866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

A Breakdown of the ISO 27001 Certification Process Blog Feature
Jenelle Tamura

By: Jenelle Tamura

Print/Save as PDF

A Breakdown of the ISO 27001 Certification Process

ISO Certifications | ISO 27001

Published: Mar 2, 2022

Last Updated: Jul 7, 2025

ISO 27001 is the international standard for information security management, providing a structured, risk-based framework for identifying threats, implementing effective security controls, and safeguarding sensitive data. By pursuing ISO 27001 certification, organizations demonstrate their commitment to protecting information assets and managing security risks with intention and discipline. But like other ISO certifications, the holistic nature of ISO 27001 entails a significant commitment, not only in satisfying the standard’s requirements but also in approaching the overall process.  

And while it is absolutely worth it to stand up your own ISMS and become certified, it helps your decision to know exactly what you’re getting into ahead of committing to the process. In this article, we will detail just that. Schellman is an ISO Certification Body, meaning we help our clients through this process consistently, conducting hundreds of ISO 27001 audits annually. Though it may be routine for us, we know the process may not be as familiar for you, and we want to offer support in any way we can– whether you choose to use us for certification or not. 

This breakdown of what you can expect during your ISO 27001 certification process will help you anticipate what is coming. This way, you’ll have a better idea of what will be reviewed during each phase of the audit process and thus feel better positioned for a streamlined certification for what is a cyclical process. 

The ISO 27001 Certification Audit Lifecycle 

We should note that the following outline does not include the specific requirements for an extensive planning and preparation period to get your ISMS functional and compliant. What we’ll explore below is what’s involved when your third-party auditor is on-site doing their review across the four parts of that cyclical process: 

Initial Certification: 2 Stages of Review 

Stage 1 Review 

This first stage is largely an evaluation of your designed ISMS against the requirements of ISO 27001 standard. ISO 27001 requires a certain level of documentation, and this is where your third-party auditor will check that you have the necessary policies, procedures, processes, and other documents relevant to your ISMS in place.  

This stage is more high-level than the next since your auditor won’t dive into the effectiveness of controls in practice (yet). The goal of the Stage 1 audit is to ensure you are ready to undergo the Stage 2 review. Your auditor will be looking for what is referred to as “areas of concern” i.e., lack of objective evidence to meet the ISO 27001 standard. If these areas of concern go unaddressed, they can or will likely materialize into formal nonconformities during the Stage 2. 

In this stage, your auditor will also be looking for opportunities for improvement to help identify areas that can be enhanced. After you complete the Stage 1 process, you should address any areas of concern that your auditor notes in order to prepare for Stage 2. How this affects your overall timeline will be up to you, but you should expect to spend some time in between the initial certification stages to address areas of concern and demonstrate the effectiveness of the ISMS. 

Stage 2 Review 

If your ISMS appears well-designed and accounts for all necessary requirements, then it’s time to watch it in action. During this phase, the auditor will evaluate your ISMS to determine if its active practices, activities, and controls are functioning effectively. Your ISMS will be assessed against the requirements of both ISO 27001 and your internal requirements.  

During your pre-audit planning, you will have performed a risk assessment of your environment. Those results will have allowed you to form subsequent risk treatment plans, including a statement of applicability that notes which of the control activities within Annex A of ISO 27001 are applicable and support the ISMS. 

During the Stage 2, ISMS Framework Clauses 4-10 and those controls defined within the statement of applicability will be reviewed to ensure they are operating effectively. For a breakdown of clauses 4-10, check our ISO 27001 guide. Keep in mind that retaining documented information and relevant records is imperative to your success during the Stage 2, as they are evidence that required practices and activities are being performed. 

Similar to the Stage 1, the auditor will be looking for nonconformities and opportunities for improvement based upon the ISO 27001 standard and your own defined requirements:

  • Major nonconformities require an acceptable corrective action plan, evidence of correction, and evidence of remediation prior to certificate issuance.
  • Minor nonconformities only require those first two to issue the certificate—no remediation evidence necessary. 

Prior to receiving your ISO 27001 certification, corrective action plans and evidence of correction and remediation must be provided for each nonconformity based upon their classification. The time it takes to correct and remediate these nonconformities should be considered when determining the amount of time it will take to obtain your ISO 27001 certification.  

Note: Despite it not being necessary for the issuing of your certificate, your auditor will take the time to evaluate evidence of remediation for any noted minor nonconformities during the subsequent surveillance review (detailed below) to formally close them out.  

Annual Surveillance 

Once you have your ISO 27001 certification, you must ensure your ISMS continues to perform like a well-oiled machine. That means continuing to perform the activities necessary for the continued maintenance, monitoring, and improvement (e.g., go back and cycle through everything you did in your pre-audit buildout of your ISMS). 

Your ISO 27001 certification is valid for 3 years, but to maintain it, your auditor must return on an annual basis during the two calendar years following certification to reassess the continued conformance of your ISMS to the ISO 27001 standard. That said, these reviews are less intense than certification audits, because not every element of your ISMS may be reviewed. Think of these more as snapshots of your ISMS since only ISMS Framework Clauses 4-10 and a sample of Annex A controls will be tested each year.  

Your auditor will also review action taken on any nonconformities and opportunities for improvement identified during the previous audit. Again, your auditor will note any nonconformities and opportunities for improvement based on the ISO 27001 standard and your own internal requirements. The nonconformities will require corrective action plans and evidence of correction and remediation based upon their classification. Failing to address nonconformities puts your ISO 27001 certificate at risk of becoming inactive. 

One of the things that makes ISO 27001 such a strong standard is that it necessitates you continue to develop and prioritize your ISMS even when your auditors aren’t on-site for a formal evaluation. This means you’ll need to continue monitoring, documenting any changes, and internally auditing your risks, because when it comes time for your surveillance review, that’s what will be checked.

Recertification 

You’ll be required to recertify your ISMS prior to certification expiration (every 3 years). The goal of recertification is to assess that the ISMS has been effectively maintained, that any changes have been properly implemented into the ISMS, and that identified nonconformities and opportunities for improvement are being handled appropriately. Three years is a long time, and a lot can change within your organization. Recertification audits ensure that as these changes have occurred within your organization, you’ve documented the impact on your ISMS and mitigated any new risks. 

The recertification will evaluate the entirety of your ISMS, which includes ISMS Framework Clauses 4-10 and each applicable Annex A control. By now you can guess the next step—any noted nonconformities during this process will require corrective action plans and evidence of correction and remediation based upon their classification as major or minor.  

Reissuance of your ISO 27001 certificate is dependent on the correction and remediation of major nonconformities and the correction of minor nonconformities. This recertification audit will need to take place every 3 years for as long as you want to maintain your ISO 27001 certification. 

Next Steps Towards Your ISO 27001 Certification 

ISO 27001 certification can provide strong assurance to your customers and prospects regarding your information security practices, and you now understand how its cyclical and stringent nature makes for a thorough and demanding process. Still, your knowledge now of what to expect from each phase–including what certification bodies like Schellman will evaluate each time they’re on-site–will help you set expectations for said process and alleviate some stress surrounding what will become routine for you. 

For that reason, you may consider a SOC 2 examination instead–there are some overlapping controls there and like ISO 27001, SOC 2 is also a widely accepted and popular information security standard. Read more about it here: 

But, if you’re determined to become ISO 27001 certified, you’re likely to have more questions about how your organization can accommodate this process. Contact us and we can set up a conversation which will help further shape what your ISO 27001 experience could look like.  

And in the meantime, you can discover additional ISO 27001 tips and insights in these helpful resources:  

About Jenelle Tamura

Jenelle Tamura is a Manager with Schellman Compliance and has 9+ years professional in IT assurance and compliance with experience in auditing, information security, and cloud compliance. Jenelle is focused primarily on leading ISO 27001, ISO 42001, ISO 9001, SOC 2, and CSA STAR projects to help organizations meet security and compliance standards.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.