A question we’re often asked by customers is “how do we find an auditor to get us certified?”. This is an important question because your choice could affect how soon your organization becomes certified, how much it costs you and how much weight your certificate carries with your customers, regulators or other stakeholders.
There are many companies that offer certification audits and your choice will obviously depend upon a variety of factors including where in the world you are based. However, there are a few general things you need to be aware of before you sign up with any particular auditor.
The first is to emphasize the fact that ISO standards are not legal documents; the creation, maintenance and adoption of ISO standards is a voluntary exercise that is co-ordinated by the ISO. Yes, ISO owns the copyright and sells standards for cash both directly and through third parties, but rest assured that you won’t be breaking any laws if you don’t quite implement a standard in full. And the same goes for declaring compliance with ISO standards. You have a choice.
You could simply tell everyone you deal with that you meet the requirements of a particular ISO standard. That’s it – no audit fees or uncomfortable visits from men in suits. Just say that you comply. The trouble with this is that if everyone did it, there would be no way of telling the difference between good organizations that really had done it properly and less conscientious ones that just paid the standard lip service. It only takes a few bad apples to spoil it for everybody. The people that matter to you (e.g. your customers or regulators) may simply not believe you meet the requirements without the certificate.
So instead you may decide to get a third party to test your implementation of a standard and testify that you’ve done it properly. This is where Registered Certification Bodies (RCBs) come in. An RCB is a company that has the expertise and resources to check that you do indeed meet the requirements of the standard and is willing to tell others that you do. But hold on, how do your customers know that the RCB itself can be trusted to have done a good job of the audit?
What’s needed is another organization that is trusted to check the auditors and make sure that they are doing a good job. But how do we know they can be trusted? And so it goes on. What we end up with is a chain of trust similar to the way that Public Key Infrastructure works (if you’re reading this with a view to becoming certified to the ISO27001 standard you will know what I mean by that, if you’re not then I apologize for the Geek Speak).
At this point we need to introduce you to a few important definitions:
“certification” – this is what happens when you are audited against a standard and you (hopefully) end up with a certificate to put on the wall (as in “we are certified to ISO/IEC 27001”)
“Registered Certification Body (RCB)” – An RCB is basically an auditing company that has been accredited to carry out certification audits and issue a certificate to say you are compliant with a particular standard. Some operate in a single country and some in a lot of countries. This is what you, as an organization wanting to become certified, need to choose
“accreditation” – this is what the auditors go through to become an RCB and allow them to carry out certification audits
The words certification and accreditation are often used interchangeably, but they don’t mean the same thing and it’s important to know the difference.
Ok, now we’ve got those definitions out of the way we need to talk about who actually does the accrediting. There are basically two levels, international and national. To use a football/soccer analogy, think of it in the same terms as FIFA and the national Football Associations, but hopefully without as much scandal.
International Accreditation Forum – based in Quebec, Canada, the International Accreditation Forum (www.iaf.nu) is the worldwide body that represents the highest level of trust concerning accreditation of RCBs. They have lots of strict rules that national accreditation bodies must agree to, embodied in a charter and a code of conduct. All of the national accreditation bodies are members of the IAF.
ANAB – as if there weren’t enough acronyms in the world, here we have an acronym within an acronym. ANAB stands for the ANSI-ASQ National Accreditation Board (www.anab.org). ANSI is the American National Standards Institute and deals with standards in the USA. ASQ is the American Society for Quality and although based in the USA, has a more international reach than ANSI. So put them together and you get ANAB which is the national accreditation body for the USA and therefore a member of the IAF.
UKAS – the United Kingdom Accreditation Service (www.ukas.com) is the body in the United Kingdom that accredits RCBs. It is effectively the UK representative of the IAF.
JAS-ANZ – the Joint Accreditation Service of Australia and New Zealand (www.jas-anz.org) is the IAF member for these countries.
Other IAF Members – there are over 60 other members of the IAF which provide accreditation services for their respective countries. A full list can be found on the IAF website, so when you have a moment, why not look up the member organization for your country.
If you’re still with me at this point, well done. The core message here is that whichever RCB you choose to carry out your certification audit, make sure they are accredited by the IAF member for your country. So for the UK that means UKAS-accredited, the USA ANAB-accredited and so on. Most auditing companies display the logo of the organization that they are accredited by fairly prominently on their website so it should be easy to tell.
There are companies out there who will offer cut-price certification services who are not accredited by an IAF member organization. In our opinion a certificate from such companies will not carry the weight of one from an IAF-accredited RCB so our advice is to think very carefully before using them. Remember this is all about reputation and credibility; make sure your certificate stands up to scrutiny from your customers and regulators, otherwise you will have wasted your time and money.
So you’ve checked that the audit companies you’re considering are accredited, but what other factors come into play when making your decision? In our experience asking the following questions will help you to choose:
Check the RCB has the capability to audit the standard you are going for and if so how many customers they have for that standard. How long have they been auditing the standard and how many qualified people do they have? Do they use their own people or contract auditors? Try to avoid having to describe what your company does to a new auditor every visit as this soaks up time that you are paying for.
There’s no point in considering an RCB that can’t cover the geographical area(s) you need. This is particularly relevant if you need to have more than one office audited, possibly in different countries. They may cover one country but not another. It’s worth checking whether they feel an onsite visit is needed to all of the offices in scope before you dismiss them.
Officially there is a formula that should be used when calculating how many days an audit should take. This takes into account variables such as number of locations and employees and which standards are involved. However there is some flexibility in how the formula is applied so you may get differing estimates from RCBs on how many days will be needed, which will obviously affect the cost.
Cost follows on from the question about time, as most RCBs charge by the hour or day, but rates can vary significantly, so a longer audit could actually be cheaper. Take into account the ongoing certification fees as well as the cost for the stage one and stage two audits. Some charge an additional annual maintenance fee, some don’t.
Auditors are generally busy people so if you’re in a hurry to get your organization certified then their availability will be an important factor. How soon can they do a stage one and when can they come back for the stage two?
Even amongst accredited RCBs, there are more and less well-known names. Since a lot of the reason for going for certification is to gain credibility with your customers and perhaps regulators, consider which RCB would carry most weight with them.
A lot of the frustration we see with RCBs is not due to the quality of their auditors but their administration processes. You need an auditing company that will arrange the audits professionally and issue your certificate promptly, providing additional materials to help you advertise your certification. When you contact them initially, do they return your call and sound knowledgeable?
Some RCBs and auditors specialize in particular industries and build up a strong knowledge of the issues relevant to their customers. This can be helpful during the audit as basic industry concepts and terms will be understood and time will be saved. Check whether they have audited similar organizations in your industry.
Making a good choice of RCB based on the above factors can’t guarantee that the certification process will run smoothly, but by having a good understanding of the accreditation regime and by asking the right questions early on you will have given yourself the best chance possible to have a long and happy audit relationship.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. Editor’s note: The original post was published in September 2017, and updates have been made in March 2022 for accuracy and comprehensiveness.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.