When you have finished your ISO 27001 implementation (typically when all elements of the management system have been executed at least once), you should be ready for certification. Certification is performed by an accredited certification body (or registrar).
How do I find a certification body?
Once you have contracted one, they will set you up with an auditor or audit team and the audit days are planned. An initial certification audit consists of two parts:
Stage 1 audit
Also dubbed the documentation review: the auditor examines the documentation (risk analysis, policies and procedures) to assess whether you are ready to undergo the second stage.
Stage 2 audit
This part is sometimes called an implementation audit. It consists of a series of interviews with representatives of the different departments (management, HR, IT, development, operations) to make sure they understand their responsibilities and are following the defined policies and procedures. In other words, do you “walk the talk”?
The (audit) circle of life
An ISO 27001 certificate, like any ISO management system certificate, is valid for three years. At the end of the first and second year, the auditor will come back for a so-called surveillance audit. This typically takes 1/3 of the time (and cost) of the initial audit.
During this audit, the auditor will follow up on findings from the previous audit and check whether the management system is still functioning:
- Are you adhering to the monitoring plan?
- Have you conducted an internal audit and management review?
- Are you adequately following up on incidents?
A few months before the certificate expires, a re-certification audit takes place. This is a full audit of the ISMS, much like the initial audit. You can transfer to another certification body, but if you stay with the same one, the stage 1 audit can typically be skipped.
Curious to see how prepared your organization is for ISO 27001? Answer 10 simple questions and get instant feedback. Your result will show your current strengths and highlight opportunities to improve security in a practical way.