Sunday, July 1, 2007

The Official ISO27001 Certification Register

We frequently see questions asked regarding this issue, largely as people search for data regarding existing certifications, or perhaps to get an idea of the total number of certificates issued.

There simply is no official worldwide register.

Searching the internet reveals a couple of efforts to build credible registers, but in truth these are sourced by a very tiny minority of certification bodies. They are thus not even remotely complete.

The most interesting approach is the one adopted by the ISO17799/27001 Guide, which is a dedicated Wiki. This operates a voluntary register, which enables certified organizations to enter their own details. This is surely the most valid approach.

Voluntary v Involuntary
Not every certified organization wants its details paraded on the internet. There may be a variety of reasons for this.

For example, there is a school of thought which holds that publicly specifying which security framework has been followed is in itself something of a security risk: if something is missing from that framework, it is quite possible that it is missing from the security implementation too, and announcing this in public is not sensible. Another example is the loss of competitive advantage when the certification of one part of an organization is made public while other parts are due to be certified shortly.

Whatever the reason, however, surely the certified organization should be the party to determine when, where and whether this is made public. A voluntary arrangement supports this proposition.

It has to be accepted that this approach will never create a complete register, but at least the playing field will be level and equal, and not driven by selected certification bodies.

The voluntary register is a worthy initiative.
