The journey to ISO 27001 certification typically involves two (2) steps: Implementation and Certification.
Step 1: ISO 27001 Implementation
Before you can get certified you will need to implement an ISO 27001 compliant program. To implement ISO 27001, you may choose to do it yourself or engage a consulting firm to help build an ISO 27001 compliant program. This typically consists of program elements such as building out your Information Security Management System (ISMS) (clauses 4-10), establishing a governance structure, a risk management program, policies and procedures, and implementing the 114 technical requirements described in ISO 27001 Annex A. For most companies, this takes 6-18 months depending on current maturity, organization complexity, and certification scope.
Step 2: Year 1 ISO 27001 Certification
To get ISO 27001 certified, you must engage an ISO-accredited certifying body (CB) and go through Stage 1 and Stage 2 audits.
Stage 1 audits serve to review the design of the security program and give the auditor a sense of the organization's readiness for its Stage 2 certification; they are largely documentation-review and interview-based audits.
This stage is usually 1-3 days in duration (scope dependent).
Stage 2 audits occur 30-60 days after Stage 1. Stage 2 is an evaluation of the implementation and effectiveness of the organization's management system and is performed through documentation review, interviews, site inspection, and controls testing.
Stage 2 is usually 1-3 weeks in duration (scope dependent).
Following the Stage 2 audit, and the remedying of any non-conformities, a CB can issue an ISO 27001 certification.
Year 2 and 3 Surveillance Audits
In years two (2) and three (3) of your certification cycle, you will have to undergo surveillance audits. The surveillance audits cover roughly 50% of the full scope of controls, selected at the auditor's discretion.
In year four, the cycle starts over.