What is ISO certified vs. ISO compliant?

Discover the difference between an ISO 27002 certification report and an ISO 27002 compliant report.

What is ISO certified vs. ISO compliant? What kind of report is issued to attest a company is ISO 27002 certified vs. a report that attests the company is ISO 27002 compliant?

First and foremost, ISO 27002 began its life as a code of practice published by the U.K. government, which then evolved into a BSI standard (BS 7799) and later into an ISO standard (ISO 17799). ISO/IEC 27001 is the requirements standard against which organizations certify, while ISO/IEC 17799, since renamed ISO/IEC 27002, is actually "just" the code of practice.

A company that is ISO 27001 "certified" is given a report by a registrar that has itself gone through the required registration process with an approved accreditation body. This is a lengthy, time-consuming process, limited to select companies. As for being ISO 27001 "compliant," that could mean any number of things, such as a CPA firm issuing an Agreed Upon Procedures (AUP) report stating that your company is ISO compliant, or an ISO lead auditor coming into your organization to help you become ISO "compliant" with all the relevant ISO requirements.

Lastly, ISO certification from an approved registrar can also mean you are ISO compliant. Certified vs. compliant can mean the same thing, but they can also mean two entirely different things. It depends on your needs, your customer requirements and other ancillary issues. With that said, there is much confusion about what ISO certification and ISO compliance really mean. For an ounce of clarity, just remember that true ISO certification can only come from an approved registrar, while ISO compliance can be interpreted by any number of measures.

This was last published in November 2011
