The certification body selection decision is consequential in ways that many organizations underestimate when they begin their ISO 27001 journey. The CB is not simply a vendor providing an audit service — it is the organization that will produce the independent verification of your ISMS that clients, regulators, and procurement bodies will rely on. A certificate from an accredited, internationally recognized CB opens doors. A certificate from an obscure or poorly accredited body may not.
The selection also shapes the audit experience itself. A CB with experienced auditors who understand Indonesian regulatory frameworks will provide findings that are specific, actionable, and grounded in the compliance reality your organization operates in. A CB with generic auditors who have never worked in Indonesian financial services will produce findings that are technically correct but miss the regulatory nuances that matter most to your regulators and clients.
This article covers everything you need to know to make a well-informed CB selection: the accreditation hierarchy that determines certificate legitimacy, the criteria that matter most for Indonesian organizations, the CB landscape in Indonesia, the full cost structure of a three-year certification cycle, the questions to ask before signing, and the scorecard for comparing options.
The Accreditation Hierarchy: Why It Matters
Not all ISO 27001 certificates are equal. The legitimacy and international recognition of a certificate depend on the accreditation chain that sits behind the certification body. Understanding this hierarchy prevents the costly mistake of engaging a non-accredited CB and discovering only after certification that the certificate is not recognized by your target clients or regulators.
| Level | Role in the certification ecosystem |
| --- | --- |
| IAF (International Accreditation Forum) | The apex body that coordinates mutual recognition agreements between national accreditation bodies worldwide. IAF member agreements mean that a certificate issued by a KAN-accredited body is recognized in Singapore, Europe, the US, and vice versa. |
| National Accreditation Body (KAN, UKAS, DAkkS, etc.) | Government-recognized body that accredits certification bodies in its jurisdiction. In Indonesia: KAN (Komite Akreditasi Nasional). In UK: UKAS. In Germany: DAkkS. In Singapore: SAC. These bodies audit certification bodies to verify their competence and impartiality. |
| Certification Body (BSI, SGS, TÜV, LRQA, Bureau Veritas, etc.) | The organization that conducts Stage 1 and Stage 2 audits and issues ISO 27001 certificates. Must be accredited by a KAN/IAF-member national accreditation body to issue certificates that are internationally recognized. There are hundreds worldwide. |
| Your Organization | Applies for certification to the certification body. Undergoes Stage 1 (documentation review) and Stage 2 (on-site assessment) audits. If conformant, receives a certificate valid for 3 years subject to annual surveillance audits. |
The practical implication: before engaging any certification body, verify their accreditation independently. In Indonesia, the definitive source is the KAN (Komite Akreditasi Nasional) accredited bodies register at kan.or.id. Internationally, the IAF CertSearch database at iafcertsearch.org allows you to verify any certificate issued by a CB accredited through an IAF member body. A certificate that does not appear in IAF CertSearch should be treated with caution.
The accreditation verification test. Before finalizing any CB engagement:
- Ask for their accreditation certificate number.
- Look them up on kan.or.id or the relevant national accreditation body's public registry.
- Verify that the scope of accreditation explicitly includes 'ISO/IEC 27001 information security management systems'.
- Check that the accreditation is current and free of limitations or suspensions.
This five-minute verification has saved organizations from engaging CBs whose certificates would not be accepted by their target clients.
Selection Criteria: What to Evaluate
Selecting a certification body requires evaluating eight criteria — each weighted by its importance for Indonesian regulated organizations. The table below maps each criterion to how it should be evaluated and the red flag signals that indicate a CB may not be suitable:
| Selection criterion | Weight | How to evaluate | Red flag signals |
| --- | --- | --- | --- |
| Accreditation status | Critical | Verify on KAN website (kan.or.id) or national accreditation body website. Look for scope that explicitly covers ISO/IEC 27001 information security management systems. An accreditation for ISO 9001 does not automatically cover ISO 27001. | CB cannot provide accreditation certificate number. Certificate is not listed on KAN/IAF-member body public registry. Scope does not mention information security. |
| Indonesian regulatory recognition | High | For financial services organizations: verify the CB is accepted by OJK and BI for vendor security certification. Some Indonesian regulated sector RFPs name specific accepted CBs. Check procurement requirements before selecting. | CB has no Indonesian track record or local presence. Cannot provide references from Indonesian regulated industry clients. Not recognized in OJK or BI supplier guidance. |
| Industry sector experience | High | Ask for references from organizations in your sector — fintech, financial services, healthcare, or technology as relevant. Sector-experienced auditors understand the regulatory context (UU PDP, POJK, PBI) and produce more nuanced findings than generic auditors. | CB cannot provide references from your sector. Auditor assigned has no listed experience in Indonesian regulatory frameworks. Audit team is generic IT auditors rather than information security specialists. |
| Auditor competence and language | High | Request information on the lead auditor assigned. Verify ISO 27001 lead auditor qualification (IRCA or equivalent). For Indonesian organizations with Indonesian-language documentation or operations, confirm auditor capability. | CB cannot confirm auditor qualifications. Auditor has no ISO 27001 lead auditor certification. Language mismatch creates barriers to effective evidence collection. |
| Audit scope and process | Medium-High | Understand how the CB conducts Stage 1 and Stage 2. Stage 1 is typically a documentation review (remote or on-site). Stage 2 is the on-site (or remote for small scopes) assessment. Understand the nonconformity response process. | CB Stage 1 is entirely superficial (e.g. 30-minute call). Stage 2 timeline is unrealistically short for the scope size. No clear process for addressing nonconformities found during Stage 2. |
| Certificate recognition and validity | High | Verify certificates appear in public registries (CB's own registry + IAF CertSearch). Understand how the certificate will look — does it name the specific scope clearly? Will it be recognized by your target clients and regulators? | CB cannot confirm certificate will appear in public registry. Certificate format is non-standard. CB has previously had its accreditation suspended or withdrawn. |
| Cost structure | Medium | Obtain a full cost breakdown: Stage 1 fee, Stage 2 fee, annual surveillance fee, recertification fee. Understand what travel costs are included or excluded. Compare at least 3 CBs. | Quote significantly lower than market rate (may indicate non-accredited or under-resourced CB). Quote does not include surveillance fees. No transparency on what drives cost variability. |
| Timeline and availability | Medium | Certification bodies often have 8–12 week lead times for Stage 2 scheduling. Confirm Stage 2 slot availability before committing to a Stage 1 date. Ensure the Stage 2 schedule fits your certification deadline. | CB cannot confirm Stage 2 date within your target window. High staff turnover means auditor assigned at Stage 1 may not be the Stage 2 auditor. |
Accreditation is binary — either they have it or they do not. All other criteria involve judgment and tradeoffs. An organization that scores well on accreditation (critical) and Indonesian regulatory recognition (high), even if it costs slightly more than alternatives, is a better choice than a lower-cost CB that fails on either of the critical criteria. Do not let cost considerations override accreditation status or Indonesian market fit.
The CB Landscape for Indonesian Organizations
The following overview maps the main certification bodies available to Indonesian organizations, their accreditation basis, Indonesian market presence, and sector strengths. This is a reference guide, not a recommendation — the right CB for your organization depends on your specific sector, client profile, and regulatory requirements:
| Certification body | Origin | Accreditation | Indonesia presence | Sector strength | Cost tier | Key consideration |
| --- | --- | --- | --- | --- | --- | --- |
| BSI Group | UK | UKAS (IAF member) | Regional office — Singapore/Jakarta | Strong in financial services and technology. Recognized by Indonesian government procurement and OJK processes. Widely accepted by multinational clients. | Premium — typically highest in-market | Most internationally recognized brand. Common choice for organizations targeting multinational enterprise clients or international expansion. |
| SGS | Switzerland | Multiple (UKAS, DAkkS, IAF members) | Local Indonesian presence | Broad sector coverage. Established Indonesian market presence. Recognized across government and private sector. | Mid-to-premium range | Strong local market knowledge. Good for organizations requiring Indonesian-language audit capability and local regulatory familiarity. |
| TÜV SÜD / TÜV Rheinland | Germany | DAkkS (IAF member) | Regional presence — Singapore hub with Indonesian client coverage | Strong in manufacturing, technology, and automotive. Growing financial services practice in Southeast Asia. | Mid-range | Well recognized in German-linked supply chains. Good technical auditor depth for complex technical scopes. |
| Bureau Veritas | France | Multiple (COFRAC, UKAS, IAF members) | Local Indonesian office | Broad coverage. Active in Indonesian mining, maritime, and government sectors. Growing ISMS practice. | Mid-range | Strong Indonesian track record for regulatory compliance. Good choice for organizations in natural resources or government-adjacent sectors. |
| LRQA (formerly Lloyd's Register) | UK | UKAS (IAF member) | Regional — Singapore/Jakarta coverage | Strong in maritime, energy, and financial services. Growing Southeast Asian ISMS certification practice. | Mid-range | Specialized sector depth in maritime and financial services. Good for regulated financial institutions. |
| KAN-accredited Indonesian CBs | Indonesia | KAN (IAF member) | Domestic | Coverage varies by CB. Strong for organizations primarily serving domestic Indonesian market and government procurement. | Typically lower cost | Certificate carries IAF mutual recognition. Good for organizations without international client requirements. Verify specific CB accreditation scope on KAN registry before engaging. |
Important caveat: The CB landscape evolves — CBs enter and exit markets, accreditation scopes change, and Indonesian market recognition status is updated by regulators. This overview reflects the market as of early 2026. Always verify current accreditation status and Indonesian regulatory acceptance directly before engaging any CB.
For organizations with both domestic Indonesian clients and international ambitions, the decision often comes down to two factors: whether the CB's certificate is accepted by Indonesian government procurement bodies and OJK-regulated clients on the domestic side, and whether it is recognized by enterprise clients in Singapore, Australia, or Europe on the international side. BSI, SGS, and TÜV-group CBs consistently satisfy both criteria. Indonesian domestic CBs may satisfy the domestic side but require more explanation to international clients.
The Full 3-Year Cost of Certification
Many organizations budget only for the Stage 2 audit cost when planning for ISO 27001 certification. The full cost of a three-year certification cycle — which includes Stage 1, Stage 2, two annual surveillance audits, and a recertification audit — is typically 3–5x the Stage 2 cost alone. Understanding the complete cost picture is essential for budget planning and for avoiding surprises that threaten the continuity of certification.
| Cost item | Timing | SME (<100 staff) | Mid-market (100–500) | Notes |
| --- | --- | --- | --- | --- |
| Stage 1 audit (documentation review) | Typically 4–8 weeks before Stage 2 | IDR 15–40M | IDR 35–80M | Usually conducted remotely. 1–2 auditor days. Reviews ISMS documentation package against ISO 27001 requirements. |
| Stage 2 audit (on-site/remote assessment) | Typically 8–16 weeks after engagement | IDR 50–150M | IDR 100–350M | Largest single cost. Duration scales with scope complexity and staff count. 2–5 auditor days typical. Travel costs may be separate. |
| Annual surveillance audit — Year 1 | 12 months after certification | IDR 20–60M | IDR 50–130M | Typically 30–40% of Stage 2 cost. Covers a sample of the ISMS scope — not a full re-audit. Remote option often available. |
| Annual surveillance audit — Year 2 | 24 months after certification | IDR 20–60M | IDR 50–130M | Similar to Year 1 surveillance. Different sample areas typically audited in Year 2 vs Year 1. |
| Recertification audit (Year 3) | 36 months after initial certification | IDR 40–120M | IDR 80–280M | Full re-audit at recertification. Typically 60–80% of Stage 2 cost. Resets the 3-year certificate cycle. |
| Additional travel costs (if applicable) | Per audit event | IDR 5–20M | IDR 10–50M+ | Varies significantly based on auditor location, scope location, and whether remote audit is agreed. Jakarta-based CBs reduce travel for Jakarta-headquartered organizations. |
Total three-year certification cost benchmarks for Indonesian organizations in 2026: SME organizations (under 100 staff, focused scope) should budget IDR 120–350M for the full 3-year cycle. Mid-market organizations (100–500 staff, broader scope) should budget IDR 300–900M. These ranges assume a mid-tier internationally accredited CB; premium CBs (BSI, SGS) sit at the high end, and competent smaller CBs and Indonesian domestic CBs at the lower end.
Budget planning insight: The surveillance audit fees in Years 1 and 2 are non-optional — they are contractually committed at the time of certification and required to maintain the certificate. Some organizations negotiate multi-year deals at the time of initial engagement that lock in surveillance rates. This can provide cost certainty over the three-year cycle. Ask about multi-year pricing packages when negotiating the initial engagement.
Questions to Ask Certification Bodies
The evaluation process for a certification body should include a structured conversation with each CB under consideration. The questions below — organized by category — are designed to reveal the information that matters most for making a well-informed selection decision. Ask all CBs the same questions and compare responses:
Accreditation and Legitimacy
| Question | Why it matters |
| --- | --- |
| What is your accreditation body and certificate number for ISO 27001 certification scope? | Allows you to verify independently on the KAN or IAF member body public registry. Non-accredited CBs cannot provide a verifiable certificate number. |
| Is your ISO 27001 accreditation current and free of any suspensions or limitations? | Accreditation can be suspended or have scope limitations. A CB under accreditation review poses certification risk. |
| Will our certificate appear in the public IAF CertSearch registry? | Certificates in IAF CertSearch are globally verifiable by clients and regulators. Certificates that do not appear there have limited external credibility. |
Indonesian Market and Regulatory Fit
| Question | Why it matters |
| --- | --- |
| How many ISO 27001 certificates have you issued to Indonesian organizations in the last 3 years, and can you provide three references? | Indonesian market experience matters. References allow you to verify CB quality from peer organizations rather than relying on the CB's self-description. |
| Are your certificates accepted by OJK for vendor security qualification and by government procurement bodies (LKPP)? | For regulated financial services and government procurement clients, the certificate must be recognized by relevant gatekeepers. Not all CBs have this recognition. |
| Do you have auditors with working knowledge of UU PDP, POJK IT governance requirements, and Bank Indonesia payment system regulations? | An auditor who does not understand the Indonesian regulatory context cannot provide useful findings on regulatory alignment gaps. |
Audit Process and Quality
| Question | Why it matters |
| --- | --- |
| Who will be our lead auditor for Stage 1 and Stage 2? What is their ISO 27001 lead auditor qualification and relevant industry experience? | The quality of the audit depends almost entirely on the auditor assigned. You have the right to know their qualifications and request a change if they are not suitable. |
| How many days do you allocate for Stage 2 for an organization of our size and scope? What is the basis for this calculation? | Under-resourced audits miss important areas. IAF guidance provides minimum audit duration recommendations based on organization size — a CB that proposes significantly fewer days is cutting corners. |
| If nonconformities are found during Stage 2, what is your process for resolution before a certification decision? | Understanding the NC resolution process prevents surprises. Some CBs allow evidence submission within a defined period post-audit; others require a follow-up visit for major NCs. |
Commercial Terms
| Question | Why it matters |
| --- | --- |
| Please provide a full 3-year cost breakdown including Stage 1, Stage 2, both surveillance audits, and recertification, plus any travel or additional charges. | Many CBs quote Stage 2 only. The total 3-year cost including surveillance and recertification is what matters for budget planning. |
| What are your cancellation and rescheduling terms? | Implementation timelines shift. Understanding cancellation terms protects you if you need to reschedule Stage 2 due to implementation delays. |
| When is the earliest Stage 2 date available within our target certification window? | CB lead times of 8–12 weeks are common. Confirming slot availability before signing prevents missing your target certification date. |
The quality of a CB's responses to these questions is itself an indicator of their seriousness. A CB that cannot readily answer questions about their auditor's qualifications, their process for handling nonconformities, or their Indonesian regulatory recognition is either poorly organized or not genuinely equipped for the Indonesian market. Take note of how quickly and specifically they respond — this reflects how they will perform as your audit partner over a three-year cycle.
The CB Selection Scorecard
The scorecard below provides a structured comparison framework for evaluating three certification bodies simultaneously. The weights reflect the relative importance of each criterion for Indonesian regulated organizations. Complete one column per CB after the evaluation conversations and reference verification:
| Selection criterion | Weight | CB Option A | CB Option B | CB Option C |
| --- | --- | --- | --- | --- |
| Accredited by KAN or IAF-member body for ISO 27001 scope | / 25 | ___ | ___ | ___ |
| Indonesian regulatory recognition (OJK, BI, government procurement acceptance) | / 20 | ___ | ___ | ___ |
| Relevant sector experience in your industry | / 15 | ___ | ___ | ___ |
| Lead auditor competence (ISO 27001 LA qualification + sector knowledge) | / 15 | ___ | ___ | ___ |
| Audit process quality (Stage 1/2 rigor, nonconformity process, timeline) | / 10 | ___ | ___ | ___ |
| Cost within budget with full 3-year lifecycle transparency | / 8 | ___ | ___ | ___ |
| Stage 2 availability within target certification window | / 7 | ___ | ___ | ___ |
| TOTAL WEIGHTED SCORE (maximum 100) | 100 | ___ | ___ | ___ |
A CB that scores below 70 out of 100 on this framework should be approached with caution — even if their headline price is attractive. A CB that scores zero on accreditation status is disqualified regardless of their score on other criteria. The minimum acceptable scores for Indonesian regulated organizations are: Accreditation: 20/25 or higher; Indonesian regulatory recognition: 15/20 or higher. Below these thresholds, the certificate risk is too high regardless of other factors.
Timing: When to Engage the Certification Body
The timing of CB engagement is an underestimated element of the certification planning process. Many organizations wait until Phase 4 of the implementation (control deployment) before selecting a CB — and then discover that the CB's earliest available Stage 2 slot is 12–16 weeks away, adding several months to the certification timeline.
The recommended engagement timing is:
- Initial conversations with candidate CBs: Phase 1 — Initiate (alongside project launch). Understand their process, get ballpark cost quotes, assess fit.
- Formal evaluation and CB selection decision: Phase 2 — Assess (after gap assessment is complete and scope is confirmed). You now know what you need to certify.
- Formal engagement and Stage 1 scheduling: Phase 3 — Build (approximately 6 months before target certification date). Lock in the slot.
- Stage 1 documentation package submission: Phase 4 — Implement (2–4 weeks before Stage 1 date).
- Stage 2 audit: Phase 5 — Certify (per agreed schedule).
Engaging the CB at Phase 1 for initial conversations — even before the formal selection decision — establishes the relationship, allows you to refine your Stage 2 date target based on actual CB availability, and prevents the timeline compression that comes from discovering CB lead times only when you are ready to proceed.
Bitlion implementation note: Bitlion's implementation team assists clients with CB selection as part of the implementation engagement — including introductions to CBs with strong Indonesian regulated sector track records and support in preparing the Stage 1 documentation package. CB selection guidance is included in the implementation support offering at no additional cost.
After Selection: Maintaining the CB Relationship
The relationship with the certification body does not end when the certificate is issued. It is a three-year partnership characterized by annual surveillance audits, ongoing communication about ISMS changes, and ultimately a recertification audit. Organizations that maintain a professional, transparent relationship with their CB throughout the certification cycle have consistently better experiences than those that treat the relationship as transactional.
Two specific behaviors matter most. First, notify the CB proactively of significant ISMS changes — scope expansions, major security incidents, significant organizational changes. These notifications are typically contractually required, and proactive communication demonstrates an organization that takes its ISMS obligations seriously. Second, prepare for the surveillance audits with the same rigor as for the initial certification. The most common mistake after certification is treating surveillance audits as lower-stakes check-ins — they are not. A significant finding at a surveillance audit can result in certificate suspension.
The CB relationship is ultimately about trust. An auditor who trusts that your organization has a genuine, operational ISMS will engage with you as a partner in verification. An auditor who suspects that your ISMS is primarily a documentation exercise will probe more aggressively and find more. How your organization behaves — in preparation, in transparency, and in how it responds to findings — determines which kind of relationship you have.