ISO 27001 Certification Process: what to expect and how to prepare


Achieving ISO 27001 certification can seem daunting, especially if it’s your first time. You might wonder where to start, what rules to follow, or when you’re truly prepared for an inspection.

Knowing the steps involved in getting certified can make the process smoother and less stressful. This article will outline the ISO 27001 certification journey. We will cover what companies need to do beforehand and what happens during each stage of the certification check.

Here are the steps to getting your ISO 27001 certification.

How to prepare for ISO 27001 Certification

1. Plan Your Project

First, decide who in your company will lead this effort. This person will set goals and keep things on track. How will you get your company’s leaders on board? Will you hire an expert to help you? It’s key to learn about ISO 27001 rules and its 93 controls. Our detailed guide on ISO 27001 is a good place to begin.

2. Define Your Information Security Scope

Every business is different and handles various kinds of information. Before you set up your information security system, you need to decide exactly what data you need to protect. For some companies, this includes everything they do. For others, it might just be one department or system. Your team should talk about what you want your ISO 27001 certificate to cover. Ask yourself: “What service, product, or platform do our customers most want to see protected by our ISO 27001 certificate?”

3. Assess Risks and Find Gaps

You must carry out a formal risk assessment for ISO 27001. This means you need to document all the information, analysis, and results of that risk assessment. Start by considering your current security level. What legal rules, regulations, or contracts does your company need to follow?

Companies without a dedicated person to manage compliance might hire an expert to help with this step. An expert who has worked with similar companies can offer valuable advice: they can guide you through the ISO 27001 process, tell you what steps to take, and help you improve your overall security. However, because of cost or other reasons, many companies choose not to use an outside expert.

4. Set Up Rules and Protections

Now that you know your risks, you need to decide how your company will handle them. Which risks are you okay with, and which ones do you need to fix?

During your ISO 27001 check, the auditor will want to see how you decided to deal with each risk you found. You’ll also need to provide a Statement of Applicability and a Risk Treatment Plan as proof for your audit.

The Statement of Applicability clearly explains which ISO 27001 rules and policies apply to your company. This document is one of the first things your auditor will look at during the certification check.

The Risk Treatment Plan is another essential document for ISO 27001 certification. It records how your organization will respond to the threats you identified during your risk assessment process.

The ISO 27001 standard suggests four ways to deal with risks:

  • Change the risk: Put controls in place to make it less likely for the risk to happen.
  • Avoid the risk: Stop the situations that could cause the risk in the first place.
  • Share the risk: Let another company handle some security tasks, or buy insurance to cover potential issues.
  • Accept the risk: Decide to live with the risk because fixing it would cost more than the possible harm.

After this, you will put new rules and controls into practice to deal with the risks you found. Your rules should set and strengthen good security habits. For example, they might require employees to use multi-factor authentication and lock their computers when they step away.

5. Train Your Employees

All employees must receive training on information security for ISO 27001. This makes sure everyone in your company understands why data security matters and their part in meeting and keeping up with the rules.

6. Document and Collect Evidence

To get ISO 27001 certified, you’ll need to show your auditor that you have set up good policies and controls, and that they are working as the ISO 27001 standard requires.

7. Complete an ISO 27001 Certification Audit

In this step, an outside auditor will check your security system to confirm it meets ISO 27001 requirements. If it does, they will issue your certification. The certification audit happens in two parts. First, the auditor does a Stage 1 audit to review your security system documents. This ensures you have the correct policies and procedures in place. Next, a Stage 2 audit will look at your business processes and security controls. Once both stages are complete, you’ll get an ISO 27001 certificate that is good for three years.

8. Keep Up Continuous Compliance

ISO 27001 is all about getting better over time. You’ll need to keep looking at and reviewing your security system to make sure it’s still working well and that you are maintaining compliance. As your business changes and new risks appear, you’ll need to look for ways to improve your current processes and controls. The ISO 27001 standard requires regular internal audits as part of this ongoing check. Internal auditors review processes and policies to find possible weaknesses and areas to improve before an external audit.

The ISO 27001 Certification audit process

Here’s a breakdown of the key stages in the ISO 27001 certification process:

ISO 27001 Stage 1 Audit: Design Review of Your Security System

An auditor will look at your Information Security Management System (ISMS) documents. They’ll make sure your rules and procedures are set up correctly. This stage ensures your documents meet the ISO 27001 ISMS requirements found in clauses 4 to 10. The auditor will also point out any issues or ways to make your ISMS better. Once you’ve made these suggested changes, you’re ready for Stage 2.

ISO 27001 Stage 2 Audit: Main Certification Audit

This step involves reviewing your business processes and controls. The auditor will check that they meet the requirements of your ISMS and the additional controls in Annex A. The auditor will do a detailed review to see if your company meets all ISO 27001 requirements. After both Stage 1 and Stage 2 are done, your ISO 27001 certificate is issued and is good for three years.

ISO 27001 Surveillance Audits

During the three years your certificate is valid, you’ll have ongoing checks. These are to make sure your ISO 27001 program is still working well and being followed. These checks confirm that your company is properly keeping up its ISMS and Annex A controls. Auditors will also verify that any problems noted during the main certification check have been fixed.

ISO 27001 Recertification Audit

In the last year of your three-year certification, your company can go through a recertification check. Similar to Stage 2, the auditor will do a detailed review. They’ll confirm that your company still meets ISO 27001 rules for how your processes and controls are set up and how well they work. After this check, your ISO 27001 certification is good for another three years.

What You Need to Show for ISO 27001 Evidence

When you have your ISO 27001 certification check, the auditor will need to look at various parts of your security system. This includes your rules, how your business works, and proof that you’re following the rules.

Here’s a basic list of what you’ll need to give your auditor:

  • Your ISMS Scope: What your information security system covers.
  • Information Security Rules: Your company’s policies for keeping information safe.
  • Risk Assessment Process: How you check for information security risks.
  • Risk Treatment Process: How you deal with those risks.
  • Statement of Applicability: Which ISO 27001 controls apply to you.
  • Information Security Goals: What you aim to achieve with your security.
  • Proof of Skill: Evidence that your staff are competent.
  • Security Training Program and Results: Details of your security awareness training and who completed it.
  • Results of Risk Assessment: What you found when you checked for risks.
  • Results of Risk Treatment: How you addressed the risks.
  • Proof of Monitoring and Measurement: How you track and measure your security efforts.
  • Written Internal Audit Process: How you conduct your own internal security checks.
  • Proof of Audit Programs and Results: Records of your internal audits and their findings.
  • Results of Management Reviews: Evidence of discussions and decisions made by management regarding security.
  • Proof of Issues and Fixes: Records of any security problems found and how they were corrected.
  • Proof of Fixes: Evidence that those corrections worked.
  • Annex A Control Activities Evidence: Proof that you are following the specific security controls listed in Annex A.

ISO 27001 Certification Process Summary

Here is a summary of the steps for ISO 27001 certification:

  1. Project Plan: First, learn all about the ISO 27001 rules and what they cover. You’ll also need to pick a project leader, set up a timeline for getting certified, and get approval from company leaders.
  2. ISMS Scope: Next, decide exactly what information your security system needs to keep safe. What do your customers hope to see covered by your ISO 27001 certificate?
  3. Risk Check & Gap Analysis: Carry out a risk assessment and a plan to fix any weak spots. This helps you see where your security stands now and what you still need to do before an audit.
  4. Rules & Controls: Decide how your company will handle the risks and gaps you found earlier. You’ll also need to write a Statement of Applicability and a Risk Treatment Plan.
  5. Security Training: Make sure all your employees complete official security training to meet the ISO 27001 requirements.
  6. Gathering Evidence: Write down your processes and rules. This shows your auditor that you have met the ISO 27001 requirements.
  7. Certification Audit: You’ll go through a Stage 1 audit where the auditor checks your security system’s design and documents. During a Stage 2 audit, the auditor will review your processes and controls to decide if you earn the ISO 27001 certification.
  8. Ongoing Compliance: To keep your ISO 27001 certification, you’ll need to watch and improve your security system. You’ll also need to complete internal checks, regular surveillance audits, and recertification audits.