What matters in ISO 27001 verification
- Certified entity name and applicable locations.
- Scope of the information security management system.
- Certificate number, issue date, and expiry date.
- Certification body and accreditation details.
- Whether the scope covers the platform, service, or business unit being reviewed.
Use in security questionnaires
Many security questionnaires ask for ISO 27001 evidence. Verification should record the certificate details, review date, scope notes, and any unresolved mismatches for the risk register.
When ISO 27001 evidence is not enough
A valid certificate does not automatically prove every system, location, or service is covered. Always compare the certification scope with the actual service being purchased.