How to Get ISO 27001 Certification: Step by Step

How to Get ISO 27001 Certification

How to get ISO 27001 certification is a question that thousands of organizations ask every year — and the answer is more structured, more systematic, and more demanding than most initially expect. ISO 27001 certification is not achieved by completing a questionnaire or purchasing a policy template library. It requires building a genuine Information Security Management System, operating it for a sufficient period to produce evidence of effectiveness, and having it independently audited by an accredited certification body.

According to ISMS.online, organizations that attempt ISO 27001 implementation without a structured roadmap are significantly more likely to encounter major nonconformities during their Stage 2 audit — driving up total certification cost and delaying time-to-certificate. The ISO/IEC 27001:2022 standard introduced 11 new controls and restructured Annex A from 14 domains to 4 themes — meaning organizations building their first ISMS today need a current, 2022-aligned implementation approach.

This guide covers the full nine-stage ISO 27001 certification process — from scope definition through certificate maintenance — with specific guidance on what each stage requires, what auditors look for, and where first-time certification engagements most commonly go wrong.

TL;DR:

Concern: Organizations attempting to get ISO 27001 certification without a clear implementation roadmap routinely underestimate the preparation required, miss critical documentation requirements, and encounter major nonconformities during their Stage 2 audit — delaying certification by months and significantly increasing total cost.
Overview: Getting ISO 27001 certification requires building a conformant ISMS, completing a gap analysis, implementing all applicable Annex A controls, passing a two-stage independent audit by an accredited certification body, and maintaining the ISMS through annual surveillance. The process typically takes six to twelve months for first-time certification.
Solution: Organizations that follow a structured ISO 27001 implementation roadmap — scoping correctly, building documentation systematically, and preparing evidence before the audit — consistently achieve certification more efficiently, with fewer nonconformities and lower total cost. CertPro CPA LLC guides organizations through every stage of the certification journey.

The ISO 27001 Certification Process — Overview

| Stage | Activity | Typical Duration |
|---|---|---|
| 1 | Define ISMS scope | 1–2 weeks |
| 2 | Conduct ISO 27001 gap analysis | 2–4 weeks |
| 3 | Build risk assessment and treatment framework | 3–6 weeks |
| 4 | Build Statement of Applicability | 1–2 weeks (concurrent with Stage 3) |
| 5 | Implement policies, procedures, and controls | 8–16 weeks |
| 6 | Run internal audit programme | 2–4 weeks |
| 7 | Conduct management review | 1 week |
| 8 | Stage 1 audit (certification body) | 1–2 days |
| 9 | Stage 2 audit (certification body) | 2–5 days (4–8 weeks after Stage 1) |

Stage 1 — Define the ISMS Scope

The first and most strategically important step is defining the ISMS scope. The scope statement establishes the boundaries of your ISMS — which business units, physical locations, information assets, systems, and services fall within the certification boundary. Scope decisions affect everything that follows: implementation effort, audit duration, and ultimately what the certificate will say to enterprise buyers and regulators.

Key scope definition inputs include: customer requirements (which systems and services do enterprise buyers care about?), regulatory obligations (which data types and processing activities are subject to regulations?), and implementation feasibility (which parts of the organization can realistically be brought to certification readiness within the target timeline?). For a detailed guide with scope statement examples, see ISO 27001 scope. For broader ISMS design context, see ISO 27001 ISMS.

Stage 2 — Conduct an ISO 27001 Gap Analysis

Before building any new documentation or implementing any new controls, conduct a thorough gap analysis to understand the current state of ISMS conformance against ISO/IEC 27001:2022 requirements. The gap analysis maps current practices against each clause requirement and each anticipated Annex A control, classifying each one into one of three categories: conformant, partially conformant, or non-conformant.

For organizations with existing security programmes — particularly those that have previously operated against ISO 27001:2013 or that hold SOC 2 attestation — the gap analysis frequently reveals significant ISMS infrastructure that can be formalized rather than rebuilt from scratch. For organizations managing multi-standard audit preparation, aligning gap analysis across frameworks simultaneously reduces total remediation effort. See our complete gap analysis guide at ISO 27001 gap analysis.

Stage 3 — Build the Risk Assessment and Treatment Framework

The risk assessment is the operational foundation of the ISO 27001 ISMS — and the source of justification for every Annex A control selection decision. The risk assessment must define a documented methodology, systematically identify information assets within the ISMS scope, identify threats and vulnerabilities for each asset, assess likelihood and impact using a documented scale, evaluate each risk against an acceptance threshold, and produce a risk treatment plan.

For guidance on building a comprehensive asset catalogue as the foundation for the risk assessment, see how to build an asset inventory for ISO 27001. For a detailed risk assessment methodology guide including risk register structure and treatment plan format, see ISO 27001 risk management.

Stage 4 — Build the Statement of Applicability

The Statement of Applicability (SoA) formally connects the risk assessment to the Annex A control framework. It must list all 93 Annex A controls with specific justifications for inclusion or exclusion and current implementation status for each applicable control.

The SoA is mandatory under ISO/IEC 27001:2022 Clause 6.1.3(d) and is one of the most carefully reviewed documents during Stage 1 audit. Common SoA failures include: generic justifications that do not reference specific risks, missing the 11 new 2022 controls, and claiming full implementation for controls that are only partially operational. For a complete guide, see ISO 27001 Statement of Applicability. The full controls reference is at ISO 27001 controls list.
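As an added illustration (not CertPro's tooling or any document from the standard itself), the following Python ties Stages 3 and 4 together: a risk register scored on an assumed 1-5 likelihood x impact scale with an assumed acceptance threshold of 8, a treatment plan derived from it, and a check that the Statement of Applicability lists all 93 Annex A controls, justifies each applicable control by citing a specific risk, and does not exclude a control the treatment plan relies on. The sample risks, scale and threshold are constructed; only the control numbering follows Annex A.

```python
from dataclasses import dataclass
# Annex A of ISO/IEC 27001:2022: 37 organizational, 8 people, 14 physical, 34 technological = 93.
ANNEX_A_2022 = {f"{t}.{n}" for t, cnt in ((5, 37), (6, 8), (7, 14), (8, 34))
                for n in range(1, cnt + 1)}
ACCEPTANCE_THRESHOLD = 8  # assumed: scores above 8 on a 1-5 x 1-5 scale need treatment

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int  # 1-5 on the documented scale
    impact: int      # 1-5 on the documented scale
    controls: tuple  # Annex A control ids chosen to treat the risk

@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str  # should cite the risk ids the control addresses
    status: str         # e.g. "implemented", "partial", "not applicable"

def treatment_plan(risks):
    """Risks scoring above the acceptance threshold, mapped to their treating controls."""
    return {r.risk_id: r.controls for r in risks
            if r.likelihood * r.impact > ACCEPTANCE_THRESHOLD}

def check_soa(risks, soa):
    """Traceability findings for the SoA failure modes auditors commonly raise."""
    risk_ids = {r.risk_id for r in risks}
    treating = {c for cs in treatment_plan(risks).values() for c in cs}
    return {
        "missing": sorted(ANNEX_A_2022 - {e.control_id for e in soa}),  # all 93 must appear
        "unjustified": [e.control_id for e in soa if e.applicable
                        and not any(rid in e.justification for rid in risk_ids)],
        "excluded_but_needed": [e.control_id for e in soa
                                if not e.applicable and e.control_id in treating],
    }

# Constructed sample: one risk above the threshold, one accepted without treatment.
RISKS = [Risk("R-01", "Customer DB", "credential theft", 4, 5, ("5.17", "8.5")),
         Risk("R-02", "Office printer", "paper jam", 2, 1, ())]

def sample_soa():
    """Constructed SoA with one defect of each kind: 8.34 omitted, 5.1 generically
    justified, 8.5 excluded although R-01's treatment depends on it."""
    special = {"5.17": SoaEntry("5.17", True, "Treats R-01", "implemented"),
               "5.1": SoaEntry("5.1", True, "Best practice", "implemented")}
    return [special.get(c, SoaEntry(c, False, "No in-scope risk", "not applicable"))
            for c in sorted(ANNEX_A_2022 - {"8.34"})]
```

Running `check_soa(RISKS, sample_soa())` reports each of the three defects by control id, which is the kind of traceability gap a Stage 1 auditor would raise.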

Stage 5 — Implement Policies, Procedures, and Controls

Documentation Layer

Build all mandatory clause-level documented information plus control-level policies and procedures. For a complete guide to mandatory documents and key policies, see ISO 27001 policies and procedures and information security policy.

Technical Controls Layer

Implement the technical Annex A controls selected in the SoA — access control configurations, vulnerability management, encryption, logging and monitoring, network segmentation, and secure development practices. Use automated evidence collection platforms to begin harvesting implementation evidence from day one of technical control deployment.

Human Controls Layer

Deliver security awareness training to all in-scope personnel, conduct role-specific training for personnel with elevated security responsibilities, establish reporting channels for security events, and document completion records. Compliance automation platforms streamline training delivery and completion tracking in large organizations.

Stage 6 — Run the Internal Audit Programme

Before engaging the certification body for Stage 1 audit, complete at least one full internal audit cycle covering all ISMS clauses and all applicable Annex A controls. Internal audit findings should be documented, root-cause analysed, and resolved — with corrective action records maintained.

Certification auditors review internal audit records carefully. An internal audit programme that has never identified a nonconformity is itself a red flag — suggesting the audit was superficial rather than genuinely independent. For guidance on building an effective internal audit capability, see how to build an effective internal audit function and internal audit procedures.

Stage 7 — Conduct Management Review

The management review must be conducted by top management — typically the CEO, CISO, or equivalent — and must produce documented decisions about ISMS performance, resource allocation, and improvement actions. Auditors look for substantive management review records that demonstrate senior leadership actively engages with ISMS performance data, not a one-page meeting agenda with no substantive outputs. For more context, see management review meeting and its importance.

Stage 8 — Stage 1 Audit (Documentation Review)

The Stage 1 audit is conducted by the accredited certification body — typically one to two days for a mid-sized organization. Its purpose is to assess whether the ISMS is designed to meet ISO/IEC 27001:2022 requirements. The auditor reviews:

  • ISMS scope statement and context documentation
  • Information security policy — formal approval, communication evidence
  • Risk assessment methodology and risk register
  • Risk treatment plan and Statement of Applicability
  • Key policies and procedures covering mandatory clause requirements
  • Internal audit programme documentation and management review records

Stage 1 findings — typically minor nonconformities and observations — must be addressed before the Stage 2 audit proceeds. Organizations that have completed thorough gap analysis and documentation work consistently clear Stage 1 with minimal findings.

Stage 9 — Stage 2 Audit (Implementation Audit)

The Stage 2 audit — conducted four to eight weeks after Stage 1 — verifies that the ISMS is not only documented but actively implemented and producing evidence of effectiveness. Activities include:

  • Opening meeting: Senior management attendance is itself evidence of top management engagement
  • Personnel interviews: Auditors interview personnel at multiple organizational levels — not just the CISO — to verify that ISMS awareness and control operation extend beyond the security team
  • Evidence review: Systematic sampling of control implementation evidence across all applicable Annex A controls
  • Technical walkthroughs: Review of access control configurations, logging systems, vulnerability management records, and development security practices
  • Closing meeting: Preliminary findings presented with nonconformity classifications

Organizations using automated evidence collection platforms significantly reduce Stage 2 evidence production effort and present more comprehensive, better-organized audit evidence. For full Stage 2 preparation guidance, see ISO 27001 audit.

After Certification — Maintaining ISO 27001

  • Year 1 — First surveillance audit: Typically one to two days. Verifies continued ISMS conformance and reviews progress on any observations from the initial certification audit
  • Year 2 — Second surveillance audit: Typically one to two days. Broader scope review, often sampling different control areas from Year 1
  • Year 3 — Recertification audit: Full Stage 1 and Stage 2 reassessment to renew the certificate for the next three-year cycle

Organizations that maintain their ISMS continuously — operating the internal audit programme, updating risk assessments when the threat landscape changes, and reviewing policies annually — consistently pass surveillance audits without last-minute remediation efforts. For organizations managing ISO 27001 ISMS within broader GRC programmes, see GRC framework.

ISO 27001 Certification Cost — Key Cost Drivers

  • ISMS scope: Number of in-scope organizational units, locations, and systems — directly drives audit duration and implementation effort
  • Existing security maturity: Organizations with mature security programmes have lower incremental implementation costs
  • Internal vs external implementation: Internal implementation using existing staff versus engaging an ISO 27001 implementation specialist
  • Certification body: Audit fees vary by certification body. For evaluation criteria, see ISO 27001 certification companies
  • Technology tools: GRC platforms and automated evidence collection tools add ongoing cost but significantly reduce implementation and ongoing maintenance effort

Ready to Get ISO 27001 Certified?

CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.


FAQ

How long does it take to get ISO 27001 certification?

A first-time ISO 27001 certification engagement typically takes six to twelve months from initial scoping to certificate issuance. Organizations with mature existing security programmes often achieve certification in four to six months. Larger, multi-site organizations or those building from scratch may require twelve to eighteen months.

What documents are required for ISO 27001 certification?

Mandatory documents include: ISMS scope statement, information security policy, risk assessment methodology, risk register, risk treatment plan, Statement of Applicability, information security objectives, competence records, operational planning and control documents, internal audit programme and reports, management review records, and nonconformity and corrective action records.

Can a small business get ISO 27001 certified?

Yes. ISO 27001 scales to any organization size. Many small technology companies, SaaS startups, and professional services firms achieve ISO 27001 certification with lean, well-governed ISMS programmes. The scope can be defined to match the organization’s operational reality.

What is the difference between ISO 27001 Stage 1 and Stage 2 audit?

Stage 1 is a documentation review assessing ISMS design and readiness. Stage 2 is an implementation audit assessing whether controls are operational and producing evidence of effectiveness. Both are conducted by the accredited certification body. Stage 1 typically precedes Stage 2 by four to eight weeks.

What happens if you fail the ISO 27001 audit?

If major nonconformities are identified during Stage 2, the certificate is not issued until they are resolved and verified. Minor nonconformities must have accepted corrective action plans but do not prevent certification. Organizations typically have three to six months to resolve major nonconformities before a follow-up assessment is required.

Do you need a specialist to get ISO 27001 certified?

No — but experienced guidance significantly reduces time-to-certificate and nonconformity rates. Organizations pursuing ISO 27001 for the first time, under time pressure from enterprise customer requirements, or managing complex multi-site scopes consistently achieve better outcomes with professional implementation support.
