In This Guide
- ISO 27001 certification involves a two-stage audit: Stage 1 (readiness review) and Stage 2 (implementation verification).
- The full certification process typically takes 3-6 months from audit readiness to certificate issuance.
- Choosing an accredited certification body (check IAF MLA and national accreditation) is essential for recognized certification.
- Surveillance audits occur annually; recertification every 3 years.
- Major nonconformities must be resolved before certification can be granted.
ISO 27001 Certification Overview
ISO 27001 certification demonstrates that your organization has implemented an Information Security Management System (ISMS) that meets international standards. The certification process follows a structured two-stage audit approach, followed by ongoing surveillance to maintain certification.
The certification cycle spans three years:
- Year 1: Initial certification (Stage 1 + Stage 2 audits)
- Year 2: Surveillance Audit 1
- Year 3: Surveillance Audit 2
- Year 4: Recertification audit (new cycle begins)
Organizations seeking new certification should certify directly against ISO 27001:2022. Existing certifications to ISO 27001:2013 must transition by October 31, 2025. See our transition guide for details.
Selecting a Certification Body
Your choice of certification body (CB) significantly impacts your audit experience and the credibility of your certificate.
Accreditation Requirements
Always verify the CB holds accreditation from a recognized national accreditation body:
- IAS (United States of America)
- ANAB (United States of America)
- UKAS (United Kingdom)
- DAkkS (Germany)
- JAS-ANZ (Australia/New Zealand)
Accreditation ensures auditor competence, process consistency, and international recognition of your certificate through the IAF MLA (Multilateral Recognition Arrangement).
Selection Criteria
- Industry Experience: Has the CB audited organizations in your sector?
- Auditor Expertise: Do auditors understand your technology stack and business model?
- Geographic Coverage: Can they audit all locations in your scope?
- Timeline Flexibility: Can they accommodate your certification timeline?
- Pricing Transparency: Are audit day rates, travel costs, and certificate fees clear?
- Client References: Can they provide references from similar organizations?
Request proposals from at least three certification bodies. The cheapest option is rarely the best—consider auditor quality, sector expertise, and long-term partnership value.
Stage 1 Audit: Documentation Review
The Stage 1 audit assesses whether your organization is ready for the full certification audit. It focuses on documentation completeness and preliminary ISMS implementation.
Stage 1 Objectives
- Review ISMS documentation against ISO 27001 requirements
- Evaluate the scope and boundaries of your ISMS
- Assess your organization's understanding of the standard
- Verify internal audit and management review have been completed
- Identify areas of concern before Stage 2
- Plan Stage 2 audit activities and resource allocation
What Auditors Review in Stage 1
- ISMS Scope Statement: Clear definition of boundaries, locations, and assets
- Information Security Policy: Top management commitment and direction
- Risk Assessment Methodology: Documented approach to identifying and treating risks
- Risk Assessment Results: Evidence of risk assessment completion
- Risk Treatment Plan: Actions planned for unacceptable risks
- Statement of Applicability (SoA): Annex A controls with justifications
- Information Security Objectives: Measurable objectives aligned with policy
- Internal Audit Records: Evidence of audit planning and execution
- Management Review Minutes: Records of top management oversight
Stage 1 Duration and Format
Stage 1 typically takes 1-2 days depending on organization size and scope complexity. It can be conducted:
- On-site: At your premises with document review and initial facility tour
- Remote: Via video conference with screen sharing for document review
- Hybrid: Document review remote, followed by brief on-site visit
Stage 1 Outcomes
The auditor provides a report indicating readiness for Stage 2:
- Proceed to Stage 2: Organization is ready—schedule the implementation audit
- Proceed with Observations: Minor issues to address; Stage 2 can proceed
- Delay Stage 2: Significant gaps require remediation before proceeding
The most frequent Stage 1 findings are incomplete risk assessments, a missing Statement of Applicability, no internal audit evidence, and a management review that has not been conducted. Address these before scheduling Stage 1.
Stage 2 Audit: Implementation Verification
Stage 2 is the main certification audit, verifying that your ISMS is not just documented but effectively implemented and operating.
Stage 2 Objectives
- Confirm ISMS conforms to all ISO 27001 requirements
- Verify policies and procedures are implemented and followed
- Assess effectiveness of controls in treating identified risks
- Verify internal audit and management review effectiveness
- Confirm awareness and competence of personnel
- Evaluate continual improvement mechanisms
Stage 2 Audit Methods
- Interviews: Discussions with management, IT staff, process owners, and users
- Document Review: Examination of policies, procedures, records, and logs
- Observation: Watching processes, physical security, and operations in action
- Technical Verification: Reviewing configurations, access controls, and system settings
- Sampling: Selecting records, incidents, changes to verify consistent application
Stage 2 Duration
Audit duration is calculated according to IAF MD 5 guidelines, taking into account:
- Number of employees in scope (FTE count)
- Number of sites/locations
- Complexity of ISMS and technology environment
- Regulatory requirements
- Outsourced processes
Typical Stage 2 durations:
| Organization Size | Stage 2 Days | Total Initial Audit Days |
|---|---|---|
| 1-10 employees | 2-3 days | 3-4 days |
| 11-45 employees | 3-5 days | 4-6 days |
| 46-125 employees | 5-7 days | 6-9 days |
| 126-425 employees | 7-10 days | 9-12 days |
| 426-625 employees | 10-12 days | 12-15 days |
Stage 1 vs Stage 2: Key Differences
| Aspect | Stage 1 | Stage 2 |
|---|---|---|
| Primary Focus | Documentation completeness | Implementation effectiveness |
| Duration | 1-2 days | 2-12+ days (based on size) |
| Location | Can be remote | Primarily on-site |
| Evidence Type | Documents, policies, procedures | Records, logs, interviews, observations |
| Outcome | Readiness determination | Certification recommendation |
| Who's Involved | ISMS manager, key documentation owners | All departments, multiple personnel levels |
| Technical Depth | Limited technical review | Configuration checks, control testing |
Think of Stage 1 as "Do you have what you need?" and Stage 2 as "Are you doing what you say?" Stage 1 checks your blueprints; Stage 2 verifies the building is constructed to specification.
Managing Audit Findings
Types of Findings
- Major Nonconformity: Absence of, or a complete breakdown in, a required element, or a systemic failure that undermines ISMS effectiveness. Must be resolved before certification can be granted.
- Minor Nonconformity: Single instance of non-compliance that doesn't indicate systemic failure. Certificate can be issued with an accepted corrective action plan.
- Observation/Opportunity for Improvement: Area that could be enhanced but is not a conformity issue. No action required, but good practice to address.
Corrective Action Process
1. Acknowledge: Understand and accept the finding
2. Root Cause Analysis: Determine why the nonconformity occurred (use 5 Whys, fishbone diagram)
3. Correction: Immediate action to fix the specific instance
4. Corrective Action: Systematic changes to prevent recurrence
5. Evidence: Document actions taken and results achieved
6. Verification: CB verifies closure (may require follow-up audit)
Timeframes for Resolution
- Major Nonconformity: Must be closed within 90 days, verified before certification
- Minor Nonconformity: Corrective action plan accepted; verified at surveillance audit
Surveillance Audits
After initial certification, surveillance audits occur annually to verify continued ISMS conformity.
Surveillance Scope
Each surveillance audit must cover:
- Internal audits and management review
- Actions on previous nonconformities
- Complaints and their handling
- ISMS effectiveness and objective achievement
- Planned continual improvement activities
- Selected operational controls
- Use of certification marks
- Changes to the ISMS
Surveillance Duration
Typically 30-40% of the initial audit duration, split across the two annual visits so that all clauses and controls are reviewed over the 3-year cycle.
Maintaining Certification
Certification can be suspended or withdrawn if:
- Surveillance audits are not completed on schedule
- Major nonconformities are not resolved in time
- Significant ISMS failures are identified
- Certification fees are not paid
- Organization misuses the certification mark
Recertification Audit
Before the 3-year certificate expires, a recertification audit confirms continued suitability of the complete ISMS.
Recertification Scope
Similar in scope to the initial certification audit, but it also considers:
- ISMS performance over the certification cycle
- Effectiveness of the ISMS as a whole
- Changes to scope, organization, or technology
- Previous audit findings and actions
- Commitment to continual improvement
Timing
Plan recertification 3-4 months before certificate expiry to allow time for any corrective actions. If the certificate expires before recertification completes, you lose certification status.
Complete Certification Timeline
| Phase | Duration | Key Activities |
|---|---|---|
| CB Selection | 2-4 weeks | RFP, proposal review, contract signing |
| Pre-Audit Preparation | 2-4 weeks | Documentation finalization, internal audit, management review |
| Stage 1 Audit | 1-2 days | Documentation review, readiness assessment |
| Gap Closure | 2-8 weeks | Address Stage 1 findings, finalize implementation |
| Stage 2 Audit | 2-12 days | Implementation verification, control effectiveness |
| Corrective Actions | 2-12 weeks | Resolve nonconformities, verify effectiveness |
| Certificate Issuance | 1-2 weeks | CB technical review and approval |
Total Time from Stage 1 to Certificate: Typically 6-16 weeks depending on findings and organization responsiveness.
Frequently Asked Questions
What happens in an ISO 27001 Stage 1 audit?
Stage 1 is a readiness review focused on ISMS documentation, scope definition, risk assessment methodology, Statement of Applicability, and evidence of internal audit and management review. The auditor determines whether you are ready to proceed to Stage 2.
What happens in ISO 27001 Stage 2?
Stage 2 is the main certification audit verifying that your ISMS is effectively implemented. Auditors conduct on-site evidence review, interviews with staff, process observation, and verification of Annex A controls. It results in a certification recommendation.
How long is an ISO 27001 certificate valid?
An ISO 27001 certificate is valid for 3 years from the date of issuance. During this period, mandatory annual surveillance audits must be completed to maintain certification. A recertification audit is required before the certificate expires to start a new 3-year cycle.
What is the difference between accredited and non-accredited certification?
Accredited certification is issued by a certification body accredited by an IAF MLA member (such as IAS, UKAS, or ANAB). Non-accredited certificates may not be recognized internationally and carry less credibility with customers, regulators, and partners. Always verify your CB's accreditation status.
How many audit days does ISO 27001 require?
Audit duration is determined by organization size, scope complexity, and number of sites — typically 5-15 days for initial certification. This includes both Stage 1 (1-2 days) and Stage 2 (2-12+ days). IAF MD 5 provides the calculation guidelines.
Can ISO 27001 certification be done remotely?
Partially. Some Stage 1 and Stage 2 activities can be conducted remotely per IAF MD 4 guidance, especially document review and interviews. However, physical site visits are typically required for Stage 2 to verify physical security controls and observe operations in action.