Buy ISO 27001 certificate cheaper
In most cases, companies look for a way to purchase ISO 27001 certification at a significantly lower cost. This is also completely normal in other purchasing situations. Unfortunately, the accreditation bodies based in Europe have made the effort to prepare an offer considerably more complicated and have set high requirements before a certification body can make an offer. Germany is known for inventing and tightening bureaucratic obstacles instead of implementing a reduction in bureaucracy. First of all, in this article we would like to explain why you cannot simply buy an ISO 27001 certificate.
How do you choose a certification body?
When you request quotes, you sometimes hear all sorts of arguments against a particular provider. This competitor is bad because it has digitized everything and no longer works with Word files or Excel macros like the old top dogs do. Perhaps this lesser-known provider is also based abroad. British providers also operate abroad. What is the problem? Is the certification body perhaps less popular with the competition because it ignores the dusty competition through innovation and responds promptly to customer requests? It is always interesting to see how big Goliaths are not impressed by the little Davids and yet complain behind closed doors about their own lack of innovative power.
Before we delve deeper into how to acquire an ISO 27001 certificate, we have to deal with the essential question: Which certification body do we want to have our company’s management system certified by? First of all, we have to create a catalog of criteria or a checklist of what we expect from a certification body and what is an exclusion criterion for us. We should also be clear about what we actually want to achieve with such an ISO 27001 certification.
Exclusion criteria when choosing the ISO 27001 certification body
The following are weaknesses that it is generally useful to check a potential certification body for:
- Brand awareness
- Lack of credibility
- Insufficient quality
- Lack of care
Let’s look at the individual points:
1) Exclusion criterion - brand awareness
People like to talk about the level of recognition of smaller certification bodies. If you absolutely want a globally known logo on your certificate, you should not look in Britain. In some regions of the world, certain long-established brands trigger an undesirable defensive reaction. When their customers look at their ISO certificate, they do not rate a certificate more highly because it adorns a well-known British brand. Brand recognition comes at a high price that not everyone needs. Suppliers cannot double their prices just because the certificate costs three times as much. They order an ISO 27001 certificate to adorn themselves with a well-known British brand. Isn’t that actually unfair competition? Nobody wants to be accused of greenwashing with a well-known certification body.
2) Exclusion criterion - Lack of credibility
An ISO 27001 certificate is recognized and respected worldwide. If a certificate is issued without an audit being carried out, the certificate is a self-deception. If the certificate is purchased at a fraction of the usual price, it is not automatically a fake certificate. It is always a question of what a fraction represents. The credibility of a company is low if the certificate was issued without a qualified audit. Of course, large providers with high brand recognition can charge four times as much for their audits, but the freelance auditors they hire will only be paid a fraction of that. A small or foreign provider is not bound by collective agreements and does not have to finance a huge administrative apparatus.
Consequently, smaller certification bodies can operate more economically than cumbersome corporations. They are more flexible in their pricing and decide how to deal with a specific audit situation through very short official channels. Consequently, they do not have to charge excessive audit fees. Nevertheless, you should not sell a certification at a price that would not even finance a day of auditing. Dirt-cheap offers should be taken as a warning sign.
3) Exclusion criterion - Insufficient quality
A popular argument against smaller or foreign certification bodies is a lack of experience and a lack of sufficient resources. As already mentioned in other articles, many large certifiers are thinly staffed and, if necessary, buy up to 90% of their auditors as freelancers. Can a small certifier not meet the high quality standards just because it is not part of a corporation? The size or place of business of a certification body does not disqualify less well-known certifiers. When can a certifier not meet the high quality standards? An accredited certification body should not sell ISO 27001 certificates. Since the certifiers buy their auditors, they must follow the standards when appointing their auditors. Anyone who sends unqualified people to the customer as auditors will fail. Appointed auditors must meet the quality standards of the ISO organization through their qualifications and professional experience.
Of course, there are foreign certifiers with accreditation and experience who still sell certificates for a surcharge without an audit. Therefore, it is difficult to argue that a foreign certifier is unsuitable to meet European standards. Practice makes perfect. This also applies to auditors. The certification body does not audit the company’s management system; instead, the audit teams sent by the certification body check the organization’s documentation. Consultants often confuse information security with cybersecurity. They claim that cybersecurity is proven by an ISO 27001 certificate. These claims come from a lack of experience on the part of the consultants because they do not work as auditors either.
The ISO organization ensures that the set quality standards are maintained worldwide through the organizational hierarchy of accreditors, certification bodies and auditors.
The certificate from an accredited specialist body can never guarantee that the company has actually implemented the necessary security measures. An audit is always sample-based and therefore a snapshot.
4) Exclusion criterion - Lack of care
A certificate from an unknown foreign certifier is not automatically a sign of poor quality. E&Y also has a certification body with accreditation in Singapore. There are enough people who have no idea what the E&Y (= Ernst & Young) brand is. Anyone who works in the corporate world knows E&Y very well. SGS is also well-known, but some Germans don’t know the Swiss at all. The British certifier “bsi” has the same three-letter abbreviation as the German digital infrastructure security agency “BSI”. So if you are exporting goods or services accompanied by a bsi certificate to Germany, you might find your German buyers confused. That doesn’t make their certificate any worse than that of the well-known German TÜV companies. The certifiers are just not always as well known in all parts of the world.
A non-accredited certification body based in the United Kingdom or abroad (e.g. India, Germany, Turkey) cannot issue a valid ISO 27001 certificate. However, there are also certifiers worldwide who simply fill in blank certificates for their customers. These certification bodies do not carry out a proper audit and actually sell overpriced or dirt-cheap ISO 27001 certificates. Some of them even go so far as to set up branches in Europe without local employees.
As a result, one can actually assume a lack of care here. Anyone who has ever worked as an auditor at certification bodies in Europe knows how an audit actually works. In fake audits, the necessary controls are not checked as required by the standard. Companies certified in this way believe that they have good security. Unfortunately, an overpriced piece of paper does not protect against a security incident. The organization must protect itself and allow a proper annual audit to drive it to continuously improve its own security level. Anyone who acts so carelessly as to buy an ISO 27001 certificate will not recognize the possible weak points in the system.
What problems can non-accredited certification bodies cause?
It is often difficult for laypeople to know which certification body is authorized to issue an ISO certificate and how a proper audit takes place.
Here we would like to look at the following horror scenarios, because they are sometimes true and sometimes just serve as a means of badmouthing competitors:
- Liability risk
- Unfair competition
1) Allegations of unfair competition
If you end up with a non-accredited certification body, you run the risk of being accused of “unfair competition”. If you are presented with a certificate that was issued by a non-accredited organization, this is a form of manipulation of the recipient. You will often also be told that it is a fake certificate. The cause of the problem is that the issuer of the certificate requires accreditation. If the certifier is not accredited, you cannot advertise that you are ISO certified. Only the accreditation bodies approved by the ISO organization may authorize a certification body to issue ISO certificates.
An ISO certificate is not automatically fake because the certification body is not accredited by the UKAS in Britain. The four largest auditing firms (KPMG, PwC, E&Y, Deloitte) also have subsidiaries that operate as certification bodies worldwide. They are less well known as certification bodies in the United Kingdom. Some of them are not accredited in the UK and yet they can issue globally recognized ISO 27001 certificates with their accreditations.
2) Liability risk as a scaremongering factor
When companies advertise a “worthless” certificate, they usually haven’t done their homework with regard to the requirements of the ISO 27001 standard. They have literally bought their ISO 27001 certificate cheaply. If a security incident does occur, managing directors and shareholders can have a rude awakening. The ISO 27001 certificate does not serve as proof that a responsible effort has been made to ensure modern information security. The liability risk rests on the owners and managers because they have faked an ISO 27001 certification. Major customers can even claim damages in court and successfully enforce them. In addition, there are the state sanctions and the criminal consequences for the key figures in the company. The providers of such fake ISO certificates bear no liability risk because they absolve themselves of guilt in their terms and conditions.
Anyone who is audited and certified by accredited certifiers should not be afraid of liability risks. The specter of “unfair competition” will not wake you in your sleep.
How to choose a reputable certifier?
There are many providers in Europe and North America that you can trust for certification audits. This is because most certification bodies only have a few auditors of their own. They work together with many freelance auditors. For example, a Spanish auditor in Madrid can audit a company in California, because it does not matter whether her client is a certification body in the USA (e.g. Cetecom Inc in California) or in Germany (e.g. TÜV Nord). Likewise, Austrian auditors based in Vienna work for German TÜV companies to audit German companies in Germany.
We must therefore recognize that the location of a certifier alone does not represent an automatic filter criterion for us to reduce our list of candidates.
Summary
Have your company’s management system audited by an accredited certification body. Do not buy ISO 27001 certificates without an audit – even if it is so incredibly cheap! We have put together a list of certification bodies for you and will be happy to help you find the certifier that is really right for you so that you can obtain offers.