ISO 27001 Certification Overview

ISO 27001 certification demonstrates that your organization has implemented an Information Security Management System (ISMS) that meets international standards. The certification process follows a structured two-stage audit approach, followed by ongoing surveillance to maintain certification.

The certificate is valid for three years, and the cycle runs as follows:

  • Year 1: Initial certification (Stage 1 + Stage 2 audits); certificate issued
  • Year 2: Surveillance Audit 1 (the first surveillance must take place within 12 months of the certification decision)
  • Year 3: Surveillance Audit 2
  • Before expiry (end of Year 3): Recertification audit; a new three-year cycle begins

ISO 27001:2022 Note

Organizations seeking new certification should certify directly against ISO 27001:2022. Existing certifications to ISO 27001:2013 must transition by October 31, 2025. See our transition guide for details.

Selecting a Certification Body

Your choice of certification body (CB) significantly impacts your audit experience and the credibility of your certificate.

Accreditation Requirements

Always verify the CB holds accreditation from a recognized national accreditation body:

  • IAS (United States of America)
  • ANAB (United States of America)
  • UKAS (United Kingdom)
  • DAkkS (Germany)
  • JAS-ANZ (Australia/New Zealand)

Accreditation ensures auditor competence, process consistency, and international recognition of your certificate through the IAF MLA (Multilateral Recognition Arrangement).

Selection Criteria

  • Industry Experience: Has the CB audited organizations in your sector?
  • Auditor Expertise: Do auditors understand your technology stack and business model?
  • Geographic Coverage: Can they audit all locations in your scope?
  • Timeline Flexibility: Can they accommodate your certification timeline?
  • Pricing Transparency: Are audit day rates, travel costs, and certificate fees clear?
  • Client References: Can they provide references from similar organizations?

Request proposals from at least three certification bodies. The cheapest option is rarely the best—consider auditor quality, sector expertise, and long-term partnership value.

Stage 1 Audit: Documentation Review

The Stage 1 audit assesses whether your organization is ready for the full certification audit. It focuses on documentation completeness and preliminary ISMS implementation.

Stage 1 Objectives

  • Review ISMS documentation against ISO 27001 requirements
  • Evaluate the scope and boundaries of your ISMS
  • Assess your organization's understanding of the standard
  • Verify that internal audit and management review have been planned and performed (at least one full cycle of each before Stage 2)
  • Identify areas of concern before Stage 2
  • Plan Stage 2 audit activities and resource allocation

What Auditors Review in Stage 1

  • ISMS Scope Statement: Clear definition of boundaries, locations, and assets
  • Information Security Policy: Top management commitment and direction
  • Risk Assessment Methodology: Documented approach to identifying and treating risks
  • Risk Assessment Results: Evidence of risk assessment completion
  • Risk Treatment Plan: Actions planned for unacceptable risks
  • Statement of Applicability (SoA): Annex A controls with justifications
  • Information Security Objectives: Measurable objectives aligned with policy
  • Internal Audit Records: Evidence of audit planning and execution
  • Management Review Minutes: Records of top management oversight

Stage 1 Duration and Format

Stage 1 typically takes 1-2 days depending on organization size and scope complexity. It can be conducted:

  • On-site: At your premises with document review and initial facility tour
  • Remote: Via video conference with screen sharing for document review
  • Hybrid: Document review remote, followed by brief on-site visit

Stage 1 Outcomes

The auditor provides a report indicating readiness for Stage 2:

  • Proceed to Stage 2: Organization is ready—schedule the implementation audit
  • Proceed with Observations: Minor issues to address; Stage 2 can proceed
  • Delay Stage 2: Significant gaps require remediation before proceeding

Common Stage 1 Issues

The most frequent Stage 1 findings are an incomplete risk assessment, a missing Statement of Applicability, no evidence that an internal audit was performed, and no management review. Each of these is a Stage 2 blocker, so close them before scheduling Stage 1.

Stage 2 Audit: Implementation Verification

Stage 2 is the main certification audit, verifying that your ISMS is not just documented but effectively implemented and operating.

Stage 2 Objectives

  • Confirm ISMS conforms to all ISO 27001 requirements
  • Verify policies and procedures are implemented and followed
  • Assess effectiveness of controls in treating identified risks
  • Verify internal audit and management review effectiveness
  • Confirm awareness and competence of personnel
  • Evaluate continual improvement mechanisms

Stage 2 Audit Methods

  • Interviews: Discussions with management, IT staff, process owners, and users
  • Document Review: Examination of policies, procedures, records, and logs
  • Observation: Watching processes, physical security, and operations in action
  • Technical Verification: Reviewing configurations, access controls, and system settings
  • Sampling: Selecting records, incidents, changes to verify consistent application

Stage 2 Duration

The CB calculates audit duration from the ISMS audit-time tables in ISO/IEC 27006 (Annex B), which follow the IAF MD 5 approach, adjusted for:

  • Number of employees in scope (FTE count)
  • Number of sites/locations
  • Complexity of ISMS and technology environment
  • Regulatory requirements
  • Outsourced processes

Typical Stage 2 durations (planning estimates; the binding figure is the one your CB derives from the standard's tables and its own complexity adjustments):

Organization size      Stage 2 days    Total initial audit days (Stage 1 + Stage 2)
1-10 employees         2-3             3-4
11-45 employees        3-5             4-6
46-125 employees       5-7             6-9
126-425 employees      7-10            9-12
426-625 employees      10-12           12-15

Stage 1 vs Stage 2: Key Differences

Aspect            Stage 1                                   Stage 2
Primary focus     Documentation completeness                Implementation effectiveness
Duration          1-2 days                                  2-12+ days (based on size)
Location          Can be remote                             Primarily on-site
Evidence type     Documents, policies, procedures           Records, logs, interviews, observations
Outcome           Readiness determination                   Certification recommendation
Who's involved    ISMS manager, key documentation owners    All departments, multiple personnel levels
Technical depth   Limited technical review                  Configuration checks, control testing

Think of Stage 1 as "Do you have what you need?" and Stage 2 as "Are you doing what you say?" Stage 1 checks your blueprints; Stage 2 verifies the building is constructed to specification.

Managing Audit Findings

Types of Findings

  • Major Nonconformity: Absence or complete breakdown of a required element. Systemic failure affecting ISMS effectiveness. Must be resolved before certification can be granted.
  • Minor Nonconformity: Single instance of non-compliance that doesn't indicate systemic failure. Certificate can be issued with an accepted corrective action plan.
  • Observation/Opportunity for Improvement: Area that could be enhanced but is not a conformity issue. No action required, but good practice to address.

Corrective Action Process

  1. Acknowledge: Understand and accept the finding
  2. Root Cause Analysis: Determine why the nonconformity occurred (use 5 Whys, fishbone diagram)
  3. Correction: Immediate action to fix the specific instance
  4. Corrective Action: Systematic changes to prevent recurrence
  5. Evidence: Document actions taken and results achieved
  6. Verification: CB verifies closure (may require follow-up audit)

Timeframes for Resolution

  • Major Nonconformity: Correction and corrective action must be implemented and verified by the CB before certification is granted. Most CBs set a 90-day limit; ISO/IEC 17021-1 sets the outer bound at six months after Stage 2, after which Stage 2 must be repeated in full.
  • Minor Nonconformity: The CB accepts a corrective action plan (typically within 30-60 days of the audit) and verifies implementation at the next surveillance audit.

Surveillance Audits

After initial certification, surveillance audits occur at least annually to verify continued ISMS conformity. The first surveillance audit must take place within 12 months of the certification decision date; missing this window puts the certificate at risk of suspension.

Surveillance Scope

Each surveillance must cover:

  • Internal audits and management review
  • Actions on previous nonconformities
  • Complaints and their handling
  • ISMS effectiveness and objective achievement
  • Planned continual improvement activities
  • Selected operational controls
  • Use of certification marks
  • Changes to the ISMS

Surveillance Duration

Each surveillance audit is typically about one third of the initial audit duration (so roughly two thirds across the two visits). Surveillance audits sample rather than repeat the full audit, but the CB's surveillance programme must ensure that every clause and every applicable control is reviewed at least once over the three-year cycle.

Maintaining Certification

Certification can be suspended or withdrawn if:

  • Surveillance audits are not completed on schedule
  • Major nonconformities are not resolved in time
  • Significant ISMS failures are identified
  • Certification fees are not paid
  • Organization misuses the certification mark

Recertification Audit

Before the 3-year certificate expires, a recertification audit confirms continued suitability of the complete ISMS.

Recertification Scope

Similar to initial certification but considers:

  • ISMS performance over the certification cycle
  • Effectiveness of the ISMS as a whole
  • Changes to scope, organization, or technology
  • Previous audit findings and actions
  • Commitment to continual improvement

Timing

Plan the recertification audit 3-4 months before certificate expiry so there is time to close any nonconformities before the expiry date. The recertification audit is typically about two thirds of the initial audit duration. If the certificate expires before recertification is complete, certification lapses: ISO/IEC 17021-1 lets the CB reinstate it only if the outstanding recertification activities are completed within six months of expiry; beyond that, at least a Stage 2 audit must be repeated.

Complete Certification Timeline

Phase                   Duration      Key activities
CB selection            2-4 weeks     RFP, proposal review, contract signing
Pre-audit preparation   2-4 weeks     Documentation finalization, internal audit, management review
Stage 1 audit           1-2 days      Documentation review, readiness assessment
Gap closure             2-8 weeks     Address Stage 1 findings, finalize implementation
Stage 2 audit           2-12 days     Implementation verification, control effectiveness
Corrective actions      2-12 weeks    Resolve nonconformities, verify effectiveness
Certificate issuance    1-2 weeks     CB technical review and certification decision

Total time from Stage 1 to certificate: typically 6-16 weeks, depending on the number and severity of findings and how quickly the organization responds. A major nonconformity that needs a follow-up visit to verify closure can push this toward the upper end of the ranges above.