top of page

#FindingsFriday: ISO 27001:2013 - Annex A.15 Supplier Relationships

The Finding

It may be beneficial to encourage [the shredding company] to gain a UKAS accredited ISO 27001 certificate, to further mitigate any risk to confidentiality.

Some Context to the Finding

This finding was raised during an ISO 27001 Stage 2 assessment. The client company was using an outsourced document shredding service provider to destroy confidential waste paper.

The client company had requested copies of all relevant certifications before working with their chosen supplier. Whilst the supplier company was able to supply evidence of certification to ISO 27001, it was not from a United Kingdom Accreditation Service (UKAS) accredited Certification Body.

The supplier had instead made the mistake of using a company that claims to provide both consultancy and certification. (UKAS accredited certification bodies cannot provide consultancy). In effect, the certification had been provided by an organisation that had produced the documentation and then marked its own homework, which, for obvious reasons, does not inspire the same degree of confidence about the integrity of the certification.

The individual who had requested and uploaded the certificate into their compliance system was unaware of the importance of ensuring that they check for evidence of UKAS accredited certification.

The initial supplier evaluation was carried out before the introduction of a formal supplier assessment process.

Action taken to address the finding

  1. The senior management team and personnel involved in supplier and subcontractor management were made aware of the importance of ensuring that their suppliers hold certification from UKAS accredited Certification Bodies.

  2. In spite of the finding, the team valued the working relationship with the supplier, and decided to engage with them to explain they wanted to continue to work together, but would need them to achieve UKAS accredited certification to ISO 27001 within an agreed timeframe.

  3. Review certifications from all suppliers who had submitted information prior to the introduction of the supplier assessment process.

Lessons to take from this finding

  1. Just because a company provides a certificate, doesn't mean that it is fit for purpose.

  2. Make sure that anyone involved in evaluating suppliers and subcontractors understands exactly what certifications (and logos) they should be looking out for when reviewing certification.

  3. A supplier assessment process can make it much easier to avoid similar things happening.


Mango compliance software includes a supplier module, from where you can set up assessments, store relevant documentation and even automate reminders when certificates, insurances and other key documents are due to expire.

It's free to book a demonstration to find out more about using Mango to manage your supply chain.


bottom of page