ISO 27001 Certification Process: Your Complete Roadmap
The ISO 27001 certification process can seem daunting, but with the right approach, it's manageable. This guide provides a complete roadmap from initial planning to certification.
Key Takeaways
| Point | Summary |
|---|---|
| 7 phases | Planning → ISMS Development → Implementation → Internal Audit → Stage 1 → Stage 2 → Certification |
| Timeline | 3-4 months with managed service (6+ months traditional approach) |
| Two-stage audit | Stage 1: Documentation review; Stage 2: Implementation verification |
| Key milestones | Risk assessment (Week 8), internal audit (Week 20), Stage 1 (Week 22), certification (Week 26) |
| Your time | ~20-25 hours total with managed service |
Quick Answer: ISO 27001 certification involves a two-stage audit. Stage 1 reviews your documentation; Stage 2 verifies implementation. With expert guidance, the entire process takes 3-4 months and about 20-25 hours of your time.
Certification Process Overview
The Journey at a Glance
ISO 27001 Certification Journey
────────────────────────────────────────────────────────
Phase 1: Planning & Gap Analysis (Weeks 1-4)
│
▼
Phase 2: ISMS Development (Weeks 4-10)
│
▼
Phase 3: Implementation (Weeks 10-18)
│
▼
Phase 4: Internal Audit & Review (Weeks 18-20)
│
▼
Phase 5: Stage 1 Audit (Weeks 21-22)
│
▼
Phase 6: Stage 2 Audit (Weeks 23-26)
│
▼
Phase 7: Certification & Maintenance (Ongoing)
Key Milestones
| Milestone | Typical Timing | Deliverable |
|---|---|---|
| Project kickoff | Week 1 | Project plan, team formed |
| Gap analysis complete | Week 3 | Gap assessment report |
| ISMS scope defined | Week 4 | Scope document |
| Risk assessment done | Week 8 | Risk register, SoA |
| Controls implemented | Week 16 | Operational ISMS |
| Internal audit complete | Week 20 | Audit report |
| Stage 1 passed | Week 22 | Ready for Stage 2 |
| Certification achieved | Week 26 | ISO 27001 certificate |
Phase 1: Planning and Gap Analysis
Week 1-2: Project Setup
Establish the Foundation
| Task | Output |
|---|---|
| Secure executive sponsorship | Commitment letter |
| Appoint ISMS manager | Named responsible person |
| Form project team | Team roster |
| Define project timeline | Project plan |
| Allocate budget | Approved budget |
Key stakeholders to involve:
- Executive sponsor (CEO, CTO, or equivalent)
- ISMS manager (security lead or vCISO)
- IT/Engineering representative
- HR representative
- Legal/Compliance representative
- Operations representative
Week 2-4: Gap Analysis
Assess Current State Against ISO 27001
| Activity | Purpose |
|---|---|
| Review existing policies | Identify documentation gaps |
| Assess current controls | Map to Annex A requirements |
| Interview key personnel | Understand actual practices |
| Review technical configurations | Verify security settings |
| Document findings | Create gap report |
Gap Analysis Output:
Gap Assessment Summary:
| Requirement Area | Status | Gap Level |
|---|---|---|
| ISMS Documentation | Partial | Medium |
| Risk Assessment | Partial | High |
| Access Controls | Implemented | Low |
| Change Management | Partial | Medium |
| Incident Response | Not Started | High |
| Business Continuity | Not Started | High |
| Internal Audit | Not Started | High |
| Management Review | Not Started | Medium |
Phase 2: ISMS Development
Week 4-6: Establish Context and Scope
Define Your ISMS Foundation
| Deliverable | Contents |
|---|---|
| Context analysis | External and internal factors |
| Stakeholder register | Interested parties and requirements |
| Scope document | What's included and excluded |
| Security policy | High-level direction |
Scope Considerations:
- Which business functions?
- Which locations?
- Which systems and data?
- What are the boundaries?
- What's explicitly excluded?
Week 6-8: Risk Assessment
Identify and Assess Risks
Risk Assessment Process:
Step 1: Asset Identification:
- Information assets (data types)
- Physical assets (servers, devices)
- Software assets (applications)
- Service assets (cloud services)
Step 2: Threat Identification:
- External threats (hackers, malware)
- Internal threats (employees)
- Environmental threats (disasters)
- Technical threats (system failures)
Step 3: Vulnerability Assessment:
- Technical vulnerabilities
- Process weaknesses
- People-related vulnerabilities
- Physical vulnerabilities
Step 4: Risk Analysis:
- Likelihood assessment
- Impact assessment
- Risk calculation
Step 5: Risk Evaluation:
- Compare to criteria
- Prioritize risks
- Determine treatment
Risk Treatment Options:
| Option | When to Use | Example |
|---|---|---|
| Modify | Risk too high, controls available | Implement MFA |
| Accept | Risk within tolerance | Document acceptance |
| Avoid | Risk unacceptable | Discontinue activity |
| Share | Transfer possible | Cyber insurance |
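The five steps above and the treatment table, carried through as an added example that is not part of this guide or of any Bastion tooling: a constructed risk register is scored on an assumed 1-5 likelihood and impact scale (Step 4), ranked, and checked against an assumed acceptance criterion and the four treatment options (Step 5). The scale, the tolerance threshold and the sample entries are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed 1-5 ordinal scales and acceptance criterion; an organisation sets its own.
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
TOLERANCE = 9  # assumed criterion: likelihood x impact <= 9 is within tolerance

@dataclass
class Risk:
    asset: str          # Step 1: what is at risk
    threat: str         # Step 2: what could happen to it
    vulnerability: str  # Step 3: the weakness the threat would act on
    likelihood: str     # Step 4 inputs, as names from SCALE
    impact: str
    treatment: str = "Undecided"  # Modify / Accept / Avoid / Share
    control: str = ""             # required when treatment is Modify
    score: int = field(init=False)

    def __post_init__(self):
        self.score = SCALE[self.likelihood] * SCALE[self.impact]  # Step 4: risk calculation

    def within_tolerance(self) -> bool:
        return self.score <= TOLERANCE

def evaluate(register):
    """Step 5: rank risks by score and flag treatment decisions that fail the criteria."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    issues = []
    for r in ranked:
        label = f"{r.asset} / {r.threat} (score {r.score})"
        if r.treatment == "Accept" and not r.within_tolerance():
            issues.append(f"{label}: above tolerance, acceptance needs a documented exception")
        elif r.treatment == "Modify" and not r.control:
            issues.append(f"{label}: Modify chosen but no control named")
        elif r.treatment == "Undecided" and not r.within_tolerance():
            issues.append(f"{label}: above tolerance and no treatment decided")
    return ranked, issues

# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    Risk("Source code repository", "Unauthorised access", "Passwords only, no MFA", "High", "High", "Modify", "Implement MFA"),
    Risk("Customer database", "Ransomware", "Unpatched hosts", "Medium", "Very High", "Modify"),
    Risk("Backup tapes", "Loss in transit", "Single offsite courier", "Medium", "Very High", "Accept"),
    Risk("Legacy FTP server", "Data interception", "Cleartext transfer", "Medium", "High", "Avoid"),
    Risk("Marketing website", "Denial of service", "Single hosting provider", "Medium", "Low", "Share"),
    Risk("Office laptops", "Theft", "Disk encryption not enforced", "Low", "Medium", "Accept"),
]

if __name__ == "__main__":
    ranked, issues = evaluate(REGISTER)
    print(*(f"{r.score:>2} {r.treatment:<9} {r.asset}" for r in ranked), *issues, sep="\n")
```

The two flagged entries are the ones an internal auditor would question: a high-scoring risk marked Accept without an exception, and a Modify decision with no control recorded for the Statement of Applicability.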
Week 8-10: Create Statement of Applicability
Map Controls to Your Environment
| For Each Control | Document |
|---|---|
| Applicable? | Yes/No with justification |
| Implemented? | Full/Partial/Planned |
| How implemented? | Control description |
| Evidence? | Where to find proof |
SoA Structure:
| Control | Title | Applicable | Justification | Implementation | Evidence |
|---|---|---|---|---|---|
| 5.1 | Policies for information security | Yes | Required for ISMS | Full | Policy document |
| 8.4 | Access to source code | Yes | SaaS company develops software | Partial | GitHub settings |
| 7.1 | Physical security perimeters | No | Cloud-only, no physical servers | N/A | Cloud provider SOC 2 |
Phase 3: Implementation
Week 10-14: Policy and Procedure Development
Create Required Documentation
| Document Type | Examples |
|---|---|
| Policies | Information security, access control, acceptable use |
| Standards | Encryption standards, hardening standards |
| Procedures | Incident response, backup, access provisioning |
| Guidelines | Password guidelines, remote work guidelines |
Documentation Hierarchy:
Level 1: Information Security Policy
(What we commit to)
│
Level 2: Domain Policies
(What we require)
│
Level 3: Standards
(Technical specifications)
│
Level 4: Procedures
(How we do it)
│
Level 5: Work Instructions
(Step-by-step guides)
Week 12-16: Technical Control Implementation
Deploy Required Controls
| Control Area | Implementation Tasks |
|---|---|
| Access Control | Configure SSO, implement MFA, set up RBAC |
| Endpoint Security | Deploy MDM, configure device policies |
| Network Security | Configure firewalls, implement segmentation |
| Monitoring | Set up SIEM, configure alerting |
| Vulnerability Management | Deploy scanner, establish remediation process |
| Backup | Configure backups, test restores |
Week 14-16: Training and Awareness
Prepare Your People
| Activity | Target Audience |
|---|---|
| ISMS awareness training | All employees |
| Role-specific training | Control owners |
| Policy acknowledgment | All employees |
| Incident reporting training | All employees |
| Secure development training | Engineering team |
Week 16-18: Operating the ISMS
Run the System
| Activity | Frequency |
|---|---|
| Monitor controls | Continuous |
| Collect evidence | Ongoing |
| Manage access | As needed |
| Handle incidents | As they occur |
| Process changes | Per change management |
Phase 4: Pre-Audit Verification
Week 18-19: Internal Audit
Verify ISMS Effectiveness
| Audit Scope | Focus Areas |
|---|---|
| Clauses 4-10 | All mandatory requirements |
| Annex A controls | Sample of applicable controls |
| Documentation | Required documents in place |
| Implementation | Controls operating effectively |
| Evidence | Records available |
Internal Audit Process:
1. Plan the Audit:
- Define scope and criteria
- Create audit checklist
- Schedule interviews
2. Conduct the Audit:
- Document review
- Staff interviews
- Control testing
- Evidence examination
3. Report Findings:
- Nonconformities identified
- Observations noted
- Positive findings recorded
4. Follow Up:
- Corrective actions defined
- Actions implemented
- Effectiveness verified
Week 19-20: Management Review
Executive Oversight
| Input | Discussion |
|---|---|
| Internal audit results | Findings and remediation status |
| Risk assessment status | Current risk posture |
| Performance metrics | ISMS effectiveness |
| Improvement opportunities | Enhancement proposals |
| External changes | New requirements or threats |
| Output | Action |
|---|---|
| Improvement decisions | Approved changes |
| Resource allocation | Budget/staffing |
| ISMS changes | Modifications needed |
Week 20-21: Audit Preparation
Get Ready for External Audit
| Task | Details |
|---|---|
| Review documentation | All documents current and approved |
| Verify evidence | Complete and accessible |
| Brief staff | Audit process and expectations |
| Prepare logistics | Room, access, contacts |
| Select certification body | If not already done |
Phase 5: Stage 1 Audit
What Happens in Stage 1
Documentation and Readiness Review
| Auditor Focus | Looking For |
|---|---|
| ISMS scope | Clearly defined, appropriate |
| Security policy | Approved, communicated |
| Risk assessment | Methodology followed, results documented |
| Statement of Applicability | Complete, justified |
| Internal audit | Conducted, findings addressed |
| Management review | Conducted, documented |
Stage 1 Outcomes:
| Outcome | Next Steps |
|---|---|
| Ready for Stage 2 | Schedule Stage 2 (typically 2-4 weeks later) |
| Minor gaps | Address before Stage 2 |
| Major gaps | Delay Stage 2, significant remediation needed |
Typical Stage 1 Timeline
| Day | Activities |
|---|---|
| Day 1 AM | Opening meeting, scope confirmation |
| Day 1 PM | Documentation review |
| Day 2 AM | Continue review, readiness assessment |
| Day 2 PM | Closing meeting, Stage 2 planning |
Phase 6: Stage 2 Audit
What Happens in Stage 2
Implementation and Effectiveness Verification
| Auditor Focus | Methods |
|---|---|
| Control implementation | Interviews, observation |
| Evidence review | Document examination |
| Control effectiveness | Testing and sampling |
| Staff competence | Interviews across organization |
| ISMS operation | Process observation |
Stage 2 Audit Techniques
Interviews:
- Ask about policies and procedures
- Verify understanding
- Confirm control operation
Documentation Review:
- Policies and procedures
- Records and evidence
- Meeting minutes
Observation:
- Watch processes in action
- Physical security walkthrough
- System demonstrations
Testing:
- Sample access reviews
- Check change records
- Verify backup restores
- Review incident handling
Handling Audit Findings
| Finding Type | Definition | Response |
|---|---|---|
| Major NC | Significant ISMS failure | Must resolve before certification |
| Minor NC | Gap not affecting ISMS overall | Address within 90 days |
| Observation | Improvement opportunity | Consider addressing |
| Positive | Good practice noted | Continue! |
Stage 2 Outcomes
| Outcome | Next Steps |
|---|---|
| Certification recommended | Certificate issued (2-4 weeks) |
| Minor NCs | Submit corrective action plan/evidence |
| Major NCs | Resolve and potential follow-up audit |
Phase 7: Certification and Maintenance
After Certification
Immediate Actions:
- Celebrate with your team!
- Communicate achievement internally
- Update website/marketing
- Notify customers
- Plan for ongoing maintenance
Certification Cycle
3-Year Certification Cycle:
Year 1:
- Certification audit (Stage 1 + Stage 2)
- Certificate issued
Year 2:
- Surveillance audit 1
- Verify continued compliance
Year 3:
- Surveillance audit 2
- Prepare for recertification
Year 4:
- Recertification audit
- New 3-year cycle begins
Surveillance Audits
| Aspect | Details |
|---|---|
| Frequency | Annually (some certification bodies audit semi-annually) |
| Duration | Typically 50-70% of initial audit days |
| Focus | Sample of controls, any changes, previous findings |
| Outcome | Maintain certification or address issues |
Recertification
| Aspect | Details |
|---|---|
| Timing | Before certificate expiration (Year 3) |
| Scope | Full ISMS review (like initial certification) |
| Duration | Similar to initial Stage 1 + Stage 2 |
| Outcome | New 3-year certificate |
Choosing a Certification Body
Selection Criteria
| Criterion | Consideration |
|---|---|
| Accreditation | ANAB, UKAS, or other recognized body |
| Experience | ISO 27001 expertise, industry knowledge |
| Reputation | References, track record |
| Cost | Competitive pricing |
| Availability | Can meet your timeline |
| Approach | Practical, helpful auditors |
Accreditation Bodies
| Body | Region |
|---|---|
| ANAB | United States |
| UKAS | United Kingdom |
| DAkkS | Germany |
| JAS-ANZ | Australia/New Zealand |
| COFRAC | France |
The Bastion Advantage
Streamlined Certification Process
Bastion accelerates every phase:
| Phase | Traditional | With Bastion |
|---|---|---|
| Gap analysis | 2-4 weeks | 1-2 weeks |
| ISMS development | 6-8 weeks | 3-4 weeks |
| Implementation | 8-10 weeks | 4-6 weeks |
| Audit prep | 2-4 weeks | 1-2 weeks |
| Total | 18-26 weeks | 9-14 weeks |
What Bastion Provides
| Phase | Bastion Support |
|---|---|
| Planning | Expert-led kickoff and project planning |
| Gap analysis | Automated assessment + expert review |
| ISMS development | Pre-built policies, guided customization |
| Implementation | Prioritized roadmap, automated evidence |
| Internal audit | Audit support, finding remediation |
| Stage 1 & 2 | Audit preparation, coordination |
| Maintenance | Continuous monitoring, renewal support |
Ready to start your certification journey? Talk to our team →
