Choosing a certification body¶
The certificate at the end of an ISO 27001 or ISO 22301 journey is signed by a certification body, and the choice of body shapes more than the invoice: it decides who walks through the door for the next three years, what kind of audit happens when they do, and how much the certificate is worth to the people it is meant to convince. The summit push covers the audit itself; the buying decision comes first.
Accreditation first¶
Certification bodies are themselves audited. A national accreditation body assesses them against ISO/IEC 17021-1, with ISO/IEC 27006 adding the ISMS-specific requirements, and grants accreditation for specific standards and scopes. In the EU, each member state appoints a single national accreditation body under Regulation 765/2008: UKAS in the UK, DAkkS in Germany, RvA in the Netherlands, COFRAC in France, and so on. Accreditations granted under the International Accreditation Forum’s multilateral arrangements are recognised across borders, which is what lets a certificate issued in one country convince a customer in another.
The practical consequences:
An accredited certificate and an unaccredited one look similar and are worth very different amounts. Unaccredited certificates exist, cost less, and tend to fail the first customer or regulator who checks.
Verification is quick: accreditation bodies publish registers, and a certification body’s accreditation number and scope can be checked before any contract is signed.
Accreditation covers scopes, not just bodies. A body accredited for ISO 9001 is not thereby accredited for ISO 27001, and one accredited for ISO 27001 in one country may operate differently elsewhere.
What actually varies between bodies¶
Within the accredited pool, bodies differ in ways the brochures do not advertise:
Sector experience. An auditor who knows OT environments, healthcare, or SaaS asks different questions from a generalist, and the findings are correspondingly more useful. The body’s auditor pool decides this, not its marketing.
Auditor continuity. Some bodies keep the same lead auditor across the cycle, which builds context; others rotate by policy, which keeps the eyes fresh. Both models are defensible, and knowing which one is on offer beats discovering it.
Audit style. Checklist-driven audits and risk-based conversations both satisfy the standard. They produce very different experiences and very different value from the same audit days.
Language, geography, and scheduling. Multi-site and multi-country scopes need a body that can cover them without importing auditors at day rates.
Integrated audits. Bodies accredited for several standards can audit ISO 27001 and ISO 22301 in a combined visit, since the management system standards share the same structural skeleton. For an organisation running both, this halves the disruption.
Price, last. Day rates vary less than the other factors, and the cheap quote with an inexperienced auditor pool costs more over three years than it saves in year one.
Questions worth asking before signing¶
Who, by name and background, would audit us, and what happens if we consider an assigned auditor a poor fit?
What is the continuity policy across surveillance and recertification?
How are findings graded and challenged, and what does the closure process look like from the client side?
What did the body’s transition support look like the last time the standard revised, and what will it cost next time?
What are the full-cycle fees: application, both stages, each surveillance visit, recertification, and the day rate for extra audit days or scope extensions?
What happens to the schedule and the fees when the scope changes mid-cycle?
What are the terms for leaving? Accredited certificates can move between bodies through a defined transfer process, and a body that makes transfer sound impossible is answering a different question than the one asked.
The relationship over the cycle¶
The certification body is a three-year relationship with a built-in tension. The body is paid by the organisation it audits, and its independence is what gives the certificate value; accreditation rules manage this by, among other things, prohibiting a body from consulting on the management systems it certifies. An offer of “help getting ready” from the same body that will audit the result is a warning sign about the body, not a convenience.
Over the cycle, two failure modes are worth watching from the client side. A relationship gone comfortable produces surveillance visits that find nothing, teach nothing, and quietly devalue the certificate; if the reports have said “no findings” for years while internal audits still find things, the external eye has stopped looking. A relationship gone adversarial produces grading disputes and findings that feel capricious; the challenge process exists for this, and a well-formed finding can be challenged on its evidence. Persistent examples of either are the signal to use the transfer process, which is also the quiet discipline that keeps bodies honest.
Where this does not apply¶
Supervisory relationships are not chosen. NIS2 competent authorities and sector regulators are assigned by law, and the posture there is the one the far bank describes: registration, organised evidence, and professional cooperation. A certification body relationship can support that (a certificate is evidence a supervisor recognises), but it never substitutes for it.
Related¶
Last updated: 8 July 2026