When a vendor tells you they are ISO 27001 certified, they are telling you the truth, right?
…..right?!?
It turns out vendors sometimes fib a little when they tell you they are ISO 27001 certified (shocker!)
Back in the day when I used to do the security due diligence checks for new vendors that were being onboarded, I asked a potential new vendor if they were certified.
“Hey…are you ISO 27001 certified? It would be great if you were”
“Sure, of course we are!”
“Great! Please send me a copy of your cert as soon as possible!”
“Oh…ok…sure…”
When I eventually received the certificate, I pretty quickly suspected something was not quite right.
What was the big red flag, you ask?
There was no Accreditation Body logo on the certificate.
The thing is, not just anybody can issue an ISO 27001 certificate. A certificate only carries weight when the Certification Body that issued it has itself been accredited by an Accreditation Body (such as UKAS or ANAB) to audit and certify against ISO/IEC 27001; accreditation is the quality control on the auditors, and it is why an accredited certificate carries the Accreditation Body's mark.
The "auditor" that provided the vendor with their certificate was not an accredited Certification Body, so what the vendor held was a piece of paper from a consultancy, not an accredited certification.
When I quizzed the vendor on this, they insisted they were indeed certified. So I asked them to tell me more about the audit process they went through with the "auditor". They proudly responded that they went through a grueling 2-hour table-top exercise where the "auditor" asked them some questions about their "ISMS".
Needless to say…we politely declined the services of the vendor.
How to Check An ISO 27001 Certificate
To ensure an ISO/IEC 27001:2022 certificate is valid and legitimate, you should follow these steps:

Initial Document Triage
Examine the physical or digital certificate for mandatory data points that serve as initial indicators of authenticity.
Verify the Standard: Ensure it specifically references ISO/IEC 27001:2022. Certificates issued against the previous 2013 edition ceased to be valid at the end of the transition period on October 31, 2025, so a 2013 certificate is now expired regardless of the expiry date printed on it.
Identify the Certificate Number: A legitimate certificate must have a unique alphanumeric identifier. Its absence is a definitive red flag.
Check Logos and Stamps: The document should feature the logos of both the Certification Body, such as BSI or SGS, and the Accreditation Body, such as UKAS or ANAB. A missing Accreditation Body mark is the single most telling sign. Bear in mind that logos are trivially copied, so their presence proves nothing on its own; it only tells you which bodies to verify with in the next step. Note also that an accredited Certification Body can still issue unaccredited certificates, so check that this particular certificate was issued under the accreditation, not just that the issuer holds one.
Review Dates: Confirm the issue and expiry dates. ISO 27001 certificates are typically valid for a three-year cycle, provided annual surveillance audits are completed, so an expiry date more than three years after the issue date, or one that has already passed, is a problem.
Analyse the Scope Statement: The scope must detail the exact business processes, locations, and systems covered. Ensure the services or products you are purchasing fall within this specified boundary.
Accreditation and CB Verification
Verify both entities involved in issuing it: the Accreditation Body and the Certification Body.
Check the Accreditation Body's Directory: Accreditation Bodies such as UKAS and ANAB publish lists of the Certification Bodies they accredit and the standards each is accredited for. Confirm that the Certification Body on the certificate appears there with ISO/IEC 27001 in its accredited scope; if it does not, the certificate is unaccredited whatever logos it carries. The IAF CertSearch database, operated by the International Accreditation Forum, also lists many accredited certifications and is a useful cross-check.
Check the Certification Body’s Portal: Most major Certification Bodies maintain their own client directories. Use their online tools to search for the company by name or certificate number.
Direct Inquiry: If online tools are unavailable, email the Certification Body directly (using contact details from their own website, not from the certificate). Provide the certificate number and ask them to confirm its validity, its scope and expiry date, that it has not been suspended or withdrawn, and that no major non-conformities are outstanding.
Common Red Flags of "Certificate Mills"
Be alert for these signs of fraudulent activity:
Typographical Errors: Look for typos in the standard name (e.g., "ISO_IEC" or "ISO 27001-2022") or misspelled company details.
No Digital Signature: While not universal, the absence of a digital signature on a PDF certificate can be suspicious.
Generic Scopes: Scopes that vaguely claim to cover "all company operations" without specifics.
Unverifiable Issuer: An issuer that does not appear on any Accreditation Body's directory, or an "audit" that the vendor describes as a short questionnaire or a single table-top session rather than a Stage 1 and Stage 2 audit with evidence sampling.
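The triage and verification steps above are mechanical enough to script, which is useful when you onboard vendors in volume. The following is an added example, not code from the original post: it takes the fields transcribed from a certificate, applies the document checks (standard designation and typos, certificate number, both body marks, three-year validity, generic scope, digital signature), then reconciles the document with what the Certification Body's directory reports. Every organisation, body name, certificate number, date and the shape of the "portal record" is constructed or assumed for illustration and describes no real Certification Body's portal.

```python
"""Triage a transcribed ISO/IEC 27001 certificate against the checklist above.
Added example, not code from the original post. Every organisation, body name,
certificate number and 'portal record' shape below is constructed/assumed."""
import re
from dataclasses import dataclass, replace
from datetime import date, timedelta

ISO27001_2013_SUNSET = date(2025, 10, 31)   # end of the 2013 -> 2022 transition period
EXACT_2022, EXACT_2013 = "ISO/IEC 27001:2022", "ISO/IEC 27001:2013"
MAX_VALIDITY = timedelta(days=3 * 366)      # three-year cycle, with leap-day slack
LOOSE_27001 = re.compile(r"ISO[\s_/\-]*(IEC)?[\s_/\-]*27001", re.I)  # e.g. "ISO_IEC 27001-2022"
GENERIC_SCOPE = re.compile(
    r"\b(all (company |business )?(operations|activities)|entire (company|business|organi[sz]ation))\b", re.I)
CERT_NUMBER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 /\-]{3,}$")  # assumed minimal shape; real CBs differ


@dataclass
class Certificate:                 # fields transcribed from the PDF the vendor sent
    organisation: str
    standard: str
    number: str
    certification_body: str
    accreditation_body: str
    issued: date
    expires: date
    scope: str
    digitally_signed: bool = False


@dataclass
class PortalRecord:                # what a CB's public directory might return (assumed shape)
    number: str
    organisation: str
    status: str                    # "valid", "suspended", "withdrawn"
    scope: str
    expires: date


def _norm(text):
    return re.sub(r"\s+", " ", text).strip().casefold()


def triage(cert, today):
    """Findings from the document alone as (severity, message); any RED means decline until explained."""
    out = []
    std = cert.standard.strip()
    if std == EXACT_2013:
        sev = "RED" if today > ISO27001_2013_SUNSET else "WARN"
        out.append((sev, f"2013 edition: certificates ceased to be valid on {ISO27001_2013_SUNSET}"))
    elif std != EXACT_2022:
        kind = "malformed reference to" if LOOSE_27001.search(std) else "does not reference"
        out.append(("RED", f"{kind} ISO/IEC 27001: {std!r} (expected {EXACT_2022!r})"))
    if not CERT_NUMBER.match(cert.number.strip()):
        out.append(("RED", "missing or malformed certificate number"))
    if not cert.certification_body.strip():
        out.append(("RED", "no Certification Body named"))
    if not cert.accreditation_body.strip():
        out.append(("RED", "no Accreditation Body mark: issuer may be unaccredited"))
    if cert.expires <= cert.issued:
        out.append(("RED", "expiry date is not after issue date"))
    elif cert.expires - cert.issued > MAX_VALIDITY:
        out.append(("RED", "validity exceeds the three-year certification cycle"))
    if today > cert.expires:
        out.append(("RED", f"certificate expired on {cert.expires}"))
    if GENERIC_SCOPE.search(cert.scope) or len(cert.scope.split()) < 6:
        out.append(("RED", "scope is generic or too short to bound the certified services"))
    if not cert.digitally_signed:
        out.append(("WARN", "PDF is not digitally signed (suspicious, not conclusive)"))
    return out


def reconcile(cert, record):
    """Compare the document with the CB directory entry; every mismatch needs an explanation."""
    problems = []
    if _norm(cert.number) != _norm(record.number):
        problems.append("certificate number differs from CB directory")
    if _norm(cert.organisation) != _norm(record.organisation):
        problems.append("organisation name differs from CB directory")
    if record.status != "valid":
        problems.append(f"CB reports status {record.status!r}")
    if record.expires != cert.expires:
        problems.append("expiry date differs from CB directory")
    if _norm(record.scope) != _norm(cert.scope):
        problems.append("scope statement differs from CB directory")
    return problems


# Constructed sample data: no real organisation, CB, AB or certificate number.
TODAY = date(2026, 3, 1)
MILL_CERT = Certificate("Example Widgets Ltd", "ISO_IEC 27001-2022", "", "Global Compliance Certifiers", "",
                        date(2025, 6, 1), date(2030, 6, 1), "All company operations.")
GOOD_SCOPE = ("The information security management system supporting the development, hosting and "
              "support of the Example SaaS platform from the London office, per Statement of Applicability v3.")
GOOD_CERT = Certificate("Example Widgets Ltd", EXACT_2022, "EX-2024-0001", "Example Certification Ltd",
                        "Example Accreditation Service", date(2024, 3, 15), date(2027, 3, 14), GOOD_SCOPE, True)
LEGACY_CERT = replace(GOOD_CERT, standard=EXACT_2013)
PORTAL_RECORD = PortalRecord("ex-2024-0001", "Example Widgets Ltd", "valid", GOOD_SCOPE, date(2027, 3, 14))
SUSPENDED_RECORD = replace(PORTAL_RECORD, status="suspended")

if __name__ == "__main__":
    for name, cert in (("mill", MILL_CERT), ("good", GOOD_CERT), ("legacy", LEGACY_CERT)):
        print(name, triage(cert, TODAY))
    print("reconcile:", reconcile(GOOD_CERT, PORTAL_RECORD), reconcile(GOOD_CERT, SUSPENDED_RECORD))
```

Run it as-is to see the constructed "mill" certificate trip five RED findings (malformed standard, no number, no Accreditation Body mark, five-year validity, generic scope) plus the unsigned-PDF warning, while the clean certificate passes triage and matches its directory entry. The `triage` pass is only the desk check from the first step; `reconcile` is the part that actually settles the question, and a suspended or withdrawn status from the Certification Body overrides anything printed on the paper. Treat the regular expressions for the standard designation and certificate number as starting points to tune against the formats your own Certification Bodies use.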
