4 Easy Steps to Switch Your Certification Body

June 18, 2024 | ISO 27001

Widely considered the gold standard in information security, ISO/IEC 27001 is a globally recognized compliance framework designed to help organizations prove their adherence to industry-accepted standards for designing, maintaining, and continuously improving their security postures.

Certifications for ISO 27001 and similar frameworks like ISO 27701 and ISO 27017 typically remain valid for three years following the issuance date. During that time, you’ll work with your auditor to complete regular surveillance audits in order to maintain your certification. But what happens if you want to switch auditors while still in the throes of a three-year cycle?

Businesses may choose to swap certification bodies for a variety of reasons, including being dissatisfied with the auditor’s performance or pricing. Even if your team enjoys working with your current certification body, it might be a smart business decision to change auditors during an active certification cycle. For example, you might choose to switch certification bodies because:

  • You’re not gaining value from your audits. For organizations that prioritize data security, the end goal of an ISO 27001 audit or similar assessment isn’t just to achieve certification—it’s also to receive expert recommendations on ways to improve your overall security posture. If you’re not gleaning new insights from your annual audits, it might be time to make a change.
  • You’ve worked with the same auditing team for many years in a row. For many organizations, it’s common practice—or even formal policy—to switch certification bodies every five or ten years. A new auditor can offer a fresh perspective and help you identify areas for improvement that may have been overlooked in past audits.
  • You’ve outgrown your current certification body. As your organization and its cybersecurity program grow and mature, you may want to pursue compliance against additional security frameworks, such as HITRUST or CSA STAR. Because BARR is accredited to perform audits against all of these standards and more, our team can leverage resources across multiple engagements simultaneously to save you time and streamline your path to compliance.

Whatever the reason, once you’ve decided to make the switch, here are four steps to follow for a seamless transition:

1. Research and select a new certification body.

There are dozens of certification bodies in the U.S. and internationally that can issue ISO 27001 certifications. When researching potential options, look for auditing firms with specific expertise working with cloud service organizations in your industry. You should also consider factors like firm size, reputation, customer service, and cost.

Before making a final decision, it’s also important to confirm the firm’s accreditation. To achieve and maintain accreditation with a formal accreditation body like the ANSI National Accreditation Board (ANAB)—which accredits BARR Certifications to perform ISO audits—firms must undergo a rigorous process that includes being audited themselves. 

While organizations can work with non-accredited auditors to comply with standards like ISO 27001, the absence of accreditation often also means a lack of credibility. With no external body ensuring the auditor is performing up to the established standards, the certification will likely hold less weight in the eyes of potential customers and stakeholders.

To ensure a smooth and successful transition, your new certification body must be accredited to perform audits against the framework for which the original certificate was issued.

2. Notify your current certification body of the impending change.

Once you’ve decided who to work with, your team should reach out to the outgoing audit firm to inform them that your organization will be switching certification bodies. Before doing so, review the contract you signed with the auditor to ensure you are aware of any stipulations about a required notice period or early cancellation fee. 

After you’ve notified the outgoing certification body of your intent to switch firms, your new auditor will walk your team through the remaining steps to transfer your certificate and answer any questions you may have along the way.

3. Work with your new auditor to complete a pre-transfer assessment.

At this stage, the ball is in your certification body’s court. During their pre-transfer review, your new auditor will request your current ISO certificate and recent audit reports. If those reports revealed any nonconformities, the auditor will need evidence that you’ve taken action to close those gaps. Your auditor will also reach out to your previous certification body to verify that your current certificate is valid and that it came from an accredited auditing firm.

In general, transferring certification bodies is a simple and painless process. However, there are some situations in which organizations are not able to transfer their current certificate. This includes cases when:

  • Your new auditor discovers during the pre-transfer assessment that your prior certification body's audits were not performed in accordance with current standards.
  • You want to change the scope of the audit.
  • Your current certification has expired or will expire soon.

In these cases, your organization can still choose to move to a new auditing firm, but you will need to restart the initial ISO certification process, including completing the Stage 1 and Stage 2 audits. In some cases, this may result in there being a small period of time during which your organization’s certificate is not active.

4. Communicate the change with customers and stakeholders.

After the transfer assessment is complete, you’re ready to spread the news far and wide. Announce your latest compliance achievement to customers and stakeholders via social media and direct channels, such as email.

If your organization experienced a lapse in its ISO certification, be transparent about your circumstances. Explain that while there was or will be a short gap during which your organization is not formally certified, you have already lined up an accredited auditor to get you back on track. 

Keeping lines of communication open will help you maintain trust with customers and instill confidence in stakeholders that data security and privacy remain among your organization’s top priorities.

Has your organization outgrown its current certification body? Contact our team today to find out how our accessible, straightforward approach to compliance makes transferring your ISO certificate simple and seamless.