only come across an ISO 27001 certification in due diligence if a vendor says they’re certified. If they indicate company certification, then you’ll want to request proof since they’re sharing that they’ve taken extra security precautions by implementing an Information Security Management System (ISMS). This can be a great addition to a company’s security posture and make them stand out, so you just want to verify.

Check 2 Things on the ISO 27001 Certification

Be sure to check for the following two things when receiving the certification document:

  1. That the expiration date has not passed. If it’s close to expiration, we encourage you to reach out to confirm a new report will be issued.
  2. Verify that your consumed service is addressed and key departments are in scope.

ISO 27001 vs ISO 27002

These two standards are often confused with each other. They both cover information security within an organization, but there are differences:

  1. ISO 27001 is for creating an ISMS making up the base of information security to build on.
  2. ISO 27002 contains the controls to put in place once the ISMS is in place. Only ISO 27001 is available for an organization to achieve a certificate as ISO 27002 is not a management standard, so a certificate is unavailable.

Why ISO Certifications Don’t Tell the Whole Story

The downside with an ISO certification is that you’re unable to know whether controls are still in place and operating effectively during the three-year period that the certificate covers. However, this is sometimes reflected in updates to the Statement of Applicability (SoA); therefore, it’s recommended that the SoA be viewed as well.

The SoA contains confidential internal control design, so it’s unlikely a copy will be provided, but the company may share it during an online meeting such as WebEx, or if you’re physically on-site. The SoA contains the entire listing of controls, including what was determined to be out of scope. You’ll want to focus on these and ensure you agree or understand why they were scoped out.

Understanding the ISO Certification

In short, you’ll want to look for three things:

  1. Original and Expiration Dates – Is it expired?
  2. Services in Scope – Would these cover your expectations?
  3. Controls scoped out of the Statement of Applicability – If viewable, review all scoped out controls.

Should Vendors Be ISO 27001 Certified?

As no regulations require the successful passing of an ISO 27001 audit, fewer organizations will have taken the time to plan and implement a functional ISMS as required. Larger organizations are more likely to be certified and many organizations simply follow ISO 27001 as guidance while building their own ISMS.

Protect your organization against cyber risks. Learn how by and download this infographic. 


Aaron Kirkpatrick

Written by Aaron Kirkpatrick

Aaron is a Certified Information Systems Security Professional (CISSP) who has acquired a wide range of organizational, technical and compliance knowledge, applying it within data center and financial institution services sectors. He’s created and successfully led security, risk and audit programs, including SOC engagements, for data centers and a financial application company, transitioning to Internal Audit at one of the largest financial system providers. He has paired a technical degree in Network Administration and Engineering with a Bachelor’s degree in Management Information Systems. Relevant professional certifications include: Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), GIAC Certified Incident Handler (GCIH) and GIAC Critical Controls Certification (GCCC). He is a member of ISACA and (ISC)2.

Follow Aaron Kirkpatrick

Subscribe to the Venminder Blog