ISO/IEC 27001 accreditation for certification bodies
We are currently a small security company holding the first Colombian ISO/IEC 27001 certificate for an ISMS. Two other companies have certified their ISMS, but against the old BS 7799-2. Our certification is a stone in the shoe for some companies in Colombia that do not hold this certificate. Their technique: FUD (Fear, Uncertainty and Doubt) on some security mailing lists in Colombia. Their pattern: questioning the validity of the certificate issued by our certification body. Our intention: to be the best with facts, not with words, moving fast by using our small size.
To resolve this issue I read a lot, and I think this summary is useful for everybody. First of all, some definitions:
1. Accreditation: Procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks.
2. Certification: Procedure by which a third party gives written assurance (a certificate of conformity) that a product, process or service conforms to specified requirements.
The main goal is confidence in the conformity (similar to the trust problem in PKI). For this purpose, there are government organizations in each country that perform the accreditation function, for instance UKAS in England and SIC in Colombia. These organizations accredit the certification bodies, which then run the certification process.
To achieve accreditation, the certification body must comply with certain requirements, but what are these requirements? For now there are three alternatives for accreditation related to ISO/IEC 27001:
1. ISO/IEC 27006:2007: Of course, this standard is very new, and I could not find references to certification bodies accredited against it.
2. EN 45012:1998, modified for information security management system certification: The certification body BSI is currently accredited against this standard, but the scope does not cover any locations in Latin America (Brazil and Mexico, for instance).
3. EA 7/03.
Additionally is possible to achieve some level of confidence, with Multi-Lateral Agreements (MLA). A multilateral agreement, recognize the validity of some kind of certification between accreditation bodies or certification bodies. For example, Icontec, now is not accredited even in ISO9000 by the SIC or another accreditation body, but have MLA with IQNet, given some kind of confidence to his certificated customers.
Another important point here, is that every certification body needs at least one audit of an ISMS in a company to get his accreditation for the accreditation body.
In this sense is important to say, that our certificate is valid only for the companies or people who trust in the independence of our certification body, because for now, they are not accredited and does not have MLA related with ISO/IEC 27001.
However there are very interesting discoveries, like BSI Brasil and BSI Mexico are not accredited certification bodies, neither with UKAS or another accreditation body.