ISO 27001 has been around for two decades. The standard is well understood. The market is mature. And yet, when a procurement team or a regulator evaluates a vendor’s certificate, a large share of what gets presented turns out to be something different from what the buyer assumed.
The gap sits in a single word: accredited. In a commodity market, that word is what separates a defensible certificate from decorative paper.
## The common belief
Most organizations assume that ISO 27001 is ISO 27001. A logo on the wall, a PDF in the vendor portal, an auditor’s signature. If a certification body issued it, it counts.
That assumption worked in the early years of the standard. It does not work now. The information security certification market has fragmented into accredited and non-accredited tiers, and the distinction has become material.
## Where the real problem lives
ISO 27001 is a public standard. Any firm with a website can set up shop as an “ISO 27001 certification provider.” Nothing stops them. What distinguishes an accredited certification body from an unaccredited one is oversight. Accredited bodies operate under ISO/IEC 17021-1, the international standard that governs how certification bodies work, and are audited periodically by national accreditation bodies such as ANAB (USA), UKAS (UK), ENAC (Spain), or DAkkS (Germany).
Unaccredited certifiers operate outside that oversight. They may follow the standard carefully, or they may not. The buyer cannot tell from the certificate itself, and that is precisely the problem.
> An unaccredited ISO 27001 certificate is a document signed by a private company. An accredited certificate is a document signed by a company whose competence is verified, every year, by a national authority.
>
## Where it matters commercially
Three concrete situations where the distinction becomes expensive:
### 1. Enterprise procurement
Modern vendor questionnaires from financial institutions, healthcare organizations, and public-sector buyers increasingly ask for accreditation evidence, not just the certificate. The question “which accreditation body issued the accreditation of your certifier?” closes or opens the deal.
### 2. Cross-border contracts
Certificates travel through accreditation body agreements. The International Accreditation Forum’s Multilateral Recognition Arrangement (IAF MLA) is the network that makes an ANAB-backed certificate recognizable in Spain, and a UKAS-backed certificate recognizable in Japan. Outside that network, certificates stop at the border.
### 3. M&A and investor due diligence
When a buy-side firm or investor runs security due diligence, the accreditation chain is documented. An unaccredited certificate creates friction precisely at the moment when the seller has the least leverage to explain.
## Reframing the question
The question to ask is not “Are we ISO 27001 certified?” The question is “Is our certificate backed by a recognized accreditation body whose mark travels where our customers, regulators, and investors are?”
For most organizations today, the honest answer to the first question is yes and the honest answer to the second is unclear. That unclarity is what makes certificates fail in commercial moments.
## The structural shift
When ISO 27001 was young, the market rewarded adoption itself. Any certificate was a signal that the organization had thought seriously about information security. Twenty years later, certification has become table stakes. The signal has moved from “did you certify?” to “how defensible is your certificate?”
That shift is why accreditation has become a differentiator. In a saturated market, the procurement, legal, and regulatory sides all compress evaluation time by looking for markers of credibility. Accreditation is the most efficient one.
## What this means for your organization
Check the accreditation, not just the certificate. Ask your current or prospective certification body for their accreditation certificate. Verify the scope on the accreditation body’s public registry (ANAB, UKAS, ENAC, DAkkS). A 27001 certificate issued by a body that is not accredited for 27001 is not accredited for 27001, regardless of brand.
Understand where your customers are. If your buyers, regulators, or investors operate in regions outside your certification body’s primary accreditation, check the IAF MLA network coverage before committing.
Treat the scheme as non-optional. ISO/IEC 17021-1 is the scheme standard. A certifier unable to describe how they operate under it is not operating under it.
> In a commodity market, accreditation is what stops the commodity from being worthless.
>
—
Ready to move from documentation to certification?
Talk to an ANAB-accredited auditor about your ISMS.
📩 [[email protected]](mailto:[email protected]) · 🌐 [zertia.ai](http://zertia.ai)
Zertia is a conformity assessment body accredited by ANAB (USA). UKAS (UK) and ENAC (EU) accreditations in process.
–
