How to know which firms are ISO 27001 certified

You have an important project to develop, and you need to hire an external partner, e.g., a SaaS company, to see it through. You’ve determined that information security is one of the top-priority criteria a vendor must meet in your screening process.

In this case, one of your requirements might be certification with the leading information security standard ISO 27001, but how do you know if the company on the other side of the process is actually ISO 27001 certified?

And, just as importantly, how do you know that this certification is issued by an accredited certification body? Find out in this article.

Request the certification from the vendor

Most companies that are certified will advertise this on their website and in their product/service documentation. This information alone isn’t enough, though. You need to verify a few essential factors of this certification, so the first step is to request this certification from the vendor.

Essential information on the certificate

Every certification body has its own layout and format for the certificates it issues, but there are a couple of key pieces of information on every certificate. I chose the order below based not on how it is reflected on the certificates, but on how much time and effort it takes to verify. After all, there is no reason to verify every aspect only to find out the certificate expired a long time ago.

How to check ISO 27001 certified companies

Relevance and usage

Now you know the key aspects to check on a certificate, but what is the relevance of this information, and how can you use it to ensure validity?

  1. The first point is obvious, but I didn’t want to omit this step. Your requirement is ISO 27001 certification, so ensure that you did (Read more...)

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2019/10/01/how-to-check-iso-27001-certified-companies/