Lifecycle of the ISO 27001 Certification Process
In this article, we will detail that lifecycle. Schellman is an ISO Certification Body, meaning we guide our clients through this process routinely, with over 400 ISO 27001 audits in just the last 12 months. Though it may be routine for us, we know it may not be for you, and we want to support you however we can, whether or not you use us for certification.
The ISO 27001 Certification Audit Lifecycle
Initial Certification: 2 Stages of Review
Stage 1 Review
- This stage is more high-level than the next: your auditor reviews your ISMS documentation (scope, policies, risk assessment and Statement of Applicability) but does not yet test whether controls operate effectively in practice. The goal of Stage 1 is to confirm that you are ready to undergo the Stage 2 review.
After you complete Stage 1, you will need to take time to correct and remediate any nonconformities your auditor notes:
- Major nonconformities require an acceptable corrective action plan, evidence of correction, and evidence of remediation before the certificate can be issued.
- Minor nonconformities require only the first two (the plan and evidence of correction) for the certificate to be issued; no remediation evidence is needed at this point.
Note: Although it is not required to issue your certificate, your auditor will evaluate evidence of remediation for any noted minor nonconformities during the next surveillance review in order to formally close them out. (Read on for more on surveillance reviews.)
How this affects your overall timeline is up to you, but expect to spend some time between the two initial certification stages addressing these findings.
Stage 2 Review
- This is the full certification audit: your auditor now tests whether the ISMS you documented in Stage 1 is implemented and whether its controls are operating effectively in practice.
Surveillance Reviews
- Your ISO 27001 certificate is valid for 3 years, but to maintain it, your auditor must return annually during the two calendar years following certification to reassess the continued conformance of your ISMS with the ISO 27001 standard.
- These reviews are less intensive than certification audits because not every element of your ISMS is reviewed; think of them as snapshots of your ISMS. ISMS framework Clauses 4-10 are tested each year, along with a sample of Annex A control activities, and your auditor will also review the action taken on any nonconformities and opportunities for improvement identified during the previous audit.
- Again, your auditor will note any nonconformities and opportunities for improvement against the ISO 27001 standard and your own internal requirements. Nonconformities require corrective action plans and evidence of correction and remediation according to their classification as major or minor. Failing to address them puts your ISO 27001 certificate at risk of becoming inactive.
Recertification Audit
- Before your certificate expires at the end of its 3-year term, your auditor performs a recertification audit that reassesses your ISMS as a whole. By now you can guess the next step: any nonconformities noted during this audit require corrective action plans and evidence of correction and remediation according to their classification as major or minor. Reissuance of your ISO 27001 certificate depends on the correction and remediation of major nonconformities and the correction of minor nonconformities.
- This recertification audit will need to take place every 3 years for as long as you want to maintain your ISO 27001 certification.
Next Steps Towards Your ISO 27001 Certification
ISO 27001 certification can provide strong assurance to your customers and prospects regarding your information security practices, but you now understand how its cyclical and stringent nature makes for a thorough and demanding process.
Still, knowing what to expect from each phase, including what certification bodies like Schellman will evaluate each time they are on-site, will help you set expectations for the process and alleviate some of the stress around what will become routine for you.
Given those demands, you may instead be considering a SOC 2 examination: the two share some overlapping controls, and like ISO 27001, SOC 2 is a widely accepted and popular information security standard. Read more about it here:
But, if you’re set on becoming ISO 27001 certified, you’re likely to have more questions about how your organization can accommodate this process. Reach out to us and we can set up a conversation that will help further shape what your ISO 27001 experience could look like.