In recent months, there’s been a surge in companies promoting bundled “compliance + certification” packages promising ISO 27001 or SOC 2 certification and the software to get you there… all at an unbeatable price.
If you’re a business leader considering one of these offers, pause before signing. Here’s what you need to know.
Conflict of Interest: The Auditor Shouldn’t Be the Seller
In any credible certification process, independence is non-negotiable.
The same organisation shouldn’t both prepare you for the audit and issue your certificate.
Why? Because certification must be an independent validation of your security posture — not a rubber stamp from the same team that built your compliance platform. Without independence, the value of that certificate (and your clients’ trust) is compromised.
Not All “ISO 27001 Certificates” Are Equal
Let’s take ISO 27001 as an example.
In Australia, genuine ISO 27001 certificates are issued by Certification Bodies accredited by JAS-ANZ, our local accreditation authority.
JAS-ANZ, in turn, is recognised under the International Accreditation Forum (IAF) — a global association of accreditation bodies working to reduce trade barriers and ensure mutual recognition of certificates worldwide.
But here’s the catch:
- Some overseas accreditation bodies are not IAF MLA Signatories.
- Others aren’t even part of the IAF system.
So yes — anyone can issue a certificate, but not all certificates carry the same weight or recognition.
Local Accreditation Matters (Especially in Australia)
If your business is Australian, always check:
- Is the certification body accredited by JAS-ANZ (or another IAF MLA Signatory)?
- Can your certificate be verified on the JAS-ANZ register?
- Will your clients, regulators, or government tenders accept it?
A non-JAS-ANZ accredited certificate might look impressive and cost-effective, but if procurement teams can’t validate it on official portals, you risk rejection, lost bids, and reputational damage.
The Hidden Risks Behind Cheap, Quick Deals
Here’s what we’re seeing across the market:
Auditor Competency – Auditors accredited by a body that is not an IAF MLA Signatory may lack the competency to audit an Australian operation, particularly regarding Australian legal and other local requirements.
Government Rejection – Many agencies explicitly require JAS-ANZ-accredited certification.
Legal Non-Compliance – Some frameworks cite JAS-ANZ accreditation as mandatory.
Market Barriers – International certificates often fail local verification checks.
Reputation Damage – Stakeholders question credibility when certificates aren’t traceable.
“Paper Mill” Certificates – Some operators skip real audits entirely.
Double Costs – You might pay again later for recognised certification.
If it sounds too fast or too cheap, it probably is.
Understanding the IAF Recognition Hierarchy
| Status | International Recognition | Certificate Weight | Mutual Recognition |
|---|---|---|---|
| IAF MLA Signatory | Full worldwide | Highest | Yes |
| IAF Member (non-MLA) | Limited | Reduced | No |
| Non-IAF Body | Minimal | Lowest | No |
Only IAF MLA Signatories (like JAS-ANZ, ANAB, UKAS) offer globally recognised and mutually accepted certifications.
The Bottom Line
Cheaper, bundled “compliance + certification” deals may look attractive, but they can leave your business:
- Non-compliant with local regulations
- Rejected by clients and tenders
- Paying twice for recognition you thought you already had
When it comes to information security certification, independence and accreditation matter more than price or speed.
Tip: Before you commit, ask your provider to share their IAF MLA Signatory status and confirm whether your certificate will be listed on the JAS-ANZ register or on the register of another IAF MLA Signatory accreditation body.