The journey to ISO 27001 certification typically involves two (2) steps: Implementation and Certification
Step 1: ISO 27001 Implementation
Before you can get certified, you will need to implement an ISO 27001 compliant program. You may do this yourself or engage a consulting firm to help build the program. It typically consists of program elements such as building out your Information Security Management System (ISMS) (clauses 4-10), establishing a governance structure, a risk management program, and policies and procedures, and implementing the 114 Annex A controls described in ISO 27001. For most companies, this takes 6-18 months depending on current maturity, organizational complexity, and certification scope.
Step 2: Year 1 ISO 27001 Certification
To get ISO 27001 certified, you must engage an ISO-accredited certifying body (CB) and go through Stage 1 and Stage 2 audits.
Stage 1 audits review the design of the security program and give the auditor a sense of the organization’s readiness for the Stage 2 certification audit; Stage 1 is largely a documentation review and interview-based audit.
This stage is usually 1-3 days in duration (scope dependent).
Stage 2 audits occur 30-60 days after Stage 1. Stage 2 is an evaluation of the implementation and effectiveness of the organization’s management system and is performed through documentation review, interviews, site inspection, and controls testing.
Stage 2 is usually 1-3 weeks in duration (scope dependent).
Following the Stage 2 audit, and the remedying of any non-conformities, a CB can issue an ISO 27001 certification.
Year 2 and 3 Surveillance Audits
In years two (2) and three (3) of the certification cycle, you will have to undergo surveillance audits. The surveillance audits cover roughly 50% of the full scope of controls, selected at the auditor’s discretion.
In year four, the cycle starts over.