Getting started with the International Organization for Standardization (ISO)

It all began with ISO (International Organization for Standardization), an international non-governmental organization founded in 1947. ISO develops and publishes “voluntary” international standards in a wide range of fields, including information security (ISO/IEC 27001), quality (ISO 9001), the environment (ISO 14001), and more.

We say voluntary because ISO doesn’t certify anyone or impose anything.

It simply draws up the standards. It is then up to member countries to decide how they wish to integrate these standards into their own systems: some adopt them as they stand, others translate, adapt or modify them slightly to reflect local realities.

Although ISO/IEC 27001 is an international standard, some countries publish equivalent national versions (such as CAN/CSA-ISO/IEC 27001 in Canada or JIS Q 27001 in Japan), sometimes accompanied by local annexes or specific recommendations. The core of the standard remains the same, however, to guarantee international recognition of the certification.


What is an Accreditation Body (AB)?

Accreditation bodies verify and validate the competence of certification bodies. They act as supervisors of the entities issuing certifications. To be credible, they must themselves comply with rigorous requirements, notably the ISO/IEC 17011 standard governing ABs.

These ABs often exist at national level:

  • Canada: Standards Council of Canada (SCC)
  • United States: ANAB (ANSI National Accreditation Board)
  • United Kingdom: UKAS (United Kingdom Accreditation Service)

Who supervises accreditation bodies? IAF

At the top of the pyramid is the International Accreditation Forum (IAF). This is the international organization that oversees accreditation bodies worldwide. It sets the rules for mutual recognition between ABs. In other words, if your CB is accredited by an IAF member AB, its ISO certificate is recognized in all other member countries.

The IAF is independent of ISO, but the two work closely together. ISO develops the standards, and the IAF ensures that they are applied consistently and correctly worldwide by CBs and ABs.

And below: Certification Bodies (CB)

A certification body is an independent company or organization that carries out audits and issues certificates of conformity to ISO standards.

For its certificates to be credible, it must be accredited by a recognized AB, in accordance with ISO/IEC 17021-1, the standard for bodies that audit and certify management systems.

How do you become an accredited CB?

  1. You set up your structure and processes in compliance with ISO/IEC 17021-1.
  2. You apply to an AB such as CCN (the Standards Council of Canada, SCC).
  3. You undergo a detailed assessment (document review, field audits, interviews with your auditors).
  4. If all goes well, you’ll be accredited for a limited period (usually 3 to 5 years), with regular surveillance audits.

Please note: CBs are accredited by domain. Being accredited for ISO 9001 does not mean being accredited for ISO/IEC 27001. You need to check the exact scope of your accreditation.

Examples of accredited CBs in Quebec and Canada:

  • BNQ (Bureau de normalisation du Québec)
  • PECB Canada
  • SGS
  • Certi-Trust
  • Bureau Veritas, DNV, Intertek, UL, NQA, etc.

United States:

  • BSI America
  • ControlCase
  • Schellman
  • Perry Johnson Registrars
  • NSF-ISR
  • NQA USA
  • A-LIGN
  • Orion Registrar

SCC maintains an up-to-date list of accredited CBs here: https://www.scc.ca/fr/programmes/accreditation/organismes-de-certification

And finally, there’s the certified company

At the end of the chain, we find the company (You) that wishes to demonstrate its conformity to an ISO standard. The company will:

  1. Implement a compliant management system (e.g. an ISMS, information security management system, for ISO/IEC 27001)
  2. Choose an accredited CB to audit it
  3. Obtain a certificate valid for 3 years (with annual surveillance audits)

Why is this structure essential?

It guarantees the chain of trust. ISO writes the rules. IAF supervises supervisors (ABs). ABs validate CBs. And the CBs validate the organizations.

Without this chain, anyone could print an ISO certificate in their basement. And unfortunately, some unaccredited CBs do just that…

At a glance: ISO → IAF → AB → CB → Certified company

Beware of non-accredited organizations

A non-accredited CB can still sell you an ISO/IEC 27001 certificate.

But this certificate has no officially recognized value. In short: you pay for a sticker, but no one is going to respect it. Some of these CBs don’t even do a serious audit. They send you a completed PDF, with your logo, signed by a pseudo-auditor. Result: you think you’re compliant, but you’re vulnerable. In the event of an incident, it won’t stand up in front of a customer, an authority or in court.

Worse still: some of these CBs try to pass themselves off as legitimate with fake accreditation logos or affiliations with unrecognized entities. This is why you should always:

  1. Check that the CB is accredited by an IAF member AB
  2. Check that the accreditation covers the desired standard, such as ISO/IEC 27001 (and not just ISO 9001).

Time and costs

ISO/IEC 27001 certification often takes between 3 and 6 months to obtain, depending on the maturity of your ISMS. Fees range from $8,000 to $25,000 over three years, including surveillance audits.

In short: who created whom?

  • ISO is an organization founded by member states in 1947. It is the source of the system.
  • The IAF was created to harmonize the application of ISO standards worldwide.
  • ABs are created or recognized by governments or competent national authorities (such as the SCC in Canada).
  • CBs are private or public entities that comply with ISO/IEC 17021-1 requirements and are accredited by an AB to operate.

Who’s financing this?

ISO:

ISO is financed from three main sources:

  • The sale of ISO standards, which are not free of charge (often between $100 and $300 each).
  • National membership fees
  • International partnerships or special projects (e.g. UN, WTO)

IAF:

The IAF is a non-profit organization funded by:

  • Annual membership fees paid by its members (accreditation bodies such as CCN, ANAB, UKAS)
  • Fees for training and participation in its activities

AB (e.g. CCN, ANAB, UKAS):

Accreditation bodies are funded by:

  • Accreditation fees invoiced to CBs (assessments, renewals, surveillance audits)
  • Sometimes public funds or government subsidies (especially in Canada and Europe)
  • Related services such as training and publications

CB (e.g. PECB, SGS, BNQ):

Certification bodies derive their revenue from:

  • Sales of audit and certification services to companies
  • Certified training activities
  • Follow-up services, such as surveillance and renewal audits

In short, it’s the certified companies that finance the whole chain. They pay the CBs, who pay the ABs, who pay the IAF, while ISO sells the standards. The model is based on a cascade of financing between independent players, with cross-checks to ensure quality and impartiality.
