Friday, 9 May 2014

Why do we trust in certification bodies?

Are you a believer? Do you accept that a company that is implementing and maintaining a management system based on ISO/IEC 27001 will have effective information security management processes appropriate for their unique business environment?
If you don't, then it's pointless worrying about how or why we should trust certification bodies, since their role is essentially to provide the interested parties of the certified organization with a greater degree of assurance of ongoing conformity to those standards.
In certification, you are putting your faith in the abilities of the individual auditors who carry out the audits on behalf of the certifying body. If two different and competent auditors plan and conduct the same audit, each will emerge with different findings. In order to have confidence in this process, you must also understand how it works, its value and its weaknesses.
National accreditation bodies, like UKAS in the United Kingdom, help to give us confidence by auditing the certification bodies, essentially on our behalf, and ultimately withdrawing the accreditation if the certification body is not fulfilling its own management system requirements and complying with standards such as ISO/IEC 17021 (Conformity assessment requirements). ISO/IEC 17021 requires, for example, that certification bodies and their auditors are independent in conducting the audit: a certification body cannot also act as a consultant to the organizations it certifies.
Another important requirement is that certification bodies must have effective processes in place for selecting and training auditors to ensure the necessary competence - very important given that we are being audited by people, and all are different. Good certification bodies will ensure consistency as much as possible, and to a high standard.
So to answer my own question, we often trust 'accredited' certification bodies because we understand that they are being monitored by a competent, independent third party (a national accreditation body) and have to maintain certain standards in order to remain accredited.
Are there good and bad certification bodies? Are there good and bad auditors? YES to both! It's certainly not black and white, and good auditors can have bad days too! But ultimately, the certification process is a convention of trust. It is the reputation of the certification body and its accreditation that we are looking to for that trust, and this is the main reason why an unaccredited certificate of conformity issued by me would likely be perceived as worthless compared to the certificate of a known certification organisation.
A final thought. When you see the little green lock icon in your browser window whilst typing in your credit card details for a spot of midnight shopping, and the URL reads HTTPS, do you stop to ask the question, "Why do we trust in Certificate Authorities?" SSL Certificate Authorities (CAs) - those who issue the digital certificates to the e-commerce websites that we trust with our credit card and other personal details - are businesses too.
When it comes to selecting a certification body as an implementer, or evaluating a supplier who is certified, it is primarily the independence, reputation/brand and history of the certification body that provides the degree of assurance you are probably looking for. But it's not a guarantee.