ISO 27001 Certification Process: Step-by-Step Guide
Quick Answer
The ISO 27001 certification process involves three main stages: building your ISMS (3-9 months), Stage 1 audit (documentation review), and Stage 2 audit (implementation assessment). After passing both stages, you receive a 3-year certificate with annual surveillance audits.
Certification Process Overview
ISO 27001 certification is granted by accredited certification bodies (CBs) after a formal two-stage audit process. Unlike SOC 2 (which produces a report), ISO 27001 results in a certificate that is valid for three years, subject to annual surveillance audits.
Key Takeaways
- Certification involves two audit stages: Stage 1 (documentation review) and Stage 2 (implementation audit)
- You must choose an accredited certification body — accreditation bodies include UKAS (UK), ANAB (US), DAkkS (Germany)
- Stage 1 and Stage 2 are typically 1-3 months apart
- After certification, annual surveillance audits maintain your certificate
- Full recertification audit every 3 years
The Full Certification Journey
Months 1-2 — Planning & Gap Analysis
Define ISMS scope, conduct gap analysis against ISO 27001 requirements, build project plan and secure management commitment.
Months 2-4 — Risk Assessment & Treatment
Identify information assets, assess risks, create risk treatment plan, and select applicable Annex A controls.
Months 3-6 — Documentation & Implementation
Write required policies, procedures, and the Statement of Applicability. Implement controls and security measures.
Months 5-7 — Internal Audit & Management Review
Conduct internal audit of the ISMS, perform management review, and address nonconformities.
Months 7-8 — Stage 1 Audit
Certification body reviews documentation, ISMS design, and readiness for Stage 2. Identifies any major gaps.
Months 9-10 — Stage 2 Audit
On-site assessment of ISMS implementation. Auditors verify controls are operating effectively.
Month 10+ — Certification Issued
If there are no major nonconformities, the certificate is issued. It is valid for 3 years.
Stage 1 Audit: Documentation Review
What Auditors Assess in Stage 1
- ISMS scope definition and context of the organization
- Information security policy and objectives
- Risk assessment methodology and risk treatment plan
- Statement of Applicability (SoA)
- Internal audit plan and results
- Management review records
- Documented procedures for key processes
- Readiness for Stage 2 audit
Stage 2 Audit: Implementation Assessment
The Stage 2 audit is the main certification audit. Auditors spend 2-10 days on-site (or remote) verifying that your ISMS is implemented and operating effectively. They interview staff, review evidence, test controls, and assess whether your organization actually operates the security management system — not just documents it.
- Staff interviews: Auditors will talk to employees across departments to verify security awareness and adherence to procedures
- Evidence sampling: Random selection of records, logs, and artifacts to verify controls are operating
- Control testing: Verification that selected Annex A controls are implemented and effective
- Process observation: Watching how key processes (incident response, access management, change management) actually work
- Nonconformity assessment: Any gaps are classified as major (blocks certification) or minor (must be addressed with a corrective action plan)
After Certification
3-Year Certification Cycle
The ongoing certification maintenance cycle
Year 1: Certification Audit
Stage 1 + Stage 2 — full initial assessment
Year 2: Surveillance Audit
Partial review of ISMS — subset of controls
Year 3: Surveillance Audit
Partial review — different subset of controls
Year 4: Recertification Audit
Full reassessment — similar to initial certification
Choosing a Certification Body
Only use certification bodies accredited by recognized accreditation bodies (UKAS, ANAB, DAkkS, JAS-ANZ, etc.). Non-accredited certificates may not be recognized by customers. Check your target market — some customers specifically require UKAS or ANAB accreditation. Get quotes from 2-3 CBs; pricing varies significantly.
Key Figures
- 2-10 days: Stage 2 audit duration (depends on organization size and scope)
- 1-3 months: Between Stage 1 and Stage 2 (time to address Stage 1 findings)
- 3 years: Certificate validity (with annual surveillance audits)
- 90 days: Major nonconformity resolution (deadline to resolve major nonconformities)
What happens if we fail the Stage 2 audit?
If you receive major nonconformities, you typically have 90 days to address them before a follow-up audit. The certification body will re-assess the specific areas. Minor nonconformities require a corrective action plan but don't block certification. Complete failure is rare if you've done a proper Stage 1 and internal audit.
Can the audit be done remotely?
Since COVID, many certification bodies offer remote audits (especially Stage 1). Stage 2 often includes a mix of remote and on-site, depending on the CB's policy and your organization's physical operations. Fully remote Stage 2 audits are increasingly accepted for cloud-native organizations.
How do we choose the right certification body?
Key factors: accreditation (UKAS, ANAB, etc.), industry experience, auditor expertise, pricing, and availability. Get quotes from 2-3 accredited CBs. Check if your customers have preferences. Larger CBs (BSI, Bureau Veritas, SGS, Schellman) have global recognition; smaller CBs may offer better pricing.
Can we scope down our ISMS to make certification easier?
Yes, and this is common. You can certify a specific business unit, product, or service rather than the entire organization. However, the scope must make business sense and include all assets and processes relevant to the information security of the scoped area. Customers will see the scope on your certificate.