How do I get ISO 27001 certified?

The journey to ISO 27001 certification typically involves two (2) steps: Implementation and Certification.


Step 1: ISO 27001 Implementation

Before you can get certified, you will need to implement an ISO 27001-compliant program. You may choose to do this yourself or engage a consulting firm to help build the program. Implementation typically consists of program elements such as building out your Information Security Management System (ISMS) (clauses 4-10), establishing a governance structure, a risk management program, and policies and procedures, and implementing the 114 technical requirements described in ISO 27001 Annex A. For most companies, this takes 6-18 months, depending on current maturity, organizational complexity, and certification scope.


Step 2: Year 1 ISO 27001 Certification

To get ISO 27001 certified, you must engage an ISO-accredited certifying body (CB) and go through Stage 1 and Stage 2 audits.

Stage 1 audits review the design of the security program and give the auditor a sense of the organization's readiness for its Stage 2 certification. Stage 1 is largely a documentation review and interview-based audit.

This stage is usually 1-3 days in duration (scope dependent).

Stage 2 audits occur 30-60 days after Stage 1. Stage 2 is an evaluation of the implementation and effectiveness of the organization's management system and is performed through documentation review, interviews, site inspection, and controls testing.

Stage 2 is usually 1-3 weeks in duration (scope dependent).

Following the Stage 2 audit, and the remedying of any non-conformities, a CB can issue an ISO 27001 certification.

Year 2 and 3 Surveillance Audits

In years two (2) and three (3) of your audit, you will have to undergo surveillance audits. The surveillance audits include roughly 50% of the full scope of controls at the auditor's discretion.

In year four, the cycle starts over.