
ISO 27001 Accreditation: Choosing a Certification Body and Avoiding Common Pitfalls

Reviewed by Opsio Engineering Team
Debolina Guha

Consultant Manager

Six Sigma White Belt (AIGPE), Internal Auditor - Integrated Management System (ISO), Gold Medalist MBA, 8+ years in cloud and cybersecurity content


The ISO 27001 certificate on your wall is only as credible as the certification body that issued it, and the certification body is only as credible as the accreditation body that watches over it. The accreditation chain (accreditation body, certification body, certificate) is the integrity layer that makes ISO 27001 actually mean something. Choose the wrong link in the chain and the certificate becomes a procurement-defeating liability rather than an asset.

This article covers the accreditation hierarchy, what to check when selecting a certification body, the practical consequences of getting it wrong, and the negotiation patterns that drive better outcomes.

The Accreditation Hierarchy

Three layers stack up to produce a credible certificate.

  1. The International Accreditation Forum (IAF): the umbrella that ensures national accreditation bodies operate to consistent global standards through Multilateral Recognition Arrangements (MLAs)
  2. National accreditation bodies: UKAS (UK), Swedac (Sweden), DAkkS (Germany), ANAB (US), NABCB (India), JAS-ANZ (AU/NZ), DAR (China), etc. They accredit certification bodies and inspect their work
  3. Certification bodies: the firms that audit your ISMS and issue the certificate. Examples: BSI, DNV, TÜV variants, SGS, Bureau Veritas, Lloyd's Register, Intertek, plus many regional CBs

A certificate from a CB accredited under an IAF-MLA accreditation body is internationally recognised. A certificate from a CB without IAF-MLA accreditation may not be; some procurement teams reject it explicitly.

What "Accredited Under ISO/IEC 17021-1" Means

ISO/IEC 17021-1 is the standard that governs how certification bodies operate management-system audits. Accreditation under this standard means the CB has been independently inspected for: auditor competence, impartiality, audit time calculations, certification decision processes, and complaint handling. Without 17021-1 accreditation, audits may not be performed to documented international standards.

The accompanying ISO/IEC 27006:2015 is the supplementary standard specifically for ISMS certification, defining audit-day requirements per organisation size and complexity. CBs that issue ISO 27001 certificates must be accredited against both 17021-1 and 27006.


How to Verify a Certification Body's Accreditation

Before you sign with a CB, verify accreditation explicitly:

  1. Ask the CB which accreditation body accredits it for ISO 27001
  2. Look up the CB on the accreditation body's public register (UKAS, ANAB, Swedac, etc. all publish lists)
  3. Confirm the accreditation covers ISO/IEC 27001 specifically, not just ISO 9001 or another standard
  4. Confirm the accreditation body is a signatory to the IAF MLA for management systems

This verification takes 15 minutes and prevents the worst-case outcome: a certificate that procurement rejects.

The Pitfalls We See Most Often

Across customer engagements and audit observations, four pitfalls account for most certification credibility issues.

Pitfall 1: Choosing an Unaccredited or Non-IAF-MLA Certification Body

Some CBs issue ISO 27001 "certificates" without accreditation under any IAF-MLA body. The certificates carry the ISO 27001 wording but lack the accreditation chain. Procurement teams familiar with the standard reject them. New SMEs sometimes fall for these because pricing is 50-70% lower than accredited CBs. The savings disappear when the certificate fails its first procurement check.

Pitfall 2: Underbid Audits

ISO/IEC 27006 prescribes minimum audit days based on organisation size, scope complexity, and effective number of personnel. A quote that significantly undercuts other accredited CBs for the same scope is suspicious: either the CB is calculating audit days incorrectly or it is skipping required audit work. Both are accreditation findings against the CB and may eventually invalidate certificates issued.

Pitfall 3: Single-Auditor Risk

Smaller CBs may have only one or two auditors qualified for ISO 27001 in your region. If that auditor leaves the firm or is unavailable, surveillance audits get rescheduled or rerouted to new auditors who must learn your environment from scratch. Larger CBs and well-staffed regional ones avoid this concentration risk.

Pitfall 4: Auditor Competence Mismatch

An ISO 27001 auditor with strong manufacturing experience may struggle with cloud-native SaaS environments. The standard is industry-agnostic but auditors are not. Ask the CB about the proposed auditor's industry and technology experience. A mismatched auditor produces longer audits with more findings, sometimes findings that reflect auditor unfamiliarity rather than real ISMS weaknesses.

Negotiation Patterns That Actually Work

CB selection and negotiation is more leveraged than most companies realise. The patterns that consistently produce better outcomes:

  • Get three quotes minimum, all from accredited CBs in the same accreditation tier. A quote spread of 30-40% for the same scope is normal
  • Confirm audit-day calculations: ask the CB to share the ISO 27006 calculation. Catch errors before the contract
  • Negotiate the multi-year package (initial audit + 2 surveillance + recertification). Year-by-year is more expensive
  • Confirm auditor assignment in writing: get the named lead auditor's CV before signing
  • Confirm CB capacity: multi-year continuity matters, especially for smaller CBs

Switching Certification Bodies

You can switch CBs mid-cycle. The new CB performs a "transfer audit" reviewing the prior CB's findings, the current SoA, and recent management reviews; if everything is in order, the new CB issues a fresh certificate covering the remainder of the original 3-year cycle. The transfer audit costs roughly 30-50% of a new Stage 2.

Common reasons to switch: pricing, auditor availability, accreditation issues at the original CB, customer-driven requirement for a specific accreditation chain. Switching is operationally manageable and worth doing when the original CB relationship has gone sideways.

Mutual Recognition: When One Certificate Is Enough

The IAF MLA means that an ISO 27001 certificate from any IAF-MLA-accredited CB should be accepted globally. In practice, some specific procurement requirements are stricter (e.g., German federal procurement requires DAkkS-accredited certs in some sectors). For most enterprise procurement, IAF-MLA recognition is sufficient.

How Opsio Helps

Opsio runs the CB selection process as part of our ISO certification gap analysis service. We get multiple quotes, review accreditation, vet auditor profiles for technology fit, and structure the multi-year contract. We also run transfer audits when customers inherit a CB relationship that is not working. The CB choice meaningfully affects audit quality and ongoing cost; we treat it as a strategic procurement decision rather than an administrative one. We tie this into broader security and compliance review programmes for organisations holding multiple certifications.

About the Author

Debolina Guha

Consultant Manager at Opsio

Six Sigma White Belt (AIGPE), Internal Auditor - Integrated Management System (ISO), Gold Medalist MBA, 8+ years in cloud and cybersecurity content

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence: we recommend solutions based on technical merit, not commercial relationships.