If you've been looking at offshore accounting providers, you've probably seen "ISO 27001:2022 certified" on a few websites. It sounds impressive. But unless you've spent time in information security, it's hard to know whether it actually means something or whether it's just a certification that looks good on a webpage.
It means something. But it's worth understanding exactly what, so you can ask the right questions and know what you're actually getting.
What ISO 27001:2022 Is — In Plain English
ISO 27001:2022 is the international standard for information security management. In plain terms: it's a set of requirements that describes what a responsible organisation needs to have in place to protect the information it handles.
The 2022 version, which replaced the 2013 edition, reflects the current reality of how data gets handled: cloud systems, remote work, supply chain risk, third-party access. It also reorganised the control catalogue in Annex A. The 114 controls in 14 domains of the 2013 edition became 93 controls grouped into four themes, with new controls for areas such as cloud services, threat intelligence, and data leakage prevention. The controls are specific, documented, and audited.
Here's the critical thing: this is not a self-declaration. A company cannot simply say it meets ISO 27001 and issue itself a certificate. An independent certification body, itself accredited by a national accreditation body (UKAS in the UK or ANAB in the US, for example), has to audit the management system and the controls the organisation has declared applicable, sample evidence that those controls are operating, and formally sign off. That's the audit. That's what the certificate actually represents.
What Those 93 Controls Actually Cover
The 93 controls are grouped into four themes (37 organisational, 8 people, 14 physical, and 34 technological), and each matters for how your client data is handled.
Organisational controls cover things like information security policies, how roles and responsibilities are defined, how incidents get managed, and how supplier relationships are governed. This is the governance layer — who's responsible for what, and what happens when something goes wrong.
People controls cover employee screening, confidentiality obligations built into employment contracts, security awareness training, and what happens when someone leaves. This is where the NDA requirement and offboarding procedures live.
Physical controls address workspace security — locked areas, clean desk policies, whether equipment is secured when not in use. Relevant for an offshore environment where people are working with sensitive financial data.
Technological controls cover the systems layer: access control, multi-factor authentication, network security, data encryption, malware protection, audit logging. This is the technical infrastructure that keeps data from being accessed or moved inappropriately.
When the audit passes, it means the organisation has a functioning, verified security programme, not just a policy document. One caveat worth knowing: not every Annex A control is mandatory. The organisation decides which controls apply to its risks, records that decision in a Statement of Applicability, and must justify any control it excludes. The auditor checks those justifications, so ask to see the Statement of Applicability alongside the certificate if you want to know which controls actually apply to the work being done for you.
What the Audit Actually Involves
Getting certified takes real work, typically six to eighteen months of implementation before the initial audit. The audit itself runs in two stages: a Stage 1 documentation review (are the policies, procedures, risk assessment and Statement of Applicability in place and written correctly?), followed by a Stage 2 implementation audit (are those policies actually being followed in practice, with evidence to show for it?).
Passing both stages earns a certificate valid for three years. Surveillance audits in years one and two check that nothing has slipped, and a full recertification audit is required before the three years end. Nonconformities found at any audit must be corrected within a set time; if they are not, the certification body can suspend and ultimately withdraw the certificate. It's not a one-time checkbox. It's an ongoing commitment.
What It Means When You're Choosing a Provider
For you as a firm owner, working with an ISO 27001:2022 certified offshore provider is a meaningful baseline. It means someone independent has verified that the organisation has the policies, the technical controls, the people practices, and the incident response procedures to handle sensitive data responsibly.
It's not a guarantee that nothing will ever go wrong. Nothing is. But it's independently verified evidence that the provider is running a serious security operation — not just claiming to be. There's a real difference between a provider that says "we take security seriously" and one that can hand you a certificate number you can verify yourself.
How to Actually Verify a Certification Claim
Don't just take the certificate on the website at face value. Here's what to actually check.
Ask for the certificate directly. A real ISO 27001 certificate shows the certifying body's name and the mark of the accreditation body that oversees it, the certificate number, the standard and edition (look for 27001:2022; certificates issued against the 2013 edition ceased to be valid after 31 October 2025), the scope (what specific activities and locations are covered), and the issue and expiry dates.
Verify the certificate number with the certifying body. Major certification bodies, such as BSI, DNV and Bureau Veritas, maintain public registers where you can look up the certificate number and confirm it's current and not suspended or withdrawn. IAF CertSearch (iafcertsearch.org) is a cross-body directory run by the International Accreditation Forum that covers certificates from many accredited bodies. If the certifying body has no public register and is not listed with any accreditation body, treat the certificate with suspicion.
Check the scope statement. ISO certificates have a defined scope. Make sure the certification covers the specific services and the specific delivery location being used for your firm, not just a different division, office or product line of the same company. A certificate for a head office does not cover an offshore delivery centre unless that centre is named in the scope.
Ask when the last surveillance audit was. If they can't answer this quickly, it's a yellow flag. Annual audits are required; a currently certified provider should know the answer immediately, and should be able to show the audit report or at least its findings summary.
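The checks above can be written down as a small script that takes the details from a certificate and tells you which ones fail. The example below is added here and is not code from the original page or from any certification body; the certificate record it checks is a constructed sample with a hypothetical body name, number, scope and dates, and the 90-day grace window for an overdue surveillance audit is an assumption for the example, not a rule of the standard.

```python
from datetime import date, timedelta

# Constructed sample certificate record. The body, number, scope and dates are
# hypothetical placeholders; the fields mirror what a real certificate shows.
SAMPLE_CERT = {
    "certifying_body": "Example Certification Ltd",   # hypothetical
    "certificate_number": "EXAMPLE-0000",             # hypothetical
    "standard": "ISO/IEC 27001:2022",
    "scope": ("Provision of outsourced bookkeeping, payroll and accounts "
              "preparation services from the Manila delivery centre"),
    "locations": ["Manila"],
    "issued": date(2024, 3, 1),
    "expires": date(2027, 2, 28),
    "last_surveillance_audit": date(2025, 2, 20),
    "register_status": "active",   # what the certifying body's register reports
}

# Surveillance audits are annual. The extra 90 days is an assumed tolerance for
# scheduling slippage, not something the standard specifies.
SURVEILLANCE_WINDOW = timedelta(days=365 + 90)
# Certificates are issued for a three-year cycle.
CERT_CYCLE = timedelta(days=3 * 365 + 1)


def check_certificate(cert, service_keywords, location, today=None):
    """Run the due-diligence checks and return a list of findings.

    An empty list means every check passed. service_keywords are the services
    you are buying; location is the delivery site that must be in scope.
    """
    today = today or date.today()
    findings = []

    # Edition: the 2013 edition is no longer valid for new or renewed certificates.
    if not cert["standard"].endswith("27001:2022"):
        findings.append(f"standard is {cert['standard']}, not the 2022 edition")

    # Register status as reported by the certifying body's public register.
    if cert["register_status"].lower() != "active":
        findings.append(f"register status is '{cert['register_status']}'")

    # Expiry and a sanity check on the validity period.
    if cert["expires"] < today:
        findings.append(f"certificate expired on {cert['expires']}")
    if cert["expires"] - cert["issued"] > CERT_CYCLE:
        findings.append("validity period exceeds the three-year cycle; check the dates")

    # Surveillance: a certificate is only overdue once it is old enough to need
    # an audit, so fall back to the issue date when no surveillance has happened.
    last_audit = cert.get("last_surveillance_audit") or cert["issued"]
    if today - last_audit > SURVEILLANCE_WINDOW:
        findings.append(f"last audit activity was {last_audit}; surveillance looks overdue")

    # Scope: every service you rely on must be named in the scope statement.
    scope = cert["scope"].lower()
    for keyword in service_keywords:
        if keyword.lower() not in scope:
            findings.append(f"scope does not mention '{keyword}'")

    # Location: the delivery site must be one the certificate covers.
    if location.lower() not in (loc.lower() for loc in cert["locations"]):
        findings.append(f"location '{location}' is not covered by the certificate")

    return findings


if __name__ == "__main__":
    result = check_certificate(SAMPLE_CERT, ["bookkeeping", "payroll"], "Manila",
                               today=date(2025, 6, 1))
    for line in result or ["no issues found"]:
        print(line)
```

The script does not replace looking the number up in the register; it organises what you learned from the certificate and the register into a repeatable checklist, and it makes the two most commonly missed checks (scope wording and delivery location) explicit rather than something you eyeball.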
Common Questions
Is ISO 27001 certification legally required for an offshore accounting provider?
Not legally required in most jurisdictions. But for any provider handling client financial data, it's the baseline professional standard, and increasingly something professional liability insurers ask about. Working with a certified provider is the difference between a vendor that claims to be secure and one that has had that claim independently verified.
Can we verify your own certification?
Yes. We'll provide the certificate number, certifying body name, and scope documentation on request. You can verify the certificate in the certifying body's public register. We encourage you to do this; it's exactly the kind of due diligence you should be doing with any offshore provider you're trusting with client financial data.