ISO 27001 Certification Process Explained

What does an ISO 27001 Audit & Certification Process Look Like?


Achieving ISO 27001 certification is a structured and rigorous process that demonstrates an organisation’s commitment to information security and to best practice in data management.

Certification involves several key steps, particularly emphasising the auditing process and selecting the right auditor, which is crucial for establishing, maintaining, and continually improving an effective Information Security Management System (ISMS).

ISO 27001:2022 certification helps manage security threats and builds trust with stakeholders by demonstrating a dedication to safeguarding information assets.

ISO 27001 Certification Process

Engaging an accredited certification body to conduct a thorough audit is a critical step in the certification process.

The certification audit typically (depending on the auditing organisation) involves two main stages, each designed to evaluate different aspects of the ISMS to ensure the system is comprehensive and fully operational:

Stage 1 Audit

This initial stage focuses on reviewing ISMS documentation to ensure that all policies, procedures, and frameworks are properly designed and aligned with ISO 27001 requirements.

The auditor will verify that the documented processes reflect the organisation’s objectives, are appropriately scoped, and are comprehensive enough to mitigate potential information security risks.

During this stage, the auditor will also identify gaps that must be addressed before proceeding to Stage 2, allowing the organisation to make necessary adjustments.

Stage 2 Audit

In this second stage, the auditor assesses the actual implementation and effectiveness of the ISMS and the associated controls. This stage is more practical and involves observing operational processes, interviewing staff at all levels, and verifying records to ensure that the security controls are implemented effectively and consistently.

The auditor will check that all personnel understand their roles and responsibilities related to information security and that the controls are functioning as intended in day-to-day operations.

Upon successful completion of both stages, the organisation is awarded ISO 27001 certification. This certification is typically valid for three years, during which time continued adherence to the standards must be demonstrated.

How to Choose the Right ISO 27001 Auditor

Selecting the right certification body is a significant decision that directly impacts the success of the ISO 27001 certification process.

Choosing a qualified auditor ensures that the evaluation is both thorough and constructive.

Here are some key considerations for choosing an auditor:

Accreditation


Ensure that a recognised national accreditation body accredits the certification body. In the UK, this means selecting an auditor accredited by the United Kingdom Accreditation Service (UKAS).

UKAS is the sole national accreditation body recognised by the UK government to assess organisations that provide certification, testing, inspection, and calibration services against internationally agreed-upon standards.

UKAS accreditation provides assurance that the auditor meets high standards of competence, impartiality, and performance, which is critical for a successful certification process.

Accreditation guarantees that the auditor is competent, impartial, and capable of delivering a reliable and thorough assessment.

Accredited auditors have undergone rigorous training and evaluation, providing additional confidence in the quality of the audit process.


Industry Experience

Look for an auditor with relevant experience in the industry.

An auditor who understands the specifics of your industry can provide more practical insights and identify areas for improvement that are particularly relevant to your sector.

For example, if your organisation operates in healthcare or finance, an auditor with experience in those fields will be more attuned to industry-specific challenges and regulatory requirements.


Reputation and Reviews

Consider the certification body’s reputation and seek references or reviews from other organisations using its services.

A reputable auditor can streamline the certification process and offer valuable guidance on best practices. Look for auditors with a track record of professionalism, reliability, and constructive feedback that helps organisations improve their ISMS.


Audit Approach

It is important to understand the certification body’s audit approach. Some auditors may take a more collaborative approach, providing constructive feedback, while others might be strictly compliance-focused.

Choosing an auditor whose approach aligns with your organisation’s culture can lead to a more positive certification experience.

A collaborative auditor can help identify opportunities for improvement, while a compliance-focused auditor will ensure rigorous adherence to standards.


Cost and Availability

It is also important to consider the audit’s cost and the auditor’s availability. Costs can vary widely depending on the complexity of the ISMS and the size of the organisation, and availability may impact the timing of your certification.

Ensure the auditor’s schedule aligns with your project timeline to avoid unnecessary delays.


10 Questions to Ask Prospective Auditors

To help you, I’ve collated ten key questions to ask any auditing organisation you are evaluating, to see whether it is the right fit for you:

  • Are you accredited by a recognised accreditation body, such as UKAS in the UK?
  • What experience do you have in our industry, and can you provide examples of similar clients?
  • How do you approach the audit process—would you describe your style as collaborative or strictly compliance-based?
  • Can you provide references or testimonials from past clients?
  • How do you handle conflicts of interest during the audit process?
  • What type of follow-up support do you provide after the audit is completed?
  • How flexible is your audit schedule, and can it accommodate our project timelines?
  • What is your fee structure, and are there any potential hidden costs we should be aware of?
  • How do you stay up-to-date with changes in ISO 27001 and related standards?
  • What kind of non-conformities have you seen commonly arise during audits, and how do you help organisations address them?

Ongoing Surveillance and Recertification

Once certified, maintaining the ISMS is an ongoing and dynamic process that requires continual attention and improvement.

Regular surveillance audits, typically conducted annually, are necessary to ensure ongoing compliance and identify opportunities for improvement. These audits involve verifying that the ISMS remains effective and up-to-date, and that the organisation is fully committed to continuous improvement.

Surveillance Audits

During these audits, the certification body will revisit the organisation to assess whether the ISMS meets the requirements of ISO 27001.

The focus is on ensuring that controls are effectively maintained, any new risks are properly managed, and organisational changes are appropriately reflected in the ISMS.

Surveillance audits help organisations stay vigilant against emerging threats and adapt their ISMS to the evolving security landscape. By identifying minor issues early, surveillance audits prevent them from becoming major compliance problems.

Recertification Audit

A recertification audit is conducted at the end of the three-year certification cycle. This audit is similar to the initial certification audit and involves a comprehensive review of the ISMS to confirm that it continues to meet ISO 27001 standards.

Successful completion of this audit extends the certification for another three years.

Recertification audits help verify that the organisation’s ISMS has been effectively managed and that there is a culture of continuous improvement within it. They demonstrate that the organisation has not only maintained its ISMS but also adapted to changes in the environment, technology, and regulatory landscape.

The Importance of Continuous Improvement

The Plan – Do – Check – Act Improvement Cycle

Achieving ISO 27001 certification is not a one-time effort; it is the beginning of a journey towards continually improving an organisation’s security posture.

Continuous improvement is a cornerstone of the ISO 27001 framework, encouraging organisations to regularly evaluate and enhance their ISMS to respond to new challenges and threats. This includes staying updated on emerging risks, adopting new technologies, and incorporating feedback from internal and external audits.

Organisations can anticipate potential risks and effectively protect their valuable information assets by maintaining an active approach to information security.

By focusing on a robust auditing process and selecting an experienced, reputable auditor, organisations can effectively achieve and maintain ISO 27001 certification. This will enhance their information security posture and demonstrate a commitment to protecting sensitive information. It will also help comply with regulatory requirements and instil confidence among customers, partners, and stakeholders that their data is handled with the utmost care and security.

ISO Planner – ISO 27001 Certification Step-by-Step Guide

What is the process to get ISO 27001 certification?

The ISO 27001 certification process involves engaging an accredited auditor to conduct a two-stage audit. Stage 1 assesses the organisation’s documentation and identifies gaps against ISO standards. Stage 2 evaluates the practical implementation and effectiveness of the ISMS through observation, interviews, and record-checking. Successful completion of these audits leads to certification, which must be maintained through annual surveillance audits and recertification every three years.

What are the 6 stages of the ISO 27001 certification process?

The six key stages of the ISO 27001 certification process are:

1) Preparation and Planning: Establish scope and objectives.
2) Gap Analysis: Identify gaps against ISO 27001 requirements.
3) ISMS Implementation: Implement policies, procedures, and controls.
4) Stage 1 Audit: Review documentation and identify any remaining gaps.
5) Stage 2 Audit: Assess practical implementation and effectiveness.
6) Ongoing Maintenance: Conduct regular surveillance audits and periodic recertification to maintain compliance and continuous improvement.

How can I get ISO 27001 certified?

To achieve ISO 27001 certification:
– Establish and document an Information Security Management System (ISMS).
– Engage an accredited certification body to conduct Stage 1 and Stage 2 audits.
– Correct any identified issues or non-conformities.
– Obtain certification after successful audits.
– Maintain certification by regularly reviewing and updating the ISMS, undergoing annual surveillance audits, and completing recertification audits every three years.

Additional Reading

For more information on ISO 27001, I suggest the following articles:

How To Write an ISO 27001 Project Plan

How To Perform an ISO 27001 Gap Analysis

ISO 27001 Costs of Certification

Building an ISO 27001 Business Case


Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
