Certifications are widely used by companies as advertisement, showing that the company is reliable. The more certifications the better. Of course, having a lot of certifications can show the reliability of an organization, however that is not the case by default! Knowing the purpose of a certification and understanding its scope is crucial when you really want to gain trust by assessing certifications.
Certifications regarding the internal organization of your Service Organization
Certifications can be used to obtain comfort about the operations of an organization. For example: ISO 9001 will provide comfort regarding the quality management of an organization’s internal business processes. Such a certification does not directly provide comfort about the environment that is part of the customer’s responsibility. Also, for ISO 27001 the scope can include the service provided to the customer, however it can also solely include the sales process of the internal organization. Just obtaining a certificate and showing it on your website does not mean the services you use are included in the scope or that the certificate has an impact on the services you use. Therefore, if your organization demands that a supplier be certified, check which services and scope are included in the certification.
Certifications regarding the services offered to you as a client
Besides certifications that are related to the internal organization, some certifications are designed to specifically certify the services to the client, like PCI-DSS and SOC reporting. These certifications specifically address how the service organization manages its client services. Instead of showing that the internal organization has an effective information management process, these certifications specifically address the requirements with respect to the services you use. Also, for certifications regarding client services, again the scope is important. For example, within SOC reporting a specific scope is defined. If your organization is using additional services offered by the service organization, or uses a different physical site, and it is not included in the scope, you cannot rely on the certification for those specific services.
The certification purposes
Besides looking at the scope of the certification, it must be determined whether the purpose of the certification is relevant for your service organization. For example, a data center can be certified to comply with NEN 5710 (information security on medical data), however if the data center does not have access to the information, requesting that certification is not useful. The data center can be a control used by the holder of the certificate, but an auditor cannot assess how the data center handles medical data if the data center does not have access to that data.
Another example is the GDPR certification that can be obtained by companies. Using a company that is GDPR certified does not mean that your organization can rely on that certification. Such a certification means that the company holding the GDPR certification complies with the GDPR for the personal data it stores and can access.
To conclude, certifications are widely used by organizations to show that their company’s processes are the best and that their clients can trust them. It is important not to just list certifications and ‘check the box’ when selecting your suppliers. When you know which processes and services are important for you, you can assess the certifications, and the certifications bring the value they should bring.