What are the steps in the ISO 27001 certification process?


The ISO 27001 certification process consists of several stages that organisations go through to have their information security management system (ISMS) assessed. The process includes preparatory steps, documentation audit (stage 1), implementation audit (stage 2) and maintenance of the certificate. A structured approach helps organisations successfully navigate through all stages and strengthen their digital resilience.

What exactly does the ISO 27001 certification process entail?

The ISO 27001 certification process is a systematic assessment of your information security management system by an accredited certification body. The process consists of the implementation of security measures, the documentation of procedures and the external audit of the system.

The main difference between implementation and certification lies in the focus. Implementation involves actually setting up your ISMS within the organisation, including identifying risks, establishing policies and training employees. Certification, on the other hand, is the external validation that your system complies with the ISO 27001 standard.

The certification process has three main components. First, the preparation, where you implement and document your ISMS. Second, the external audit, consisting of documentation review and implementation review. Third, maintenance, with annual audits and recertification after three years.

Both elements are essential for effective information security. Implementation without certification provides no external validation of your efforts. Certification without proper implementation results in a worthless piece of paper with no real protection.

What preparatory steps should your organisation take before the audit begins?

The preparation phase requires a thorough gap analysis to determine where your current information security falls short of ISO 27001 requirements. This analysis forms the basis for your implementation plan and determines which measures are prioritised.

Start by conducting a comprehensive risk assessment. Identify all information assets, determine possible threats and vulnerabilities, and evaluate the impact of possible security incidents. This risk assessment should be documented and updated regularly.

Next, establish your information security policies and procedures. The main policy should be approved by management and communicate how information security is organised within your organisation. Additional procedures describe specific practices for different security aspects.

Employee training is crucial for successful audit completion. Make sure all stakeholders understand what ISO 27001 means, their role in the ISMS and how procedures are applied in practice. Document all training activities for the auditor.

How is the stage 1 audit conducted and what exactly is assessed?

The stage 1 audit is a documentation check in which the auditor assesses whether your ISMS documentation is complete and meets ISO 27001 requirements. This phase usually takes one day and takes place on your premises or digitally.

Auditors check during stage 1 that all mandatory documents are in place. This includes the information security policy, risk assessment and risk treatment plan, statement of applicability, objectives and procedures for all selected security measures.

Many organisations make the mistake of drafting documentation in either too general or too detailed a manner. Documents that are too general do not provide practical guidance for employees. Procedures that are too detailed are often not followed because they are too cumbersome. Find the balance between usability and completeness.

Another common mistake is not aligning different documents. Make sure your policies, procedures and risk assessment are consistent. Inconsistencies between documents lead to questions during the audit and possible postponement of certification.

Prepare by going through all documents thoroughly before the auditor arrives. Check that versions are up to date, approvals are in place and documents are accessible to relevant staff.
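The risk assessment described in the preparation section and the document alignment point made above are the two places where inconsistencies most often surface in a stage 1 audit: a risk above tolerance with no treatment, a treatment that cites a control the statement of applicability (SoA) excludes, or an applicable control with no justification. The following script is an added example, not part of the original article and not a tool from any certification body; the risk register, treatment plan, SoA, control identifiers (C-ACCESS etc.) and the tolerance threshold are all constructed for illustration, and the scoring scheme (likelihood times impact) is one common convention, not a requirement of the standard.

```python
"""Cross-check three ISMS documents for consistency before a stage 1 audit:
the risk register, the risk treatment plan and the statement of applicability.
All records below are constructed sample data, not real ISMS content."""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        # Simple likelihood x impact rating (assumed convention)
        return self.likelihood * self.impact


@dataclass
class Control:
    control_id: str
    applicable: bool
    justification: str = ""  # SoA must justify inclusion and exclusion alike


RISK_TOLERANCE = 8  # constructed threshold: scores above this need treatment

# Constructed risk register (asset, threat, vulnerability, ratings)
RISK_REGISTER = [
    Risk("R-01", "customer database", "credential theft", "shared admin accounts", 4, 5),
    Risk("R-02", "file server", "ransomware", "no offline backups", 3, 4),
    Risk("R-03", "office printer", "document theft", "unattended output tray", 2, 2),
    Risk("R-04", "VPN gateway", "unauthorised access", "logs never reviewed", 3, 3),
]

# Constructed risk treatment plan: risk id -> control ids applied to it
TREATMENT_PLAN = {
    "R-01": ["C-ACCESS"],
    "R-02": ["C-BACKUP"],
    # R-04 is deliberately left untreated so the check below fires
}

# Constructed statement of applicability; control ids are placeholders
SOA = [
    Control("C-ACCESS", True, "Access rights reviewed quarterly"),
    Control("C-BACKUP", True, "Daily offline backups, restore tested monthly"),
    Control("C-LOGGING", True, ""),   # applicable, but unjustified and unused
    Control("C-CRYPTO", False, ""),   # excluded without a documented reason
]


def find_inconsistencies(risks, plan, soa):
    """Return a list of human-readable findings; an empty list means the
    three documents agree with each other."""
    findings = []
    soa_by_id = {c.control_id: c for c in soa}
    known_risks = {r.risk_id for r in risks}

    # 1. Every risk above tolerance must have a treatment
    for r in risks:
        if r.score > RISK_TOLERANCE and r.risk_id not in plan:
            findings.append(f"{r.risk_id}: score {r.score} exceeds tolerance but has no treatment")

    # 2. Treatments must reference risks that exist and controls the SoA includes
    for risk_id, controls in plan.items():
        if risk_id not in known_risks:
            findings.append(f"{risk_id}: treated in plan but absent from risk register")
        for cid in controls:
            control = soa_by_id.get(cid)
            if control is None:
                findings.append(f"{risk_id}: references control {cid} absent from SoA")
            elif not control.applicable:
                findings.append(f"{risk_id}: references control {cid} marked not applicable in SoA")

    # 3. Applicable controls should trace back to a risk; every entry needs a justification
    used = {cid for cids in plan.values() for cid in cids}
    for c in soa:
        if c.applicable and c.control_id not in used:
            findings.append(f"{c.control_id}: applicable in SoA but not applied to any risk")
        if not c.justification:
            findings.append(f"{c.control_id}: no justification recorded in SoA")
    return findings


if __name__ == "__main__":
    for finding in find_inconsistencies(RISK_REGISTER, TREATMENT_PLAN, SOA):
        print(finding)
```

Run against the constructed data the script reports four findings (an untreated risk above tolerance, an applicable control nobody uses, and two missing justifications). In practice the three inputs would be loaded from whatever tooling holds the register and SoA, and the check run before each internal audit so that the documents an auditor sees already agree with one another.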

What happens during the stage 2 audit and how long does it take?

The stage 2 audit assesses whether your ISMS is effectively implemented in daily practice. This implementation audit usually takes two to four days, depending on the size and complexity of your organisation.

During stage 2, the auditor conducts interviews with employees at different levels to check whether procedures are followed. Expect questions about their duties, how they deal with security incidents and what training they have received. The auditor wants to see that information security actually lives in the organisation.

The auditor checks processes by taking samples. This may mean reviewing security log files, checking access rights or inspecting physical security measures. The aim is to verify that your documented procedures match reality.

Assessing effectiveness goes beyond simply following procedures. The auditor evaluates whether your security measures actually contribute to controlling identified risks. This requires evidence of monitoring, management reviews and continuous improvement of the ISMS.

What if non-conformities are found during the audit?

Non-conformities are areas in which your ISMS does not meet ISO 27001 requirements. Major non-conformities are serious deficiencies that block certification, while minor non-conformities are smaller deviations that must be resolved within a certain timeframe.

The difference between major and minor non-conformities lies in the impact on your ISMS. Major non-conformities involve missing essential elements, such as an incomplete risk assessment or lack of management reviews. Minor non-conformities are usually procedural deviations or documentation deficiencies.

To draw up corrective measures, you must analyse the cause of each non-conformity. Describe not only what you will do to solve the problem, but also how you will prevent it from recurring. Include a timeline and responsible persons for each action.

For major non-conformities, certification is delayed until you provide evidence that the deficiencies have been resolved. This may mean that the auditor returns for an additional assessment. Minor non-conformities can usually be resolved without an additional visit, provided you provide adequate evidence.

Common problems include incomplete documentation, lack of evidence of management commitment and unclear roles and responsibilities. Avoid these problems by conducting an internal audit beforehand and thoroughly testing all processes.

How do you keep your ISO 27001 certification valid after initial certification?

After certification, annual surveillance audits take place to check that your ISMS continues to function effectively. These audits are less comprehensive than the initial certification, but they do check that you are maintaining and improving the system.

The three-year recertification process is similar to the original certification. The auditor reassesses your complete ISMS, including any changes made in the meantime. This is the time to demonstrate that your system has grown with your organisation.

Continuous improvement is a core requirement of ISO 27001. You must demonstrate that you regularly evaluate your ISMS, identify areas for improvement and implement measures. Document all improvements and their effectiveness for the auditor.

Maintaining your ISMS requires regular management reviews, internal audits and monitoring of security indicators. Keep your risk assessment up to date, train new staff and adapt procedures as your organisation changes.

For organisations seeking support with their certification process, we offer ISO 27001 certification support: a structured approach that goes beyond standard compliance. Our context-oriented approach helps you build an ISMS that truly contributes to your digital resilience. Contact us for a no-obligation discussion about your certification needs.

Frequently Asked Questions

What is the average cost for the full ISO 27001 certification process?

Costs range from €15,000 to €50,000 depending on organisation size and complexity. This includes the external audit, the certification body, possible consultancy and internal time for implementation.

On average, how long does it take an organisation to prepare for ISO 27001 certification?

Preparation time ranges from 6 to 18 months, depending on current security status and organisation size. Smaller organisations can be faster, while complex environments require more time.

Why do some organisations fail their first ISO 27001 certification audit?

Common reasons include insufficient management commitment, incomplete risk assessment, lack of evidence for implementation and inadequate employee training. Thorough preparation and internal audits prevent these problems.

When should you start preparing for recertification after three years?

Start recertification preparation at least 6 months before your certificate expires. This gives sufficient time for any improvements and prevents interruption of your certificate status.
