The ISO 27001 Certification Process: A Step-by-Step Guide

ISO/IEC 27001:2022 is a rigorous cybersecurity standard, and it can be intimidating to tackle if you’re getting certified for the first time. 

Where do you begin? Which policies and controls will you need? How do you know if you’re ready for an audit?

Understanding the process of getting ISO 27001 certified can help you prepare for a successful audit — and remove a lot of the stress along the way. 

In this post, we’ll explain the ISO 27001 certification process, including what organizations need to do to prepare and what happens during each phase of the certification audit.

Phases of the certification process

[Figure: The ISO 27001 certification process phases]

To achieve ISO 27001 certification, you’ll need to undergo a series of audits. Here’s what you can expect as you prepare for and complete your certification.

Phase one: create a project plan

Start by defining who will lead the certification project. Identify a project manager or team responsible for scoping, timelines, and communication. Get buy-in from senior leadership early, since auditors will want to see evidence of management commitment.

At this stage, some organizations choose to work with an ISO 27001 consultant, while others use compliance automation platforms backed by expert support. Both options can help you interpret requirements, but automation tools can save significant time and effort by collecting evidence and tracking tasks automatically.

Educating yourself on the ISO 27001 standard and its 114 controls is a key part of this process. A great place to start is our in-depth guide to ISO 27001.

Phase two: define the scope of your ISMS

Each business is unique and houses different types of data. Before building your ISMS, you’ll need to determine exactly what kind of information you need to protect. Which assets, systems, or services are most critical to your business and most relevant to customer trust?

For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system. 

Your team will need to discuss what you want to be represented in your ISO 27001 scope statement. Start by asking yourself: “What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?” Then use our free ISO 27001 Scope Statement Template to get a head start and ensure compliant documentation.

Phase three: perform a risk assessment and gap analysis

ISO 27001:2022 requires a documented, repeatable risk assessment process. You’ll need to identify risks to your information assets, evaluate their likelihood and potential impact, and decide how to address them.

To start, consider your baseline for security. What legal, regulatory, or contractual obligations is your company held to?

At the same time, a gap analysis will show how your current security practices compare against ISO 27001 requirements. This helps you prioritize remediation efforts before the audit.

Organizations that don’t have a dedicated compliance manager may choose to hire an ISO consultant to help with their gap analysis and remediation plan. A consultant who has experience working with companies like yours can provide expert guidance to help you meet compliance requirements.

However, due to costs, limited availability, and other reasons, many organizations decide against using an external consultant and instead opt for a compliance automation solution backed by a team of compliance managers, like Secureframe. Our compliance managers guide you through the ISO 27001 certification process so you know exactly which measures to implement to achieve compliance. They can also help you establish best practices that strengthen your overall security posture.


Phase four: design and implement policies and controls

Now that you’ve identified risks, you’ll need to decide how your organization will respond. Which risks are you willing to tolerate, and which do you need to address?

ISO 27001 outlines four options:

  • Modify the risk with new controls that reduce likelihood or impact
  • Avoid the risk by preventing the scenario entirely
  • Transfer the risk to another party (e.g., cyber insurance or outsourcing)
  • Accept the risk when the cost of remediation outweighs potential harm

Your auditor will want to review the decisions you’ve made regarding each identified risk during your ISO 27001 certification audit. You’ll also need to produce a Statement of Applicability and a Risk Treatment Plan as part of your audit evidence.

The Statement of Applicability summarizes and explains which ISO 27001 controls and policies are relevant to your organization. This document is one of the first things your external auditor will review during your certification audit.

The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats you identified during your risk assessment process.

Next, you’ll implement policies and controls in response to the identified risks. Your policies should establish and reinforce security best practices, such as requiring employees to use multi-factor authentication and to lock their devices whenever they leave their workstations.

Phase five: complete employee training

ISO 27001 requires evidence that all employees understand their role in maintaining information security. Training should cover security awareness, reporting procedures, and daily best practices. This ensures that everyone within your organization understands the importance of data security and their role in both achieving and maintaining compliance.

Documentation of training sessions and completion rates is important audit evidence.

Phase six: document and collect evidence

Auditors will want to see proof that your policies and controls are not only documented but also operating effectively.

Common evidence includes:

  • ISMS scope
  • Information security policy
  • Risk assessment and treatment processes
  • Statement of Applicability
  • Information security objectives
  • Incident response plans
  • Access logs
  • Security training records
  • Audit programs and reports
  • Management review evidence
  • Records of nonconformities and remediations
  • Annex A control implementation evidence

Collecting and organizing all of this evidence can be extremely time-consuming. Compliance automation software for ISO 27001 can eliminate hundreds of hours of busy work by collecting this evidence for you.

Phase seven: complete an ISO 27001 certification audit

In this phase, an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification.

A certification audit happens in two stages:

  • Stage 1: Documentation review
    The auditor examines your ISMS documentation to verify that it aligns with ISO 27001 requirements. They may identify nonconformities or improvement areas that need to be addressed before moving forward.
  • Stage 2: Certification audit
    The auditor tests whether your policies and controls are actually being followed in practice. This includes reviewing processes, interviewing staff, and checking operational effectiveness.

If both stages are successful, you’ll receive an ISO 27001 certification that's valid for three years.

Phase eight: maintain continuous compliance

ISO 27001 is all about continuous improvement. You’ll need to keep analyzing and reviewing your ISMS to make sure it’s still operating effectively and that you remain compliant. And as your business evolves and new risks emerge, you’ll need to watch for opportunities to improve existing processes and controls.

ISO 27001 requires:

  • Surveillance audits: conducted annually by your certification body to ensure you’re still compliant.
  • Internal audits: scheduled by your organization to spot weaknesses before the auditor does.
  • Recertification audits: required every three years to renew your ISO 27001 certificate.

By maintaining an ongoing compliance program, you’ll not only keep your certification but also strengthen your overall security posture.


The certification audit process

[Figure: The ISO 27001 certification audit process: Stage 1 ISMS design review, Stage 2 certification audit, surveillance audits, recertification audit]

Once you've built your ISMS, completed a gap analysis, implemented controls, trained your staff, and collected evidence, you're ready to begin the audit process.

A formal ISO 27001 audit happens in stages:

Stage 1: ISMS design review

Review ISMS documentation to make sure policies and procedures are properly designed.

At this stage, your auditor will make sure your documentation is compliant with the ISO 27001 ISMS requirements listed in clauses 4-10. They will also point out any nonconformities or opportunities to improve your ISMS.

Once you’ve implemented any suggested changes, you’re ready for your Stage 2 audit.

Stage 2: Certification audit

Review business processes and controls to ensure compliance with ISO 27001 ISMS and Annex A requirements.

This is where your auditor will complete a detailed assessment to determine whether your organization satisfies ISO 27001 requirements.

Once Stage 1 and Stage 2 are complete, your ISO 27001 certification is valid for three years.

Surveillance audits

Within your three-year certification period, you’ll need to undergo ongoing audits. These audits ensure your ISO 27001 compliance program is still effective and being maintained.

Surveillance audits check that organizations are maintaining their ISMS and Annex A controls properly. Surveillance auditors will also check that any nonconformities or exceptions noted during the certification audit have been addressed.

Recertification audit

During the last year of the three-year ISO certification term, your organization can undergo a recertification audit.

Similar to Stage 2, the auditor will complete a detailed assessment to determine whether your organization meets ISO 27001 requirements for process and control design and operating effectiveness.

After completing the recertification audit, your ISO 27001 certification is valid for another three years. Most organizations spend 6-12 months preparing for and completing an ISO 27001 certification audit.

The ISO 27001 certification process can feel intimidating — but it doesn’t have to be so overwhelming. This flowchart will help you visualize the ISO 27001 certification process, break it down into manageable steps, and track your progress towards achieving compliance.

ISO 27001 evidence requirements

[Figure: ISO 27001 requirements: process evidence]

During your certification audit, your auditor will need to assess different aspects of your ISMS, including policies, business processes, and supporting evidence.

Here’s a baseline of the documentation you’ll need to provide to your auditor:

  • ISMS scope
  • Information security policy
  • Information security risk assessment process
  • Information security risk treatment process
  • Statement of Applicability
  • Information security objectives
  • Evidence of competence
  • Security awareness training program and results
  • Results of information security risk assessment
  • Results of information security risk treatment
  • Evidence of monitoring and measurement of results
  • Documented internal audit process
  • Evidence of audit programs and results
  • Evidence of results of management reviews
  • Evidence of non-conformities and remediations
  • Evidence of remediation results
  • Annex A control activity evidence

Streamline the process with Secureframe

Once you’ve created policies and compiled evidence for your ISO 27001 audit, you’ll likely have hundreds of documents that need to be collected, cataloged, and updated. And you’ll need to make sure all of your documentation is mapped to the right controls and requirements so your auditor can verify everything.

Secureframe can simplify the heavy lifting to make the process of preparing for and maintaining compliance more manageable and less stressful. We’ll help you build a compliant ISMS, monitor your tech stack for vulnerabilities, and manage risks. Schedule a demo to learn more.