Resources · Guides & How-Tos

How ISO 27001 Certification Works, Step by Step

A clear walk-through from “we should get certified” to holding the certificate — so there are no surprises.

Scoping

Decide what the certification covers — which parts of the business and which systems. Getting scope right keeps the project focused and the cost sensible.

Pre-audit (optional)

An optional readiness review — an honest look at where you are versus ISO 27001, with a clear list of what’s already in place and what needs work before the formal audit.

Build the ISMS & remediate

Put the policies, processes and controls in place (or tidy up what you have). Usually the longest stage.

Stage 1 audit — documentation

A Lead Auditor reviews your ISMS documentation and readiness, flagging anything to fix before the main audit.

Stage 2 audit — certification

The auditor tests your controls in practice. Pass, and certification is recommended.

Certificate & surveillance

You receive a 3-year certificate, with a lighter surveillance audit each year to keep it current.

Talk to a Lead Auditor →