ISO/IEC 27001 is one of the most widely recognized information security standards in the world. Earning certification is a powerful way to strengthen your security posture and show your commitment to protecting customer data.

But getting certified is not simple. The process can take months of preparation, detailed documentation, and careful coordination across your entire organization.

That is why we created this guide. Below you'll find an interactive checklist that walks you through each step of ISO 27001 certification, along with practical insights and expert advice to help you move through each stage with confidence.

How long ISO 27001 certification takes and what to expect

ISO/IEC 27001 certification is a major milestone, but it is not a quick process. The time it takes depends on your organization’s size, complexity, and how mature your existing security practices are.

For many small and medium-sized businesses, getting audit-ready typically takes about four months, with the certification audit adding another two to three months. Larger organizations or those with complex IT environments may need a year or more.

A typical ISO 27001 certification timeline

• Pre-audit preparation (Months 1–4): Define the scope of your ISMS, perform a risk assessment, design and implement policies and controls, train staff, and gather required documentation. Many organizations also perform an internal audit and remediate findings at this stage.
• Stage 1 audit (Month 5): An accredited auditor reviews your ISMS documentation and ensures your policies and procedures are designed properly.
• Stage 2 audit (Months 6–8): The auditor tests whether your controls and business processes are effectively implemented and aligned with ISO 27001 requirements. Passing Stage 2 results in certification, which is valid for three years.
• Surveillance audits (Years 1–2): Annual reviews confirm your ISMS is still effective and that improvements are being made.
• Recertification audit (Year 3): A full reassessment at the end of your certification term renews your ISO 27001 certificate for another three years.

How to become ISO 27001 certified

Need a bit more instruction on how to complete the steps above? We'll walk you through each step of the ISO 27001 implementation process below. 

1. Appoint an ISO 27001 team

First, gather a dedicated team to oversee and own the ISO 27001 process. 

This team will determine the scope of the certification process, create information management practices and policies, gain buy-in from stakeholders, and work directly with the auditor. 

Depending on the size of your organization and the scope of the data you manage, you may be able to have just one person lead the project, or you may need a larger team. It can be helpful to appoint one lead project manager to oversee ISO 27001 and let them build a team around them. 

Some of the traits to look for in the ideal ISO 27001 project manager are:

• Understanding of IT
• Familiarity with the organization’s business processes
• Background in project management
• Ability to communicate ISO 27001 details effectively

2. Build your information security management system (ISMS)

There’s a good chance your company already has an ad hoc system of information management in place. However, that type of asset management isn’t going to cut it during an ISO 27001 audit.

In short, an information security management system, or ISMS, is the framework a company uses to manage information and risk. An ISMS consists of policies and procedures that spell out exactly how information will be stored and managed. 

There are three pillars of an ISMS: people, processes, and technology. 

ISO 27001 is the international standard that offers detailed instructions on how to create a best-in-class ISMS and how to meet compliance requirements. 

We break down how to determine ISMS scope in three steps:

• Set the scope: Start by asking, “What information needs to be protected?” You’ll need to identify all locations where information is stored. This includes both physical and digital documents and information systems.
• Identify how that information can be accessed: Examine access controls and document every access point, such as an employee’s computer or a file cabinet. 
• Determine what’s out of scope: A helpful question to ask is “What parts of the business need to create, access, or process our valuable information assets?” Any department or parties that fall outside of that category may not need to be included in the scope. 

After you’ve determined your ISMS scope, you’ll need to create the scope statement of your ISO 27001 certificate. You’ll outline what’s in scope and out of scope related to products and services, locations, departments and people, technology, and networks.

It’s important to note that your ISMS is not static. As your company evolves, new processes and departments may be introduced. When this happens, it’s important to revisit your ISMS and make adjustments as needed. 

3. Create and publish ISMS policies, documents, and records 

Two big parts of the ISO 27001 process are documentation and sharing those documents internally. Doing so will help keep you accountable and build a foundation for establishing, implementing, maintaining, and continually improving the ISMS. 

Here’s a list of ISMS documents you’ll need to compile:

• Scope of the ISMS (Clause 4.3)
• Information Security Policy (Clause 5.2)
• Risk assessment & treatment methodology (Clause 6.1.2)
• Statement of Applicability (SoA) (Clause 6.1.3 d)
• Risk treatment plan & security objectives (Clauses 6.1.3 e, 6.2; results in 8.3)
• Evidence of competence (Clause 7.2)
• Documented information necessary for ISMS effectiveness & processes (Clauses 7.5.1, 8.1)
• Results of risk assessments and treatments (Clauses 8.2, 8.3)
• Monitoring and measurement evidence (Clause 9.1)
• Internal audit program and results (Clause 9.2)
• Management review results (Clause 9.3)
• Nonconformities and corrective actions (Clause 10)

When creating your documents, you can customize policy templates with organization-specific policies, processes, and language. 

Include information or references to supporting documentation regarding:

• Information security objectives
• Leadership and commitment
• Roles, responsibilities, and authorities
• Approach to assessing and treating risk
• Control of documented information
• Communication
• Internal audit
• Management review
• Corrective action and continual improvement
• Policy violations

4. Conduct a risk assessment

The next step in your ISO 27001 checklist is to conduct an internal risk assessment. This will identify potential risks to data security and judge the severity of those risks.

Similar to how you identified where all your sensitive data is stored in step two, you’ll do the same for risks your organization faces. After compiling a list of risks, determine the likelihood that these risks could occur. 

Then, evaluate the potential impact of all identified risks. Think not only in terms of business continuity but also the financial impact a risk poses to your organization. 

Using a risk matrix is a helpful way to identify the most important risks your organization faces. Here's an example of how that process could look

• After identifying risks, you can sort them based on the likelihood that they may happen. For example, you could create a scale of 1-5, with one being unlikely and 5 being likely. 
• Next, you’ll measure the potential impact of each risk. You can use another scale of 1-5, with 1 being an insignificant impact and 5 being catastrophic. 
• You can then calculate the total risk of each identified threat to help you prioritize the most urgent ones. 

After ranking risks, create a risk treatment plan for each. Assign responsibilities to certain employees and track to completion. 

5. Complete a Statement of Applicability (SoA) document 

Consult ISO 27002 documentation to better familiarize yourself with the 93 controls of Annex A. You can think of Annex A as a collection of all possible security controls so you can find the ones that pertain to your organization. 

Once you’ve selected the security measures that best address your identified risks, you can then create a Statement of Applicability (SoA). 

The SoA states what ISO 27001 controls and policies are being applied by the organization. This document will outline what actions will be taken to address risks. 

6. Implement ISMS policies and controls 

After identifying risks and developing risk management processes, you can begin implementing the information security policy. This policy is a high-level overview of how your organization approaches information security. You can download a free information security policy template here.

The ISMS is at the heart of ISO 27001. The standard offers step-by-step instructions for how to protect data from threats and vulnerabilities. Organizations often turn to the Plan-Do-Check-Act (PDCA) method to help them put an ISMS plan in place. 

Here’s a look at what the PDCA method looks like in practice: 

• Plan: Review current cybersecurity management processes and identify gaps compared to the ISO 27001 ISMS requirements. 
• Do: Roll out the new ISMS controls and policies.
• Check: Monitor and review ISMS and make changes as necessary. 
• Act: Maintain and improve ISMS over time. 

Comb through ISO 27001 clauses 4-10 and the Annex A controls to ensure you’ve met all the requirements. Continue to perform ongoing effectiveness monitoring of your ISMS rollout. 

This is also the point at which you should begin informing employees of any new procedures related to the ISMS that may impact their day-to-day duties. Share policies with employees and track that they’re being reviewed.  

7. Train team members on ISO 27001 

Hold regular trainings for employees to familiarize them with ISO 27001 and the company’s ISMS. 

Go over terms related to ISO 27001 that may be new to them and highlight the importance of becoming certified. 

This is also a time to define expectations for staff regarding their role in ISMS maintenance. Educate employees on what may happen should the company fall out of compliance with data security requirements. 

This will help highlight the importance of your ISMS and plant the seed of security awareness in your team. 

8. Gather documentation and evidence 

If there’s one word you’ll hear over and over again when it comes to ISO 27001 it’s this: documentation. The more documentation you do prior to the audit stages, the better. 

Now is the time to prepare all ISO 27001 required documents and records for reference during the audits. 

9. Undergo an internal audit

Once your ISMS is in decent shape, plan an internal audit to see where your company lands on the path to certification.

Choose an independent and objective auditor to perform the internal audit. When the audit is complete, record and remediate the internal audit results before scheduling the Stage 1 audit.

10. Undergo a Stage 1 audit 

Select an accredited ISO 27001 auditor to conduct a Stage 1 audit. Within this external audit, they’ll be reviewing documentation required for ISO 27001 certification. 

Once they’ve finished going through all the documentation, they will identify any gaps or places where your ISMS fails to meet the ISO 27001 standard.

11. Get a Stage 2 audit 

At this point your auditor will perform tests on your ISMS to evaluate its implementation and functionality. They will also see how your ISMS stacks up against applicable Annex A controls. 

The point of this audit is to ensure that the processes you began in the stage one audit are being followed company-wide. 

12. Implement Stage 2 audit advice 

Take all recommendations from the auditor to heart. Once all major nonconformities have been addressed, the auditor will send a draft certificate of ISO 27001 compliance to the organization for review. 

The company then makes any minor adjustments before sending it back to the auditor. Then the auditor will publish the certificate, and your ISO 27001 certification is official.    

13. Commit to periodic audits and assessments  

Becoming ISO 27001 certified isn’t the final step. To maintain continuous compliance with ISO 27001, your organization must commit to ongoing audits and assessments.

An ISO 27001 certificate lasts for three years. During that time, ISO 27001 requires organizations to conduct a surveillance audit each year to ensure a compliant ISMS hasn’t lapsed. 

Here are additional steps to take to ensure compliance: 

• Hold management reviews at least once per year or on a quarterly review cycle. 
• Prepare for first- and second-year surveillance audits.
• Perform annual risk assessments.
• Prepare for the third-year renewal audit.

14. Perform ongoing improvements 

Your ISMS will go through changes after ISO 27001 certification. When you change your software providers or you’re working with new suppliers, this may require revising your ISMS. 

Your ISO 27001 team should be updating your ISMS as needed and documenting each change. Additionally, any threats to your ISMS that were identified and remediated need to be documented. 

This will not only make your next certification process easier, but will highlight nonconformities that may impact the overall security of your data.

Achieve and maintain ISO 27001 compliance with Secureframe

If this process seems a little grueling, that’s because it is. 

However, organizations like Secureframe make this process much simpler. Our compliance automation platform streamlines the entire ISO 27001 audit process, saving you hundreds of hours and thousands of dollars. 

We have partnerships with dozens of auditors and can match you with an audit firm that’s already well-versed in your industry. We also provide access to ISO 27001 experts who can walk you through all of the intricacies that trip up many businesses on the path to certification.

Simply put, Secureframe has your back throughout every step of the ISO 27001 process. To find out how we can help you, request a demo today.