What is ISO certified vs. ISO compliant?

Expert Charles Denyer explains the difference between an ISO 27002 certification report and an ISO 27002 compliant report.

What is ISO certified vs. ISO compliant? What kind of report is issued to attest that a company is ISO 27002 certified, vs. a report that attests that the company is ISO 27002 compliant?

First and foremost, ISO 27002 began its life as a code of practice published by the U.K. government, which then evolved into a BSI standard (BS7799), then into an ISO standard (ISO 17799). ISO/IEC 27001 is the requirement standard against which organizations certify, while ISO/IEC 17799, which was renamed ISO/IEC 27002, is actually "just" the code of practice.

A company that is ISO 27001 "certified" is given a report by a registrar that has gone through the required registration process by an approved body. This is a lengthy, time-consuming process, limited to select companies. As for being ISO 27001 "compliant," that could mean any number of things, such as a CPA firm issuing an Agreed Upon Procedures (AUP) report saying your company is ISO compliant, or an ISO lead auditor coming into your organization to help you become ISO "compliant" with all the relevant ISO requirements.

Lastly, ISO certification from an approved registrar can also mean you are ISO compliant. Certified vs. compliant can mean the same thing, but they can also mean two entirely different things. It depends on your needs, your customer requirements and other ancillary issues. With that said, there is much confusion about what ISO certification and ISO compliance really mean. For an ounce of clarity, just remember that true ISO certification can only come from an approved registrar, while ISO compliance can be interpreted by any number of measures.

Ask the expert

Charles Denyer, SearchSecurity.com's resident expert on enterprise compliance, standards and frameworks, is standing by to answer your questions. Send in your questions via email today. (All questions are anonymous!)

This was first published in November 2011
