How to Get ISO 27001 Certified? Navigating the ISO 27001 Certification Process

Learn how to navigate the ISO 27001 certification process and prepare for the required audits with this guide. It covers the different audits involved, timeline expectations, and a checklist for a successful certification.

The ISO 27001 Certification Process explained

Once your ISMS is up and running for at least 3 months and you have undergone an internal audit, it's time to engage with an accredited certification body for your ISO 27001 certification.

Note that the choice of an accredited certification body is crucial to the validity and recognition of your ISO 27001 certification.

Ensure that the partner you choose is accredited by one of the major accreditation bodies; these bodies accredit the certification companies that conduct accredited external assessments.
The most well-known and respected accreditation body in the English-speaking world is ANAB, the ANSI National Accreditation Board.

While it is possible to obtain an unaccredited certification from an unaccredited company, or even to self-declare ISO 27001 compliance, this is not recommended because no independent due diligence stands behind it. Such a certification is often not accepted by clients or partners and can even put you at a competitive disadvantage.

Generally, accredited certification bodies have the same basic requirements and perform similar assessments. They also apply the same requirements to their auditors and checklists. However, there are some differences.

But What Are the Differences Between ISO 27001 Certification Bodies?

  • Pricing:
    different certification bodies usually offer different pricing. It is worth comparing quotes before choosing a certification body.
  • Portfolio:
    some certification bodies offer certifications to other standards in addition to ISO 27001. If you need multiple certifications, choose a certification body that offers all of them; combined audits save time and money.
  • Processes, reports, and NC requirements:
    some certification bodies provide more detailed lists of areas for improvement and sometimes even note discrepancies with the standard that are not yet non-conformities (NCs). This lets you act and implement changes before they become actual non-conformities. Choose a certification body whose process and reporting fit your needs.
  • Remote audits:
    some certification bodies do not accept remote audits, while others do. Choosing a certification body that offers remote audits can save time and money.

Once you have selected the certification body you wish to work with, they will typically require some information from you.
They will send an inquiry form that asks for the following details:

ISO 27001 Certification Body Inquiry Form: What Information is Needed?

  • General information about your company, such as its name and headquarters address
  • The number of employees within the scope of the ISMS to determine the audit timing
  • Which standards you are certified in or wish to be certified in
  • Whether you utilize an Integrated Management System (IMS) for managing more than one standard
  • The sites that are within the scope of certification
  • The general scope of certification (which may differ from the scope of the ISMS)
  • Processes used
  • Products and services offered
  • Technology solutions utilized
  • Major outsourced activities

Using this information, the certification body can determine the exact pricing, audit timing, and form of the audit, and schedule the audits with you.

The initial certification process is conducted in two stages: Stage one and Stage two.
After successfully completing the certification process, you will hold the certification for three years, provided you conduct annual surveillance audits.
At the end of the three-year period, you will need to undergo a recertification audit to maintain your certification.

The ISO 27001 Stage 1 Audit


The stage one audit is an essential part of the ISO 27001 certification process, as it provides an opportunity for the certification body to gain an understanding of your organization's management system and assess its readiness for the full audit in stage two.

During this stage of the audit, the certification body will evaluate the scope of your ISMS and ensure that it is consistent with the scope defined in your application.

The stage one audit typically involves a review of your organization's documentation, including policies, procedures, and records related to your information security management system. The certification body will also conduct interviews with key personnel to gain an understanding of your organization's internal and external issues, stakeholders, and risk management processes.

It's important to note that the stage one audit is not a pass or fail assessment, but rather a way for the certification body to gain an understanding of your organization's ISMS and ensure that it is ready for the full audit in stage two. By addressing any areas of concern or improvement identified during the stage one audit, your organization will be better prepared for the stage two audit and have a higher chance of achieving ISO 27001 certification.

The deliverables of a stage 1 audit typically include a report outlining the first assessment of the ISO 27001 clauses. The report may also include recommendations for improvement to ensure that your organization is ready for the full audit in stage two. Additionally, the certification body will provide you with a coherent audit schedule for stage two.

The ISO 27001 Stage 2 Audit


The stage two audit is the actual certification audit, in which the implementation of all controls is analyzed in detail.
It is conducted by the same auditors as the stage one audit.

During the stage two audit, the certification body will examine your organization's ISMS documentation, conduct interviews with staff, and observe processes to determine compliance with the ISO 27001 standard.

Once the audit is complete, the certification body will issue an audit report within a specified timeframe, which is typically within two weeks. This report is a comprehensive document that explains all the findings and declares any observations or non-conformities found during the audit. If any non-conformities are found, your auditor will ask you to provide an Action Plan to address these issues.

This plan will typically involve two parts:

  1. a corrective action intended to correct the immediate problem and when it will be completed, and
  2. a corrective action intended to address the root cause of the non-conformance and when it will be completed.

These plans will be reviewed and accepted or declined by the lead auditor.

If your action plan is accepted, you pass the audit and receive your certificate, which attests to your compliance with ISO 27001.
However, ISO 27001 certification is an ongoing process: you must maintain your ISMS and remediate all non-conformities before the next audit to ensure continued compliance.

ISO 27001 Annual Surveillance Audits


Maintaining your ISO 27001 certification involves undergoing regular surveillance audits by the certification body to ensure that your organization continues to comply with the standard. These surveillance audits are typically conducted once a year, and you will need to demonstrate that you have maintained the effectiveness of your ISMS and addressed any non-conformities found during the previous audit.

The main focus of these audits is to determine whether your organization's management system is actually working in its day-to-day operations. Surveillance audits are usually shorter than the stage 2 audit but longer than the stage 1 audit. The auditor will also focus on minor non-conformities and areas of concern identified in the certification audit or other previous audits, so your organization should have taken corrective action to fix all non-conformities by then.

The ISO 27001 Recertification Audit


After three years, the first certification cycle is complete, and to maintain your certification you will need to undergo a recertification audit.
This audit is similar to the initial stage 2 audit and examines your organization's ISMS in more depth than the surveillance audits do. The reasoning is that a lot may have changed for your company over the past years, and this needs to be accounted for.
The recertification audit reviews all processes in detail and assesses the continual improvement aspect of your ISMS.

Has your ISMS improved in the last few years?
If so, you can be certified for the next cycle. If not, corrective actions will need to be addressed. As with the other audits, you will receive an in-depth report.

Professional Behavior of the ISO 27001 Auditor in the Certification Process


Auditors are expected to conduct themselves with a high degree of professionalism and integrity while carrying out their duties. This includes treating the auditee with respect and courtesy, being impartial and unbiased in their assessments, and maintaining the confidentiality of any sensitive information they come across during the audit.
In the rare event that you encounter an auditor who fails to meet these expectations, there are steps you can take.
First, try to resolve the issue with the auditor directly by raising your concerns and discussing how to address them. If this is not successful, escalate the issue to the auditor's supervisor or to the certification body.
Document any incidents or concerns related to the auditor's conduct, including the date, time, and specific details of the issue. This supports your case if you need to make a formal complaint.

Overall, while instances of unprofessional behavior from auditors are uncommon, it is important to be aware of your options for addressing any issues that do arise.

How Long Does an ISO 27001 Audit Take? Knowing Your Audit Timeline


The duration of an ISO 27001 audit depends on various factors, such as:

  • the size and complexity of your organization,
  • the number of sites and locations included in the audit, and
  • the scope of the audit.

For example, a stage one audit typically takes a few days, while a stage two audit can take several days or even weeks, depending on the size and complexity of your organization.

The time frame for an audit is determined by ISO 27006, which uses the number of employees within the scope of the ISMS to calculate the required audit time. For instance, if your company has 400 employees in the main office and 700 in a side office, but only the headquarters is within the scope, the number of employees to consider is 400.
There are various factors that can either increase or decrease the required audit time.

The following factors increase the audit time of ISO 27001 audits:

  • A highly complex ISMS
  • Additional sites
  • Complicated logistics
  • Staff speaking multiple languages
  • A high number of regulatory requirements

The following factors reduce the audit time of ISO 27001 audits:

  • Being certified to another ISO standard
  • Demonstrating a high confidence level through an established system (over 12 months)
  • Significant exclusions from scope, such as the technology in use
  • Low-risk processes and products
  • High client preparedness

Reminder: The audit time is always measured in so-called "mandays" (auditor days). If two or more auditors take part, the total mandays are divided among them, which shortens the calendar time the audit occupies.

Here is the standard table for determining audit timing from ISO 27006:2015:

  Number of persons doing work under       ISMS audit time for initial audit
  the organization's control               (auditor days)
  1 to 10                                  5
  11 to 15                                 6
  16 to 25                                 7
  26 to 45                                 8.5
  46 to 65                                 10
  66 to 85                                 11
  86 to 125                                12
  126 to 175                               13
  176 to 275                               14
  276 to 425                               15
  426 to 625                               16.5
  626 to 875                               17.5
  876 to 1175                              18.5
  1176 to 1550                             19.5
  1551 to 2025                             21
  2026 to 2675                             22
  2676 to 3450                             23
  3451 to 4350                             24
  4351 to 5450                             25
  5451 to 6800                             26
  6801 to 8500                             27
  8501 to 10700                            28
  more than 10,700                         follow the progression above

Note that a new version of ISO 27006 is currently under development, and the timing may change in 2023.

Practical Example of Determining the ISO 27001 Audit Time:

Let's consider a company with 650 employees and 3 sites. Only the headquarters and one additional site in a different country, together employing 500 people, are within the scope of the ISMS. The company is also ISO 9001 certified, but has a complicated ISMS because the two locations use different policies and procedures.

General Formula:
Total Audit Mandays = Employee days from ISO 27006 + (Increase Audit Time Factors) - (Reduction Audit Time Factors)

Formula:
Total Audit Mandays = Employee days from ISO 27006 + (Site days x site factor) + (Complexity factor) + (Language factor) - (Certification factor)

Measurement Example:

  • Employee days: 500 employees = 16.5 days (refer to the ISO 27006 table)
  • Site days: 1 additional site x site factor 20% = 3.3 days
  • Complexity factor: Complicated ISMS x 20% = 3.3 days
  • Language factor: Multilingual staff x 20% = 3.3 days
  • Certification factor: Already ISO 9001 certified x 20% = 3.3 days

Total Audit Mandays = 16.5 + 3.3 + 3.3 + 3.3 - 3.3 = 23.1 Mandays, rounded to 23 Audit Mandays

Note that this is just an example and the suggested factors may vary between certification bodies.

The Ultimate Checklist for an ISO 27001 Certification Audit


Before the Engagement Starts:
  • Ensure that your ISMS is fully documented and up-to-date.
  • Verify that all required policies and procedures are in place and being followed.
  • Verify that your risk assessment is current and that all identified risks have been addressed through appropriate controls.
  • Make sure that all key processes have been identified and documented.
  • Verify that all required records are in place and up-to-date.
  • Ensure that all employees who are within the scope of the ISMS are aware of their roles and responsibilities.
  • Confirm that all necessary training has been provided to employees on their responsibilities related to the ISMS.
  • Check that all monitoring and measurement activities are being performed as required and are producing accurate results.
  • Verify that all security controls are in place and operating effectively.
  • If applicable, review all previous audit reports and ensure that corrective actions have been completed.
  • If applicable, assess all changes in activities and take action accordingly.

During the Engagement:
  • Ensure that communication channels between the auditor and all relevant personnel are open.
  • Ensure that the audit schedule is up to date.
  • Schedule the audit internally as early as feasible.
  • Ensure that all employees who will be interviewed by the auditor are prepared and know what to expect.
  • Confirm that all employees are aware of the audit and understand their role in supporting it.
  • Make sure that all necessary documentation is available and easily accessible to the auditor.
  • Verify that all audit findings and recommendations are documented and tracked to closure.
  • Once the audit starts, don't panic.

After the Engagement:
  • Review the final audit report to ensure that it accurately reflects the current state of your ISMS.
  • Confirm that all non-conformities have been addressed and that corrective actions have been planned.
  • Verify that all recommendations made by the auditor have been addressed.
  • Ensure that all necessary follow-up actions have been completed and documented.
  • Schedule periodic reviews to ensure ongoing compliance with the ISO 27001 standard.