What is a Certification Body?
A certification body (CB), also called a registrar or conformity assessment body, is an independent organization accredited to perform audits and issue certifications against management system standards such as ISO 27001. When an organization achieves ISO 27001 certification, the certificate is issued by the certification body that conducted the audit.
How certification bodies work
Certification bodies operate under a structured process:
- Application — the organization applies to the certification body, providing information about the scope of its ISMS
- Stage 1 audit — the CB reviews documentation to confirm the ISMS is designed in accordance with ISO 27001 requirements
- Stage 2 audit — the CB conducts an on-site or remote audit to verify that the ISMS is implemented and operating effectively
- Certification decision — based on audit findings, the CB decides whether to grant certification
- Certificate issuance — if successful, the CB issues a certificate valid for three years
- Surveillance audits — the CB conducts annual surveillance audits to verify continued compliance
- Recertification — at the end of the three-year cycle, a full recertification audit is performed
Accreditation of certification bodies
Certification bodies must themselves be accredited by a recognized accreditation body to ensure they operate competently and impartially. Key accreditation bodies include:
- UKAS (United Kingdom Accreditation Service)
- ANAB (ANSI National Accreditation Board) in the United States
- DAkkS (Deutsche Akkreditierungsstelle) in Germany
- JAS-ANZ (Joint Accreditation System of Australia and New Zealand)
Accreditation ensures that the certification body operates according to ISO/IEC 17021-1 (requirements for bodies providing audit and certification of management systems) and, for ISMS certification specifically, the additional requirements of ISO/IEC 27006, including the use of auditors competent in information security. A certificate issued by a non-accredited certification body is not backed by this independent oversight and is generally not recognized by customers, regulators, or partners, so its credibility is undermined.
Selecting a certification body
When choosing a certification body, consider:
- Accreditation — verify the CB is accredited by a recognized national accreditation body and that its accreditation scope explicitly covers ISO 27001; accreditation is granted per standard, so a CB accredited only for ISO 9001 or ISO 14001 cannot issue an accredited ISO 27001 certificate. Check the accreditation body's public register rather than relying on the CB's own claims
- Industry experience — some CBs specialize in certain industries (technology, healthcare, financial services) and understand sector-specific risks
- Geographic coverage — if your organization operates in multiple countries, ensure the CB can support international audits
- Auditor expertise — the quality of the audit depends heavily on the auditor assigned to your engagement
- Reputation — CBs recognized by your customers and partners carry more weight
- Cost and timeline — audit fees and scheduling availability vary between CBs
Independence requirements
Certification bodies must maintain independence from the organizations they certify. A CB cannot provide consulting services to design or implement the ISMS and then audit it. This separation ensures objectivity in the certification process.
Some organizations engage a consulting firm for ISMS implementation and a separate certification body for the audit to maintain clear boundaries.
What happens when nonconformities are found
During an audit, the certification body may identify:
- Major nonconformities — significant failures that prevent certification until resolved
- Minor nonconformities — less critical issues that must be addressed within a defined timeframe
- Opportunities for improvement — suggestions that are not required but recommended
Major nonconformities must be resolved and the corrective action verified by the CB before the certificate can be issued. Minor nonconformities typically require a corrective action plan accepted by the CB before certification, with closure verified at the next surveillance audit; an unresolved minor nonconformity that persists may be escalated to a major.
How episki helps
episki prepares your organization for certification body audits by organizing your ISMS documentation, Statement of Applicability, risk treatment plans, and evidence in a structured format that auditors can easily review. The platform tracks nonconformities and corrective actions to ensure timely resolution. Learn more on our ISO 27001 compliance page.