
When it comes to keeping information assets secure, organizations can rely on the ISO/IEC 27000 family.
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
As with other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification.
CERTIFICATION
Certification can be a useful tool to add credibility, by demonstrating that your product or service meets the expectations of your customers. For some industries, certification is a legal or contractual requirement.
ISO DOES NOT PERFORM CERTIFICATION
At ISO, we develop International Standards, such as ISO 9001 and ISO 14001, but we are not involved in their certification, and do not issue certificates. This is performed by external certification bodies, thus a company or organization cannot be certified by ISO.
However, ISO’s Committee on Conformity Assessment (CASCO) has produced a number of standards related to the certification process, which are used by certification bodies.