top of page

WHAT IS THE ISO 27001 CERTIFICATION PROCESS?

Updated: Sep 7

What's an audit like?




 

Contents

 

Achieving ISO 27001 Certification

Achieving ISO 27001 certification is a significant milestone for any organisation, demonstrating a commitment to information security management and adherence to internationally recognised standards.


What does it look like? How does it work? Will I get a badge? All these are explored below as we look at the steps to prepare for certification, the process of selecting a certification body, and the stages involved in the certification audit.


Preparing for Certification

Pre-certification Audits

Organisations should conduct pre-certification audits before undergoing the formal certification audit to ensure their Information Security Management System (ISMS) fully complies with ISO 27001 requirements.


You don't want to head into an official audit and come up massively short. You can do this through two main methods;


  1. Internal Audits

    • Conduct thorough internal audits of the ISMS to identify any gaps or non-conformities.

    • Use checklists and the Statement of Applicability (SoA) to verify that all controls are implemented and effective.

    • Ensure that the internal auditors are competent and independent of the areas being audited to maintain objectivity.


  2. Third-Party Pre-Assessment

    • Engage a third-party consultant to perform a pre-assessment audit. This can provide an external perspective and identify areas that might have been overlooked internally.

    • The pre-assessment audit mimics the certification audit, giving the organisation a realistic view of what to expect and where to improve.

    • Some audit bodies will offer to undertake a gap analysis / pre-assessment as part of their offering.

    • Third-party audits give a different perspective than internal audits. There may be something you've misunderstood or overlooked, so external audits give an unbiased assessment.


The Certification Process

Selecting a Certification Body

Choosing the right certification body is crucial for a smooth and credible process.


I wrote in another article about the types of certification and what those paths look like, but make sure you know what you want and why you want it.


Accreditation

Determine if you need the certification body accredited by a recognised accreditation body, such as UKAS (United Kingdom Accreditation Service) or ANAB (ANSI National Accreditation Board).


Accreditation ensures that the certification body meets international standards for competence and impartiality. This can be very important for some organisations, mainly if you are dealing with governmental contracts.


Experience and Expertise

Evaluate the experience and expertise of the certification body in auditing organisations similar to yours.


Look for certification bodies with a proven track record.


Research the reputation of the certification body and ask for references from other organisations that have been certified by them. Positive feedback from peers can be a good indicator of reliability and quality.


Cost and Flexibility

Consider the certification cost and the certification body's flexibility in scheduling audits. They can differ wildly, depending on who you engage with, so shopping around should be something you consider to get a feel for typical charges.


Clarify any ongoing costs for maintaining your certification once you have it.


Seek to understand how they will handle any remediation work needed on your part to meet the standard if their audit shows gaps and how that might impact any rework or additional costs.

 

Stages of the Certification Audit

The certification audit typically consists of two main stages:


  1. Stage 1 Audit (Documentation Review)

    • Objective: The primary goal of the Stage 1 audit is to review the organisation's documentation to ensure it meets the requirements of ISO 27001.

    • Activities: The auditor will examine the ISMS documentation, including policies, procedures, risk assessments, and the SoA. They will also evaluate whether the ISMS scope is appropriate and aligned with organisational objectives.

    • Outcome: The auditor will provide a report highlighting any areas of concern or non-conformities that must be addressed before the Stage 2 audit.

 

  1. Stage 2 Audit (On-site Assessment)

    • Objective: The Stage 2 audit involves an on-site assessment to verify the implementation and effectiveness of the ISMS.

    • Activities: The auditor will interview staff, observe processes, and review records to ensure the ISMS operates as documented. They will also check the effectiveness of controls and the organisation's ability to meet its information security objectives.

    • Outcome: The auditor will provide a detailed report with findings, including any non-conformities or areas for improvement. If the ISMS is compliant, the auditor will recommend certification.


Common Questions

How long does certification take?

The time required to achieve ISO 27001 certification varies depending on the organisation's size, complexity, and existing information security maturity level. It typically takes several months to a year.


Fast-track certification is possible, but be honest about why you want to do that. It probably won't lead to a robust ISMS.

 

What if I fail an audit?

Most auditors will give you a window of opportunity to fix the issue and provide evidence to them. However, it is worth clarifying with the specific auditor.

 

How long does a certificate last?

Typically, it will be a year, at which point you'll need a re-audit. However, the annual audit is likely against a random selection of the controls rather than an in-depth, step-by-step review of each and every one. So, it's less stressful than the first time.

 

Can 27001 be integrated with other standards?

Yes, ISO 27001 can be integrated with other management system standards, such as ISO 9001 (Quality Management) and ISO 14001 (Environmental Management), using the common high-level structure defined in Annex SL of ISO/IEC Directives. When you look at them, there are many areas that overlap.

 

How does ISO 27001 relate to GDPR?

ISO 27001 provides a framework for managing information security that can help organisations comply with GDPR requirements.


By implementing ISO 27001, organisations can ensure they have the necessary controls to protect personal data and meet GDPR obligations. However, ISO 27001 certification does not mean you are GDPR compliant as a byproduct. It requires careful planning and hard work, specifically regarding data protection requirements.

 

 

 


 

  

Important Notice

This document is provided for personal use only. Commercial or consultative use requires a licence. For detailed terms of use, please visit https://www.iseoblue.com/terms.

 

Comments


image.png

Play Crossy Chicken

Never miss another article.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.