Certification is about rules, compliance is about trust

Thursday, 14 July, 2022

The word ‘trust’ spelled out in Scrabble letters (Source: Unsplash/faithgiant)

Various schemes and standards exist to provide assurance of baseline controls and good cyber security practices within an organisation. They may be internationally recognised, such as ISO 27001, or government-backed, like the UK government scheme Cyber Essentials or IASME Governance.

You’ll often encounter organisations that say they’re “certified” to these standards, and others that say they’re “compliant” with them. There’s an important difference between those two things.

Certification means that an authorised third party has tested and validated that the organisation adheres to the requirements and conforms to the standard or scheme. You can only say you’re certified if a third party agrees that you are.

Compliance is different: the organisation is not validated against the requirements. Any organisation can claim to “comply” with a standard, but no third party is involved to back that up. It would be like someone saying they’d done all the revision and know the material; they just haven’t taken the test.

What to look out for

There are subtle ways to tell the difference between certification and compliance.

For example, a certified organisation may say: “We’re audited by a third-party provider and certified against ISO 27001 to prove we have an operational and effective Information Security Management System”, or “We are Cyber Essentials Plus accredited”.

A compliant organisation may say “We meet the requirements of ISO 27001”, or “We follow Cyber Essentials Plus’ best practices for cyber security”.

The words are only slightly different, but those small differences matter.

Compliance can be subjective

Compliance claims are based on subjective, self-assessed views, so compliance is never guaranteed. It boils down to trust: do you trust another organisation’s claim to be compliant? The only way to be properly reassured is to look for official assurance from someone impartial to the organisation.

Certification relies on audits against the requirements. This provides impartial assurance, as the auditor is not involved in the organisation’s cyber security. An accredited auditor can be relied upon because accreditation establishes that they have the right skills and knowledge to certify organisations.

Certification provides validation and assurance

Consider if you were looking to trust your sensitive data with another organisation. How confident would you be that they have the right security in place?

In this instance, you are more likely to trust an organisation that is certified to a cyber security standard over one that is only compliant with the same standard.

For example, if a company is ISO 27001 certified, you can trust that they have been verified by their auditor and that they meet the requirements of the standard. If another company says they are ISO 27001 compliant, the company’s own view may differ from the opinion an external ISO 27001 auditor would form, so you can’t trust that they actually are compliant. Standards are lists of things to conform to, and a company that says it’s “compliant” is effectively saying that it may or may not conform to everything on the list. You can’t easily tell whether they conform to all of it, or just some of it.

Certification over compliance

We’re not saying that all companies who claim to be “compliant” with standards are doing the wrong thing, but we do believe that certification is a far more trustworthy and valuable way of saying where you stand. Certification comes with that vital extra layer of formalised validation from a third party. It removes doubt, and helps everyone build more confidence and more trust.

Cydea can help you become Cyber Essentials (Plus) certified or help you to run a security programme to achieve ISO 27001 certification.

Photo by Alex Shute on Unsplash.