ISO 27001 is a rigorous standard, and it can be intimidating to tackle if you’re getting certified for the first time. 

Where do you begin? Which policies and controls will you need? How do you know if you’re ready for an audit?

Understanding the process of getting ISO 27001 certified can help you prepare for a successful audit — and remove a lot of the stress along the way. 

In this post, we’ll explain the ISO 27001 certification process, including what organizations need to do to prepare and what happens during each phase of the certification audit.

Phases of the certification process

The ISO 27001 certification process phases

To achieve ISO 27001 certification, you’ll need to undergo a series of audits. Here’s what you can expect to prepare for and complete your certification.

Phase one: create a project plan 

Who within your organization will oversee the process, set expectations, and manage milestones? How will you get buy-in from company leadership? Will you be hiring an ISO 27001 consultant to help you navigate the process? 

Educating yourself on ISO 27001 standards and its 114 controls is a key part of this process. A great place to start is our in-depth guide to ISO 27001.

Phase two: define the scope of your ISMS 

Each business is unique and houses different types of data. Before building your ISMS, you’ll need to determine exactly what kind of information you need to protect.

For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system. 

Your team will need to discuss what you want to be represented in the scope statement of your ISO 27001 certificate.

Start by asking yourself:

“What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?”

Phase three: perform a risk assessment and gap analysis 

A formal risk assessment is a requirement for ISO 27001 compliance. That means the data, analysis, and results of your risk assessment must be documented. 

To start, consider your baseline for security. What legal, regulatory, or contractual obligations is your company being held to?  

Organizations that don’t have a dedicated compliance manager may choose to hire an ISO consultant to help with their gap analysis and remediation plan. A consultant who has experience working with companies like yours can provide expert guidance to help you meet compliance requirements. However, due to costs, limited availability, and other reasons, many organizations decide against using an external consultant and instead opt for a compliance automation solution backed by a team of compliance managers, like Secureframe. Our compliance managers help guide you through that ISO 27001 certification process so you know exactly what measures to implement to achieve compliance. They can also help you establish best practices that strengthen your overall security posture.

ISO 27001 Risk Assessment Template

Identify high-priority risks and build your remediation plan with this risk assessment template.

Phase four: design and implement policies and controls 

Now that you’ve identified risks, you’ll need to decide how your organization will respond. Which risks are you willing to tolerate, and which do you need to address? 

Your auditor will want to review the decisions you’ve made regarding each identified risk during your ISO 27001 certification audit. You’ll also need to produce a Statement of Applicability and a Risk Treatment Plan as part of your audit evidence. 

The Statement of Applicability summarizes and explains which ISO 27001 controls and policies are relevant to your organization. This document is one of the first things your external auditor will review during your certification audit. 

ISO 27001 Statement of Applicability Template

The ISO 27001 Statement of Applicability explains which Annex A security controls are (and aren’t) applicable to your organization’s ISMS. Download our auditor-approved Statement of Applicability template to simplify the process and ensure compliant documentation. 

The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats you identified during your risk assessment process.

The ISO 27001 standard outlines four actions: 

  • Modify the risk by establishing controls that reduce the likelihood it will occur 
  • Avoid the risk by preventing the circumstances where it could occur 
  • Share the risk with a third party (i.e., outsource security efforts to another company, purchase insurance, etc.) 
  • Accept the risk because the cost of addressing it is greater than the potential damage 

Next, you’ll implement policies and controls in response to identified risks. Your policies should establish and reinforce security best practices like requiring employees to use multi-factor authentication and lock devices whenever they leave their workstations. 

Phase five: complete employee training 

ISO 27001 requires all employees to be trained about information security. This ensures that everyone within your organization understands the importance of data security and their role in both achieving and maintaining compliance. 

Phase six: document and collect evidence 

To get ISO 27001 certification, you’ll need to prove to your auditor that you’ve established effective policies and controls and that they’re functioning as required by the ISO 27001 standard. 

Collecting and organizing all of this evidence can be extremely time-consuming. Compliance automation software for ISO 27001 can eliminate hundreds of hours of busy work by collecting this evidence for you.

Phase seven: complete an ISO 27001 certification audit 

In this phase, an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification.

A certification audit happens in two stages. First, the auditor will complete a Stage 1 audit, where they review your ISMS documentation to make sure you have the right policies and procedures in place.

Next, a Stage 2 audit will review your business processes and security controls. Once Stage 1 and Stage 2 audits are complete, you'll be issued an ISO 27001 certification that's valid for three years.

Phase eight: maintain continuous compliance  

ISO 27001 is all about continuous improvement. You’ll need to keep analyzing and reviewing your ISMS to make sure it’s still operating effectively and maintain compliance. And as your business evolves and new risks emerge, you’ll need to watch for opportunities to improve existing processes and controls. 

The ISO 27001 standard requires periodic internal audits as part of this ongoing monitoring. Internal auditors examine processes and policies to look for potential weaknesses and areas of improvement before an external audit. 

ISO 27001 Compliance Kit

Download this free kit with everything you need to simplify your ISO 27001 readiness work, including an evidence collection spreadsheet, fully customizable policy templates, and a compliance checklist.

The certification audit process

The ISO 27001 certification audit process

  • Stage 1: ISMS Design review
    Review ISMS documentation to make sure policies and procedures are properly designed.
  • Stage 2: Certification audit 
    Review business processes & controls for compliance with ISMS and Annex A requirements.
  • Surveillance audits 
    Ensure your ISO 27001 compliance program is still effective and being maintained.
  • Recertification audit
    At the end of the 3-year certification term, a recertification audit assesses ISMS and Annex A controls for compliance. Recertification is valid for another 3 years. 

Once you've built your ISMS, completed a gap analysis, implemented controls, trained your staff, and collected evidence, you're ready to begin the audit process.

A formal ISO 27001 audit happens in stages:

Stage 1: ISMS Design review 

Review ISMS documentation to make sure policies and procedures are properly designed. 

At this stage, your auditor will make sure your documentation is compliant with the ISO 27001 ISMS requirements listed in clauses 4-10. They will also point out any nonconformities or opportunities to improve your ISMS. 

Once you’ve implemented any suggested changes, you’re ready for your Stage 2 audit. 

Stage 2: Certification audit 

Review business processes and controls to ensure compliance with ISO 27001 ISMS and Annex A requirements. 

This is where your auditor will complete a detailed assessment to determine whether your organization satisfies ISO 27001 requirements. 

Once Stage 1 and Stage 2 are complete, your ISO 27001 certification is valid for three years. 

Surveillance audits 

Within your three-year certification period, you’ll need to conduct ongoing audits. These audits ensure your ISO 27001 compliance program is still effective and being maintained. 

Surveillance audits check to make sure organizations are maintaining their ISMS and Annex A controls properly. Surveillance auditors will also check to make sure any nonconformities or exceptions noted during the certification audit have been addressed. 

Recertification audit

During the last year of the three-year ISO certification term, your organization can undergo a recertification audit.  

Similar to Stage 2, the auditor will complete a detailed assessment to determine whether your organization meets ISO 27001 requirements for process/control design and operating effectiveness. 

After completing the recertification audit, your ISO 27001 certification is valid for another three years. Most organizations spend 6-12 months preparing for and completing an ISO 27001 certification audit. 

The ISO 27001 certification process can feel intimidating — but it doesn’t have to be so overwhelming. This flowchart will help you visualize the ISO 27001 certification process, break it down into manageable steps, and track your progress towards achieving compliance.

ISO 27001 evidence requirements

ISO 27001 requirements: process evidence

During your certification audit, your auditor will need to assess different aspects of your ISMS, including policies, business processes, and supporting evidence.

Here’s a baseline of the documentation you’ll need to provide your auditor

  • ISMS scope
  • Information security policy
  • Information security risk assessment process
  • Information security risk treatment process
  • Statement of Applicability
  • Information security objectives
  • Evidence of competence
  • Security awareness training program and results
  • Results of information security risk assessment
  • Results of information security risk treatment
  • Evidence of monitoring and measurement of results
  • Documented internal audit process
  • Evidence of audit programs and results
  • Evidence of results of management reviews
  • Evidence of non-conformities and remediations
  • Evidence of remediation results 
  • Annex A control activity evidence

Streamline the process with Secureframe

Once you’ve created policies and compiled evidence for your ISO 27001 audit, you’ll likely have hundreds of documents that will need to be collected, cataloged, and updated. And you’ll need to make sure all of your documentation is organized with the right controls and requirements so your auditor can verify everything. 

Secureframe can simplify the heavy-lifting to make the process of preparing for and maintaining compliance more manageable and less stressful. We’ll help you build a compliant ISMS, monitor your tech stack for vulnerabilities, and manage risks. Schedule a demo to learn more.