The first blog in this series hopefully provided a brief overview of ISO 27001 certification. In this post we shall deal with some more specifics of the certification, explain what your hosting provider will have done to earn it, and show you how to check for yourself that the certificate is genuine and actually covers the services you are buying.
You should first ensure that the organisation is genuinely certified to the ISO 27001 standard by checking its ‘Certificate of Registration’. Note the terminology: an organisation is certified to ISO 27001, and the certification body (the external auditor) that issues the certificate is accredited by UKAS. A certificate issued by a certification body that is not accredited for ISO 27001 carries far less weight, because nobody independent has checked that the auditor is competent.
UKAS stands for the United Kingdom Accreditation Service, and you will need to check that the certificate was issued by a UKAS-accredited certification body.
UKAS is the sole national accreditation body recognised by the UK government to assess, against internationally agreed standards, organisations that provide certification, testing, inspection and calibration services.
Accreditation by UKAS demonstrates the competence, impartiality and performance capability of these certification bodies.
Verifying a UKAS-accredited ISO 27001 certificate should be simple, as certified organisations will normally display the certification body’s mark together with the UKAS accreditation symbol, the name of the certification body and the unique certificate number on their literature and on the certificate itself.
Using the unique certificate number and the name of the certification body, it should be relatively simple to confirm the validity of the certificate, as most reputable certification bodies allow you to validate a certificate via their website. While you are there, check that the certificate is still within its validity period and has not been suspended or withdrawn, and check UKAS’s own directory of accredited bodies to confirm that the certification body is accredited for ISO 27001 rather than simply accredited for some other standard. A logo on a brochure proves nothing on its own; the certificate number looked up at source does.
‘Scope of activities’
Every ISO certificate of registration requires a “statement of scope”.
This explains what operations, departments, physical locations, individuals and business practices are included as part of the external audit.
Some organisations may choose to include only a limited part of their business operations in this statement of scope. Where the service provider is handling your information, a narrow scope of physical and logical security controls should be a cause for serious concern.
It might be that an information processing facility (a single data centre, for example) is included within the scope and is assessed to meet the standard, but that the support, sales and operations departments of the organisation are deliberately left out of the statement. Those departments still have access to customer data and systems, so they can represent a serious vulnerability or risk to your information assets even though the certificate is perfectly valid.
To this end it is critical that the scope of the hosting provider’s certificate of registration covers all aspects of the organisation’s operations, and in particular the specific locations, services and teams that will be handling your data. Read the scope statement on the certificate rather than the headline, and ask the provider to explain anything that is excluded.
Keep your eyes peeled for our third and final blog in this series, where we will be explaining how to ensure that your organisation is as compliant as possible with the ISO 27001 standard even if you have not yet been certified.