ISO 27001:2013. Compliance, Accredited?
If you say ISO 27001:2013 is about compliance, or that you are accredited to the standard, then something is amiss.
ISO/IEC 27001:2013 is not about compliance. It most certainly helps towards your compliance obligations (legal/regulatory/contractual), but compliance is not the relationship you have with the requirements set down by ISO/IEC (JTC1/SC27/WG1, https://www.iso.org/committee/45306.html). That relationship is conformity:
- ISO 9000:2015 defines in 3.6.11 the word "conformity". "Conformance", being synonymous with conformity, was deprecated and thus is not used (note 1 to 3.6.11). The French word "conformité", meaning compliance in English, was also deprecated (note 1 to 3.6.11);
- ISO/IEC 27000:2018 uses in 3.11 the definition for "conformity";
- ISO/IEC 27001:2013 identifies in section 2 a single normative reference, this being ISO/IEC 27000 (and all amendments), and thus points to 3.11 in the 2018 edition. It also states in section 3 that the terms and definitions of ISO/IEC 27000 (and all amendments) are to be used;
- ISO/IEC 27007:2017 identifies:
  - in section 2, normative references:
    - ISO 19011:2011, which defines in 3.18 the word "conformity", giving as its source ISO 9000:2005 (3.6.1);
    - ISO/IEC 27000;
    - ISO/IEC 27001:2013;
  - in section 3, terms and definitions, which are referenced to ISO 19011:2011 and ISO/IEC 27000.
So then, nothing on that word "compliance". ISO/IEC 27001:2013 is not a compliance standard, but it is one that your ISMS can be assessed against to determine whether it conforms to stated requirements.
Now that your ISMS has successfully weathered the audit/assessment (Stage 1, Stage 2) storm by an external Certification Body (CB, and ideally one that is accredited by UKAS), it does not mean the ISMS is accredited! Not at all; your ISMS, since it conforms to the requirements set down by ISO/IEC, is now certified.
- See https://www.iso.org/certification.html:
  - "Certification – the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.
  - Accreditation – the formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards."
  - The independent body (the CB) provides the written assurance that the ISMS conforms to the requirements of ISO/IEC 27001:2013; thus the ISMS is certified.
  - The independent body that is the accreditation body (UKAS in the UK) formally (through an extensive audit process) recognises that a CB is operating (performing third-party audits etc.) to international standards; thus the CB is accredited.
- See https://www.iso.org/casco.html:
  - CASCO being the Committee on Conformity Assessment;
  - ISO 17000:2004 definitions:
    - 2.4, Third-party conformity assessment body (i.e. the CB);
    - 2.5, Conformity assessment body (i.e. the CB);
    - 2.6, Accreditation body (i.e. UKAS in the UK);
    - 5.5, Certification: third-party (CB) attestation related to a system (i.e. the ISMS), products, services etc.;
    - 5.6, Accreditation: third-party (UKAS in the UK) attestation related to a conformity assessment body (CB) and its competence to carry out conformity assessments.