Certification Body
An accredited third-party organization authorized to conduct audits and issue certifications confirming that an organization's management system conforms to a specific standard, such as ISO 27001. Certification bodies must be accredited by a national accreditation body to ensure their competence and impartiality.
Certification bodies (CBs), also known as registrars or conformity assessment bodies, play a critical role in the ISO certification ecosystem. They are the organizations that perform the actual certification audits — evaluating whether an organization's ISMS meets all requirements of ISO 27001 — and issue the formal certificate upon successful completion. To maintain credibility and consistency, certification bodies must themselves be accredited by a national accreditation body (such as UKAS in the UK, ANAB in the US, or DAkkS in Germany) and operate in accordance with ISO/IEC 17021, which sets requirements for bodies providing audit and certification of management systems.
The certification process managed by a CB typically follows a defined lifecycle. Initial certification involves a two-stage audit: Stage 1 assesses the organization's readiness and documentation, and Stage 2 evaluates the implementation and effectiveness of the ISMS. If successful, a certificate is issued with a three-year validity period. During this period, the CB conducts surveillance audits (typically annually) to verify ongoing compliance. At the end of the three-year cycle, a recertification audit is performed to renew the certificate. If significant nonconformities are found at any stage, the CB may withhold, suspend, or withdraw certification until the issues are resolved.
Selecting an appropriate certification body is an important decision for organizations. Key factors include the CB's accreditation status and scope, its experience in the organization's industry sector, the qualifications and availability of its auditors, its geographic coverage, pricing structure, and reputation. Organizations should verify a CB's accreditation through the International Accreditation Forum (IAF) database. A certification body must also maintain independence: it cannot provide consulting services to the organizations it certifies, as this would compromise its impartiality. While SOC 2 examinations are not technically certifications (they are attestation engagements performed by CPA firms), the role of the independent evaluator is conceptually similar.
Related terms
Corrective Action
A documented action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. Corrective actions go beyond simply fixing the immediate problem to address the underlying systemic issue.
External Audit
An independent assessment conducted by a third-party auditor or certification body to evaluate an organization's compliance with a specific standard or framework, such as ISO 27001 certification audits or SOC 2 examinations.
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.
Nonconformity
A failure to fulfill a requirement of a standard, policy, procedure, regulation, or contractual obligation. In the context of management systems like ISO 27001, nonconformities are categorized as major (systemic failure or significant gap) or minor (isolated or partial failure).
Surveillance Audit
A periodic audit conducted by a certification body between initial certification and recertification to verify that an organization continues to maintain and improve its management system in conformity with the standard. Surveillance audits typically occur annually during the three-year certification cycle.