ISO 27001 Certification Process Explained
Getting ready for your ISO 27001 audit can feel daunting — but once you understand the process, it’s far less intimidating. The audit is designed to confirm that your organisation’s information security management system (ISMS) meets the standard’s requirements and operates effectively in practice.
This guide takes you through each step of the ISO 27001 certification journey, outlining the key audits, assessments, and preparations involved.
Whether you’re aiming for first-time certification or maintaining it year after year, this guide explains what happens at each stage — and what auditors are really looking for.
A note: This guide is designed around UKAS-style Stage 1 and Stage 2 audits. Not all ISO 27001 certifications are staged, and it is entirely possible to find a certification body that will certify you in one go. However, most certifications follow the two-stage process outlined here.
Overview: How the ISO 27001 Certification Process Works
The ISO 27001 certification process consists of two stages of audits and typically spans a three-year cycle.
The process begins with two formal audits conducted by an accredited certification body, Stage 1 and Stage 2. These are followed by annual surveillance audits and a full recertification audit at the end of the cycle.
- Stage 1 Audit (First Stage): This is a documentation review to assess the organisation’s readiness for certification. A gap analysis is often conducted before the first stage to identify deficiencies and ensure the organisation is prepared for the audit.
- Stage 2 Audit: This stage is conducted in greater depth and involves a more thorough assessment of operational processes, controls, and evidence to verify compliance.
- Annual Surveillance Audits: These audits are conducted at the end of Years 1 and 2 to ensure continued compliance and maintain your certification.
- Recertification Audits: A comprehensive evaluation, similar to Stage 2, is conducted every three years to assess ongoing compliance and address any process deterioration.
All these audits follow the same process and are based on consistent principles and procedures.
Let’s look at each stage in detail.

Internal Audit – Your First Line of Defence
Internal audits are a vital part of maintaining an effective ISMS and ensuring ongoing compliance with ISO 27001. These audits involve reviewing your organisation’s documentation, procedures, and processes to verify that they align with both your ISMS and the standard’s requirements.
Regular internal audits are a mandatory requirement of the standard, and they let you proactively identify weaknesses, nonconformities, and opportunities to improve your management system.
The internal audit process is designed to be independent and objective, providing valuable feedback to process owners and management.
Findings from internal audits should drive corrective actions and inform management reviews, supporting continual improvement and helping your organisation stay audit-ready for external assessments. Ultimately, internal audits are your first line of defence in maintaining the effectiveness and resilience of your information security management system.
The fact is, the internal audits help you know you are in good shape for your external audits, so you don’t want to cut corners.
Stage 1 Audit – Documentation and Readiness Review
The Stage 1 audit is your organisation’s first formal interaction with the certification body. It is primarily a documentation review that may be completed on-site, remotely, or through a hybrid approach, with the focus on confirming that your ISMS is ready for a full certification assessment.
Auditors will review your documentation, scope, and foundational processes, making sure the framework of your ISMS exists and makes sense for your organisation. During this stage, auditors will check for required documented information as evidence of compliance with ISO 27001 requirements.
Expect auditors to check that:
- Your ISMS scope is clearly defined and appropriate.
- Key policies, such as your Information Security Policy and Risk Assessment Methodology, are documented and approved.
- Mandatory documents (from Clauses 4–10) are in place and up to date as part of your documented information.
- Internal audits and management reviews have been conducted, with the documentation retained as evidence.
- Any identified gaps have an improvement plan in place.
You’ll receive a Stage 1 report highlighting any issues to address before moving to Stage 2. Think of it as a pre-flight check — you’re ensuring everything’s in order before take-off.
Stage 2 Audit – Operational Evidence and Effectiveness
Stage 2 is the main event — the certification audit itself.
Here, the certification body audits your organisation’s key processes and controls to verify compliance. Auditors test how well your ISMS actually works in practice.
They’ll look for evidence that your policies and controls are being followed day to day through interviews, document samples, and observation. The audit also assesses your organisation’s approach to data security within the ISMS.
Expect auditors to:
- Interview staff at all levels to confirm awareness and practical understanding.
- Review risk assessments, treatment plans, and the Statement of Applicability.
- Examine operational records, including access reviews, incident logs, and training records.
- Sample key controls from Annex A (e.g. backup procedures, access management, supplier reviews).
- Review key processes and assess how effectively the controls protecting your data have been implemented.
- Confirm that continual improvement processes are active and that management oversight is evident.
At the end of Stage 2, you’ll receive a report summarising conformities, minor nonconformities, and any major nonconformities. Organisations must take corrective action to address any major nonconformities before certification is granted. Once all findings are addressed, you’ll be recommended for certification.
In more detail, after a Stage 2 audit the certification body (CB) issues an audit report listing any nonconformities (NCs) found:
- Minor nonconformities usually need to be corrected within about 30 to 90 days.
- The exact period depends on the certification body’s policy and the severity or number of findings.
- You’ll typically need to provide evidence of correction and corrective action (e.g. updated procedures, training records, or risk assessments).
- The CB will review and verify these corrective actions before granting certification.
If the auditor is satisfied that the issues have been properly addressed (even if the actions are still being implemented), certification can usually proceed.
Major & Minor Nonconformities Explained
So, there are two types of nonconformities, major and minor, which are explained in more detail below.
Auditors can also make recommendations, called ‘opportunities for improvement’ (OFIs). These should be considered, but they do not have to be implemented.
🧭 Typical timeline example
| Type | Action required | Typical closure window | Certification impact |
|---|---|---|---|
| Minor | Implement corrective action and provide evidence; may need follow-up audit | 30–90 days | Certification may proceed once accepted |
| Major | Implement corrective action and provide evidence; may need follow-up audit | 30–60 days (varies) | Certification on hold until resolved |
⚠️ Major nonconformities
A major nonconformity means a serious failure — for example, a missing core control, a complete lack of risk assessment, or systemic noncompliance.
- You can fail the audit immediately if there’s a major nonconformity that compromises the Information Security Management System (ISMS) as a whole.
- More commonly, certification is put on hold rather than outright failing. You’ll be given a defined period (often 30–60 days) to implement corrective actions.
- The CB will typically require a follow-up audit or evidence review to confirm the issue is resolved.
If you don’t close the major NC in the agreed timeframe, certification cannot be granted — you’d need a re-audit before proceeding.
Examples of Major Nonconformities
| Category | Example | Why it’s major |
|---|---|---|
| Core ISMS missing | No documented risk assessment or risk treatment plan. | The ISMS cannot function without these — they’re fundamental requirements. |
| Scope issues | The defined scope excludes key assets, systems, or processes without justification. | The ISMS doesn’t cover all relevant areas of the business. |
| Unimplemented controls | Claimed Annex A controls not implemented (e.g. no access control, no backups, no incident management). | Indicates the ISMS is not operating as stated. |
| Internal audit failure | No internal audit has been carried out before the certification audit. | An internal audit is mandatory for certification readiness. |
| Management review not done | The management review is either not carried out or lacks key inputs/outputs. | The leadership oversight mechanism is absent. |
| Legal/compliance gaps | No process to identify and manage compliance obligations (e.g. GDPR, contracts). | The ISMS cannot ensure compliance with external requirements. |
⚙️ Minor Nonconformities
A minor nonconformity means a specific weakness or lapse in following a requirement — but not one that undermines the ISMS as a whole.
Some auditors score nonconformities as points, so that, for example, three minors add up to one major.
Examples of Minor Nonconformities
| Category | Example | Why it’s minor |
|---|---|---|
| Documentation gaps | A policy not reviewed on time; missing version control. | The system still works — just needs improvement. |
| Training | One or two employees missing awareness training records. | Not systemic — can be fixed quickly. |
| Asset inventory | One or two assets missing from the inventory. | Not a structural failure. |
| Access control | Access reviews not performed on schedule. | Process exists but not fully followed. |
| Corrective actions | Some corrective actions not tracked through to completion. | ISMS is still functioning but needs tightening. |
Surveillance Audits – Maintaining Your Certification
ISO 27001 certification doesn’t end with Stage 2. To remain certified, your organisation must undergo annual surveillance audits, external audits conducted by the certification body, typically in years one and two after certification.
These external audits are shorter than the main audit and focus on ensuring your ISMS continues to operate effectively.
Auditors will typically review:
- Progress against previous findings.
- Updates to your risk assessment or Statement of Applicability.
- Evidence of regular internal audits and management reviews.
- Changes to your organisation, technology, or scope.
Surveillance audits are your opportunity to demonstrate continuous improvement and keep your ISMS aligned with business changes. Maintain readiness and gather evidence throughout the year rather than scrambling before each visit, and each surveillance audit becomes straightforward.
Recertification – Every Three Years

Every 3 years, your certification body will conduct a recertification audit — during this process, your ISMS is audited in depth, similar to your original Stage 2 audit. This confirms your ISMS remains effective, current, and compliant with the latest version of the standard.
To ensure recertification is straightforward, organisations should be continually improving their ISMS, making adjustments and enhancements as needed. Most organisations find it far easier than their initial certification, as processes and evidence are now embedded in day-to-day operations.
Audit Report – What to Expect After the Audit
Once an audit is completed, your organisation will receive a comprehensive audit report from the auditor. This report details the audit scope, summarises the processes and procedures reviewed, and outlines any findings—such as nonconformities or opportunities for improvement. The audit report will also include recommendations for corrective actions to address any identified issues.
It’s essential to carefully review the audit report and implement the recommended corrective actions to enhance the effectiveness of your ISMS. The audit report serves as a roadmap for continual improvement, helping your organisation maintain its ISO 27001 certification and strengthen its information security posture over time.
Certification Bodies – Who Grants Your ISO 27001 Certificate
ISO 27001 certification is granted by independent, accredited certification bodies. These organisations are responsible for conducting the certification audit, which includes both Stage 1 and Stage 2 audits, to assess your ISMS documentation, processes, and procedures against the requirements of the standard.
Most certification bodies are themselves accredited by recognised authorities, ensuring their assessments are impartial and meet international standards (e.g. UKAS accreditation in the UK).
Once your organisation completes the two-stage certification audit, the certification body will issue your ISO 27001 certificate, valid for 3 years. To maintain certification, the certification body will conduct annual surveillance audits to review your ongoing compliance and the effectiveness of your ISMS. This process ensures that your organisation continues to meet ISO 27001 requirements throughout the certification cycle.
What ISO 27001 Auditors Are Looking For
Across all audit stages, thorough preparation is the key to success. Auditors aren’t trying to catch you out; they’re assessing whether your ISMS is fit for purpose, effectively implemented, and driven by continual improvement.
They’ll expect to see:
- Clear links between identified risks and implemented controls.
- Evidence that your management team is engaged and informed.
- A living ISMS — updated, reviewed, and improved over time.
If your documentation or Statement of Applicability says you do something, you’ll need to prove that you do it.
Organisations that embed good practices, maintain proper documented information, and build audit preparation into daily routines are the ones that pass ISO 27001 audits and stay ready for the next one.
In short, they want to see that information security is not just a box-ticking exercise, but an integral part of how your organisation operates.
Benefits of ISO 27001 Certification
Achieving ISO 27001 certification offers significant benefits for organisations of all sizes and sectors. Certification demonstrates your commitment to managing information security risks and protecting your information assets, thereby enhancing customer trust and opening doors to new business opportunities. It also provides a competitive edge by showing that your organisation meets internationally recognised standards for information security management.
ISO 27001 certification supports compliance with regulatory requirements and industry best practices, reducing the risk of non-compliance and potential penalties. The certification process itself encourages continual improvement, helping organisations identify and address weaknesses in their management system. By maintaining ISO 27001 certification, you ensure the confidentiality, integrity, and availability of your information assets—essential for business continuity, reputation, and long-term success.
Prepare with Confidence
Understanding the ISO 27001 audit process helps you approach it with confidence. Preparation is key — and having the right documentation and evidence in place makes a world of difference.
If you’re at the start of your journey, my ISO 27001 Toolkit gives you all the mandatory documents and templates you’ll need to build your ISMS and get audit-ready.
Or, if you’d prefer hands-on guidance, consider booking a discovery call to discuss how we can get your business certified in under 90 days.
“…We sailed through our assessment. Highly recommend!” – HelpTheMove, UK
