ISO 27001 is a rigorous standard, and it can be intimidating to tackle if you’re getting certified for the first time.
Where do you begin? Which policies and controls will you need? How do you know if you’re ready for an audit?
Understanding the process of getting ISO 27001 certified can help you prepare for a successful audit — and remove a lot of the stress along the way.
In this post, we’ll explain the ISO 27001 certification process, including what organizations need to do to prepare and what happens during each phase of the certification audit.
Phases of the certification process
The ISO 27001 certification process phases
To achieve ISO 27001 certification, you’ll need to undergo a series of audits. Here’s what you can expect to prepare for and complete your certification.
Phase one: create a project plan
Who within your organization will oversee the process, set expectations, and manage milestones? How will you get buy-in from company leadership? Will you be hiring an ISO 27001 consultant to help you navigate the process?
Educating yourself on ISO 27001 standards and its 114 controls is a key part of this process. A great place to start is our in-depth guide to ISO 27001.
Phase two: define the scope of your ISMS
Each business is unique and houses different types of data. Before building your ISMS, you’ll need to determine exactly what kind of information you need to protect.
For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system.
Your team will need to discuss what you want to be represented in the scope statement of your ISO 27001 certificate.
Start by asking yourself:
“What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?”
Phase three: perform a risk assessment and gap analysis
A formal risk assessment is a requirement for ISO 27001 compliance. That means the data, analysis, and results of your risk assessment must be documented.
To start, consider your baseline for security. What legal, regulatory, or contractual obligations is your company being held to?
Many startups that don’t have a dedicated compliance team choose to hire an ISO consultant to help with their gap analysis and remediation plan. A consultant who has experience working with companies like yours can provide expert guidance to help you meet compliance requirements.
On top of that, they can help you establish best practices that strengthen your overall security posture.
Phase four: design and implement policies and controls
Now that you’ve identified risks, you’ll need to decide how your organization will respond. Which risks are you willing to tolerate, and which do you need to address?
Your auditor will want to review the decisions you’ve made regarding each identified risk during your ISO 27001 certification audit. You’ll also need to produce a Statement of Applicability and a Risk Treatment Plan as part of your audit evidence.
The Statement of Applicability summarizes and explains which ISO 27001 controls and policies are relevant to your organization. This document is one of the first things your external auditor will review during your certification audit.
The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats you identified during your risk assessment process.
The ISO 27001 standard outlines four actions:
- Modify the risk by establishing controls that reduce the likelihood it will occur
- Avoid the risk by preventing the circumstances where it could occur
- Share the risk with a third party (i.e., outsource security efforts to another company, purchase insurance, etc.)
- Accept the risk because the cost of addressing it is greater than the potential damage
Next, you’ll implement policies and controls in response to identified risks. Your policies should establish and reinforce security best practices like requiring employees to use multi-factor authentication and lock devices whenever they leave their workstations.
Phase five: complete employee training
ISO 27001 requires all employees to be trained about information security. This ensures that everyone within your organization understands the importance of data security and their role in both achieving and maintaining compliance.
Phase six: document and collect evidence
To get ISO 27001 certification, you’ll need to prove to your auditor that you’ve established effective policies and controls and that they’re functioning as required by the ISO 27001 standard.
Collecting and organizing all of this evidence can be extremely time-consuming. Compliance automation software for ISO 27001 can eliminate hundreds of hours of busy work by collecting this evidence for you.
Phase seven: complete an ISO 27001 certification audit
In this phase, an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification.
A certification audit happens in two stages. First, the auditor will complete a Stage 1 audit, where they review your ISMS documentation to make sure you have the right policies and procedures in place.
Next, a Stage 2 audit will review your business processes and security controls. Once Stage 1 and Stage 2 audits are complete, you'll be issued an ISO 27001 certification that's valid for three years.
Phase eight: maintain continuous compliance
ISO 27001 is all about continuous improvement. You’ll need to keep analyzing and reviewing your ISMS to make sure it’s still operating effectively. And as your business evolves and new risks emerge, you’ll need to watch for opportunities to improve existing processes and controls.
The ISO 27001 standard requires periodic internal audits as part of this ongoing monitoring. Internal auditors examine processes and policies to look for potential weaknesses and areas of improvement before an external audit.
The certification audit process
The ISO 27001 certification audit process
- Stage 1: ISMS Design review
Review ISMS documentation to make sure policies and procedures are properly designed.
- Stage 2: Certification audit
Review business processes & controls for compliance with ISMS and Annex A requirements.
- Surveillance audits
Ensure your ISO 27001 compliance program is still effective and being maintained.
- Recertification audit
At the end of the 3-year certification term, a recertification audit assesses ISMS and Annex A controls for compliance. Recertification is valid for another 3 years.
Once you've built your ISMS, completed a gap assessment, implemented controls, trained your staff, and collected evidence, you're ready to begin the audit process.
A formal ISO 27001 audit happens in stages:
Stage 1: ISMS Design review
Review ISMS documentation to make sure policies and procedures are properly designed.
At this stage, your auditor will make sure your documentation is compliant with the ISO 27001 ISMS requirements listed in clauses 4-10. They will also point out any nonconformities or opportunities to improve your ISMS.
Once you’ve implemented any suggested changes, you’re ready for your Stage 2 audit.
Stage 2: Certification audit
Review business processes and controls to ensure compliance with ISO 27001 ISMS and Annex A requirements.
This is where your auditor will complete a detailed assessment to determine whether your organization satisfies ISO 27001 requirements.
Once Stage 1 and Stage 2 are complete, your ISO 27001 certification is valid for three years.
Within your three-year certification period, you’ll need to conduct ongoing audits. These audits ensure your ISO 27001 compliance program is still effective and being maintained.
Surveillance audits check to make sure organizations are maintaining their ISMS and Annex A controls properly. Surveillance auditors will also check to make sure any nonconformities or exceptions noted during the certification audit have been addressed.
During the last year of the three-year ISO certification term, your organization can undergo a recertification audit.
Similar to Stage 2, the auditor will complete a detailed assessment to determine whether your organization meets ISO 27001 requirements for process/control design and operating effectiveness.
After completing the recertification audit, your ISO 27001 certification is valid for another three years. Most organizations spend 6-12 months preparing for and completing an ISO 27001 certification audit.
The ISO 27001 certification process can feel intimidating — but it doesn’t have to be so overwhelming. This flowchart will help you visualize the ISO 27001 certification process, break it down into manageable steps, and track your progress towards achieving compliance.
ISO 27001 evidence requirements
ISO 27001 requirements: process evidence
During your certification audit, your auditor will need to assess different aspects of your ISMS, including policies, business processes, and supporting evidence.
Here’s a baseline of the documentation you’ll need to provide your auditor:
- ISMS scope
- Information security policy
- Information security risk assessment process
- Information security risk treatment process
- Statement of Applicability
- Information security objectives
- Evidence of competence
- Security awareness training program and results
- Results of information security risk assessment
- Results of information security risk treatment
- Evidence of monitoring and measurement of results
- Documented internal audit process
- Evidence of audit programs and results
- Evidence of results of management reviews
- Evidence of non-conformities and remediations
- Evidence of remediation results
- Annex A control activity evidence
Streamline the process with Secureframe
Once you’ve created policies and compiled evidence for your ISO 27001 audit, you’ll likely have hundreds of documents that will need to be collected, cataloged, and updated. And you’ll need to make sure all of your documentation is organized with the right controls and requirements so your auditor can verify everything.
Secureframe can simplify the heavy-lifting to make the process of preparing for and maintaining compliance more manageable and less stressful. We’ll help you build a compliant ISMS, monitor your tech stack for vulnerabilities, and manage risks. Schedule a demo to learn more.