ISO 27001 certification is a structured process with defined stages, but the path from decision to certificate is rarely linear. Organizations underestimate the documentation requirements, overestimate their current maturity, and discover scope creep midway through implementation. Here is what the process actually looks like, based on our experience helping companies prepare.
Phase 1: Gap Analysis and Scoping
Before committing to certification, conduct a gap analysis against the ISO 27001 standard. This assessment compares your current security posture to the requirements of Clauses 4 through 10 and the 93 Annex A controls. The output is a prioritized list of gaps that need to be addressed before your certification audit.
Scoping defines the boundaries of your Information Security Management System (ISMS). You need to determine which business processes, systems, locations, and personnel are included. A narrower scope reduces the implementation effort but must still cover the systems and processes that matter to your customers and stakeholders. Most SaaS companies scope their ISMS to their cloud infrastructure, development processes, and customer data handling.
Common mistake: Scoping too broadly in an attempt to impress customers. An ISMS that covers your entire organization including HR, facilities, and departments that do not handle sensitive data creates unnecessary compliance burden. Start with a focused scope covering your core product and customer data, then expand in subsequent audit cycles.
Phase 2: ISMS Implementation
Implementation involves building the management system itself: policies, procedures, risk assessment, controls, and the governance structure that ties them together. This is the most time-consuming phase.
Required documentation
- ISMS scope statement defining the boundaries and applicability of the management system
- Information security policy signed by top management demonstrating commitment
- Risk assessment methodology defining how risks are identified, analyzed, evaluated, and treated
- Risk treatment plan documenting selected controls and implementation timelines
- Statement of Applicability (SoA) listing all 93 Annex A controls with justification for inclusion or exclusion
- Internal audit procedure defining how internal audits are planned and conducted
- Management review process for periodic review of ISMS performance
Phase 3: Risk Assessment
The risk assessment is the foundation of your ISMS. Clause 6.1 requires you to identify information security risks, analyze their likelihood and impact, evaluate them against your risk criteria, and determine appropriate treatment. Your risk assessment methodology must be documented and repeatable.
The risk treatment plan maps identified risks to specific controls from Annex A (or other control sets). Each control selection must be justified, and the residual risk after treatment must be formally accepted by management.
Phase 4: Stage 1 Audit
The Stage 1 audit is a documentation review conducted by your chosen certification body. The auditor reviews your ISMS documentation to verify that your management system design meets the requirements of the standard. They check your scope, policies, risk assessment, Statement of Applicability, and internal audit results.
Stage 1 typically takes one to two days on-site or via video conference. The auditor will identify any major gaps that must be addressed before Stage 2. Common Stage 1 findings include incomplete risk assessments, missing mandatory procedures, and SoA entries without adequate justification.
Phase 5: Stage 2 Audit
Stage 2 is the implementation audit. The auditor verifies that your documented controls are actually implemented and operating effectively. This involves interviews with staff, review of evidence (logs, records, tickets), observation of processes, and testing of technical controls.
| Audit Stage | Focus | Duration | Outcome |
|---|---|---|---|
| Stage 1 | Documentation review, ISMS design | 1-2 days | Readiness confirmation or gap list |
| Stage 2 | Implementation verification, evidence review | 3-5 days | Certification recommendation or nonconformities |
| Surveillance (annual) | Ongoing compliance, continuous improvement | 2-3 days | Continued certification or corrective actions |
| Recertification (3 years) | Full reassessment of ISMS | 3-5 days | Certificate renewal |
After Certification: Surveillance and Recertification
An ISO 27001 certificate is valid for three years, but keeping it requires annual surveillance audits. Each surveillance audit reviews a subset of your ISMS, so that the full scope is covered over the three-year cycle. At the end of the three years, a full recertification audit is required.
The ongoing commitment is what separates ISO 27001 from point-in-time assessments like SOC 2 Type 1. Your ISMS must demonstrate continuous improvement through management reviews, internal audits, corrective actions, and updated risk assessments.