A couple of weeks ago I was discussing the nature of my work with a friend. The primary topic was the certification audits in which I am involved. When we had discussed the certification process, including scope selection, accreditation and the various standards, his final reply was "Damn, your work is really weird". Given the lack of clarity in the certification business I cannot disagree with him, and I hope that this post will provide some insight into the peculiarities of certification, so that any organization pursuing certification can make a well-considered decision.
Being accredited (or not)
Let me start with the statement that anyone can certify anything, just so that there is no misunderstanding about this. It is possible to certify the quality of processes, or that the color of a pen is blue. The latter is obviously completely useless, but it is still possible. This is also one of the reasons why my friend replied that my work is weird, and I fully agree: this is one of the weirder parts of my work.
The same applies to certification against standards such as ISO27001 (information security) and other local, European or international standards. Any organization can perform an assessment to determine whether your company operates according to the requirements stated in such a standard. Once the assessment is completed, a certificate can be issued which states that this is the case, carrying a nice company logo, a reference to the standard and other relevant references. The main difference lies in certification under accreditation: an accreditation logo may only be placed on the certificate if the organization issuing the certificate is itself accredited. But what exactly is accreditation, and why is it such an important aspect?
There is a worldwide network of accreditation bodies, such as the IAS (United States), UKAS (United Kingdom) and the RVA (Netherlands). These accreditation bodies have agreed on common requirements that an organization must meet in order to become accredited. This provides a level of assurance on the quality of the accredited organization, its staff and its processes for performing certification activities. Furthermore, it provides a level of assurance on the impartiality and independence of the certification body and its staff.
This should be one of the main reasons why an organization that wants to become certified should always pursue certification under accreditation.
International versus local standards
Another choice an organization pursuing certification has to make is whether to select an international (ISO/IEC), regional (e.g. EU) or local (e.g. NEN) standard. In this section I will explain the differences using the example of the Dutch healthcare version of ISO27001, the NEN7510.
The NEN7510 standard is a very peculiar one, given that it is focused specifically on information security in the healthcare sector. Although selecting such a specific standard may give an organization the benefit of a better fit for purpose, I would recommend against this particular standard at least. Instead, I would recommend that organizations select the internationally recognized ISO27001 standard, for several reasons.
NEN7510 is based on the older ISO27001:2005 standard
One of the drawbacks of basing one standard upon another is that once the 'parent' (ISO27001) is updated, the 'child' (NEN7510) should be updated too. Although the local NEN7510 standard was only released in 2011, it is based upon the fairly old (and already replaced) ISO27001:2005 version. This means that certain control elements which were either too new or non-existent in 2005 have not yet been adopted. Topics such as outsourcing, which are considered 'new' in the 2013 standard, may not yet be addressed in the local NEN standard, as it is based on the older version.
ISO27001 is internationally recognized and understood
Unlike the NEN7510 standard, which is a local standard, ISO27001 is internationally understood and recognized. The management system and the controls applied are easily understood by any information security professional, regardless of where they come from. Furthermore, ISO27001 is set up in such a way that the NEN7510-specific requirements can be included by adding control requirements on a risk basis. This makes it easy to include NEN7510 within ISO27001, so that an organization which becomes ISO-certified can show proof of NEN7510 compliance at the same time, provided those additional controls are actually part of the certified scope.
As an advisor I would always ask an organization to carefully consider whether it really should go with the narrower, localized focus instead of selecting the internationally recognized standard.
There may of course be other reasons why an organization would select a local or an international standard, or opt for an unaccredited certification. These choices are entirely up to the organization. Since there are still many people out there who do not know the difference, or simply do not care, this will remain an uphill battle for accredited certification bodies. What choice would you make for your organization?