A Breakdown of the ISO 27001 Certification Process
Published: Mar 2, 2022
Last Updated: Jul 7, 2025
ISO 27001 is the international standard for information security management, providing a structured, risk-based framework for identifying threats, implementing effective security controls, and safeguarding sensitive data. By pursuing ISO 27001 certification, organizations demonstrate their commitment to protecting information assets and managing security risks with intention and discipline. But like other ISO certifications, the holistic nature of ISO 27001 entails a significant commitment, not only in satisfying the standard’s requirements but also in approaching the overall process.
And while it is absolutely worth it to stand up your own ISMS and become certified, knowing exactly what you're getting into before committing to the process makes that decision easier. In this article, we will detail just that. Schellman is an ISO Certification Body, meaning we help our clients through this process consistently, conducting hundreds of ISO 27001 audits annually. Though it may be routine for us, we know the process may not be as familiar for you, and we want to offer support in any way we can, whether you choose to use us for certification or not.
This breakdown of what you can expect during your ISO 27001 certification process will help you anticipate what is coming. This way, you’ll have a better idea of what will be reviewed during each phase of the audit process and thus feel better positioned for a streamlined certification for what is a cyclical process.
The ISO 27001 Certification Audit Lifecycle
We should note that the following outline does not include the specific requirements for an extensive planning and preparation period to get your ISMS functional and compliant. What we’ll explore below is what’s involved when your third-party auditor is on-site doing their review across the four parts of that cyclical process:
Initial Certification: 2 Stages of Review
Stage 1 Review
This first stage is largely an evaluation of your designed ISMS against the requirements of the ISO 27001 standard. ISO 27001 requires a certain level of documentation, and this is where your third-party auditor will check that you have the necessary policies, procedures, processes, and other documents relevant to your ISMS in place.
This stage is more high-level than the next, since your auditor won't dive into the effectiveness of controls in practice (yet). The goal of the Stage 1 audit is to ensure you are ready to undergo the Stage 2 review. Your auditor will be looking for what are referred to as "areas of concern," i.e., a lack of objective evidence that the ISO 27001 standard is being met. If these areas of concern go unaddressed, they will likely materialize into formal nonconformities during Stage 2.
In this stage, your auditor will also be looking for opportunities for improvement to help identify areas that can be enhanced. After you complete the Stage 1 process, you should address any areas of concern that your auditor notes in order to prepare for Stage 2. How this affects your overall timeline will be up to you, but you should expect to spend some time in between the initial certification stages to address areas of concern and demonstrate the effectiveness of the ISMS.
Stage 2 Review
If your ISMS appears well-designed and accounts for all necessary requirements, then it’s time to watch it in action. During this phase, the auditor will evaluate your ISMS to determine if its active practices, activities, and controls are functioning effectively. Your ISMS will be assessed against the requirements of both ISO 27001 and your internal requirements.
During your pre-audit planning, you will have performed a risk assessment of your environment. Those results will have allowed you to form subsequent risk treatment plans, including a statement of applicability that notes which of the control activities within Annex A of ISO 27001 are applicable and support the ISMS.
During Stage 2, ISMS Framework Clauses 4-10 and the controls defined within the statement of applicability will be reviewed to ensure they are operating effectively. For a breakdown of Clauses 4-10, check our ISO 27001 guide. Keep in mind that retaining documented information and relevant records is imperative to your success during Stage 2, as they are the evidence that required practices and activities are being performed.
Similar to Stage 1, the auditor will be looking for nonconformities and opportunities for improvement based upon the ISO 27001 standard and your own defined requirements:
- Major nonconformities require an acceptable corrective action plan, evidence of correction, and evidence of remediation prior to certificate issuance.
- Minor nonconformities require only the corrective action plan and evidence of correction for the certificate to be issued; no remediation evidence is necessary at that point.
Prior to receiving your ISO 27001 certification, corrective action plans and evidence of correction and remediation must be provided for each nonconformity based upon their classification. The time it takes to correct and remediate these nonconformities should be considered when determining the amount of time it will take to obtain your ISO 27001 certification.
Note: Although it is not necessary for the issuing of your certificate, your auditor will evaluate evidence of remediation for any noted minor nonconformities during the subsequent surveillance review (detailed below) to formally close them out.
Annual Surveillance
Once you have your ISO 27001 certification, you must ensure your ISMS continues to perform like a well-oiled machine. That means continuing to perform the activities necessary for its maintenance, monitoring, and improvement (i.e., going back and cycling through everything you did in your pre-audit buildout of your ISMS).
Your ISO 27001 certification is valid for 3 years, but to maintain it, your auditor must return on an annual basis during the two calendar years following certification to reassess the continued conformance of your ISMS to the ISO 27001 standard. That said, these reviews are less intense than certification audits, because not every element of your ISMS may be reviewed. Think of these more as snapshots of your ISMS since only ISMS Framework Clauses 4-10 and a sample of Annex A controls will be tested each year.
Your auditor will also review action taken on any nonconformities and opportunities for improvement identified during the previous audit. Again, your auditor will note any nonconformities and opportunities for improvement based on the ISO 27001 standard and your own internal requirements. The nonconformities will require corrective action plans and evidence of correction and remediation based upon their classification. Failing to address nonconformities puts your ISO 27001 certificate at risk of becoming inactive.
One of the things that makes ISO 27001 such a strong standard is that it necessitates you continue to develop and prioritize your ISMS even when your auditors aren’t on-site for a formal evaluation. This means you’ll need to continue monitoring, documenting any changes, and internally auditing your risks, because when it comes time for your surveillance review, that’s what will be checked.
Recertification
You’ll be required to recertify your ISMS prior to certification expiration (every 3 years). The goal of recertification is to assess that the ISMS has been effectively maintained, that any changes have been properly implemented into the ISMS, and that identified nonconformities and opportunities for improvement are being handled appropriately. Three years is a long time, and a lot can change within your organization. Recertification audits ensure that as these changes have occurred within your organization, you’ve documented the impact on your ISMS and mitigated any new risks.
The recertification will evaluate the entirety of your ISMS, which includes ISMS Framework Clauses 4-10 and each applicable Annex A control. By now you can guess the next step—any noted nonconformities during this process will require corrective action plans and evidence of correction and remediation based upon their classification as major or minor.
Reissuance of your ISO 27001 certificate is dependent on the correction and remediation of major nonconformities and the correction of minor nonconformities. This recertification audit will need to take place every 3 years for as long as you want to maintain your ISO 27001 certification.
Next Steps Towards Your ISO 27001 Certification
ISO 27001 certification can provide strong assurance to your customers and prospects regarding your information security practices, and you now understand how its cyclical and stringent nature makes for a thorough and demanding process. Still, knowing what to expect from each phase, including what certification bodies like Schellman will evaluate each time they're on-site, will help you set expectations for the process and alleviate some of the stress surrounding what will become routine for you.
Given the demands of that process, you may consider a SOC 2 examination instead; there are some overlapping controls, and like ISO 27001, SOC 2 is a widely accepted and popular information security standard. Read more about it here:
- SOC 2 vs. ISO 27001: Key Similarities, Differences, and Strategies to Merge Both
- 3 Benefits to Getting a SOC 2 Report
But if you're determined to become ISO 27001 certified, you're likely to have more questions about how your organization can accommodate this process. Contact us and we can set up a conversation to help further shape what your ISO 27001 experience could look like.
And in the meantime, you can discover additional ISO 27001 tips and insights in these helpful resources:
- An Overview of ISO 27001: Key Principles, Benefits, and Implementation
- ISO 27001: Management’s Role and Strategies to Secure Their Support
- ISO 27001 Certification: How to Determine Your Scope
- ISO 27001 Third-Party Risk Management Requirements
- How to Create Efficiencies in Your ISO 27001 Certification
About Jenelle Tamura
Jenelle Tamura is a Manager with Schellman Compliance and has 9+ years of professional experience in IT assurance and compliance, including auditing, information security, and cloud compliance. Jenelle is focused primarily on leading ISO 27001, ISO 42001, ISO 9001, SOC 2, and CSA STAR projects to help organizations meet security and compliance standards.