What is the difference between certification and accreditation bodies for ISO 27001?
Accreditation and certification are two important approaches to attesting to the competence of an institution; they are, however, not the same. As it has been said, accreditation can be compared to endorsements for certification bodies themselves. It means that third parties understood that these bodies have sufficient qualifications and unbiased judging criteria to solve some technical problems.
For instance, if a certification body gets accredited, it confirms that it meets the right standard to assess another organization against ISO standards.
Hearing, on the other hand, is about providing proof that an organization, product, or individual complies with criteria as defined in a standard or scheme. If a company produces that they are ISO certified it means a third-party assessment organization has found that the company complies with ISO Standards.
Let’s break down the differences in a detailed way:
| Aspect | Certification Bodies | Accreditation Bodies |
| Function | Conduct audits and issue ISO 27001 certificates to organizations. | Evaluate and authorize certification bodies to issue ISO 27001 certificates. |
| Focus | Verifying an organization’s compliance with ISO 27001. | Ensuring certification bodies operate according to international standards and guidelines. |
| Examples | BSI (British Standards Institution), DNV GL, SGS, TÜV SÜD. | UKAS (United Kingdom Accreditation Service), ANAB (ANSI National Accreditation Board). |
| Direct Interaction | Organizations interact directly to obtain certification. | Organizations typically do not interact directly; they interact through certification bodies. |
| Authority | Operate under the authority granted by accreditation bodies. | Operate with authority given by international standards and national regulations. |
| Evaluation Criteria | Based on ISO 27001 standards and specific audit requirements. | Based on ISO/IEC 17021 (requirements for bodies providing audit and certification of management systems). |
| Issuance of Certificates | Issues ISO 27001 certificates once an organization is found compliant. | It does not issue certificates to organizations; it ensures certification bodies are competent. |
| Compliance Monitoring | Monitors ongoing compliance of certified organizations through periodic audits. | Monitors certification bodies to ensure they maintain accreditation standards. |
