How Do I Get ISO27001 Certification?
2008-05-20 17:31:23, posted by Carsten Casper, Research Director, IT Leaders - Security and Risk Management
Everybody has heard of the international standard ISO 27001 (or at least of its U.K. predecessor, BS7799-2). Now, more and more people wonder: How do I get a certificate for my organization? In some countries (such as the U.K. and Germany) it is common to get a certificate; in the U.S. it is not. There are two ways to approach this: find an accredited auditor (a person), or find an accredited certification body (an organization).

Auditors must be accredited by the International Register of Certificated Auditors (IRCA), so www.irca.org is a good starting point. For example, you'll find 40 auditors in the U.S. who are accredited for ISO 27001. They work for large consultancies or system integrators, but also for some smaller companies.

Alternatively, you can look for an organization that issues certificates. Unfortunately, there is no international register for them; you'll have to look for a certifying organization that is accredited by a national accreditation body (for example, UKAS in the U.K. or TGA in Germany). These bodies maintain lists of accredited organizations (see http://www.ukas.com/about_accreditation/accredited_bodies/certification_body_schedules.asp and http://www.tga-gmbh.de/scopes/index.php?id=0051). For other countries, see the member list at http://www.iaf.nu.

In the U.S., ANSI is in charge and has delegated this responsibility to ANAB (the American National Standards Institute - American Society for Quality National Accreditation Board). However, the corresponding database (see http://www.anab.org/Directory/Certs_Search.asp) lists only two accredited organizations. The better way is probably either to look at the U.K. register (because many organizations can issue certificates for companies in the U.S. as well) or to have a look at the unofficial register of ISO 27001 certificates (see http://www.iso27001certificates.com). There, you'll find a list of certified companies and the corresponding body that issued each certificate.

No matter which entry point you choose, the list of auditors, the list of certifying organizations or the list of issued certificates - the names that come up are often the same: BSI Management Systems, one of the TÜV companies, PricewaterhouseCoopers, Bureau Veritas and Atsec.
