
The ISO 27001 Certification Process: Stage 1, Stage 2, and Beyond

What actually happens between deciding to pursue ISO 27001 and receiving your certificate — and what keeps you certified for the three years that follow.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

The certification process is distinct from the implementation process. Implementation is everything you do to build your ISMS — policies, risk assessments, controls, evidence. Certification is the external audit that verifies you have done this correctly. Many organisations spend 12 to 18 months on implementation before reaching the audit stage. Understanding how the audit process works will help you prepare more effectively and avoid common failures.

The 3-Year Certification Journey

  • Month 0: Choose a certification body and book audits. Get 3 quotes · verify IAF accreditation · agree audit days.
  • Stage 1: Document Review. Auditor reviews SoA, risk register, policies, internal audit report.
  • Stage 2: Implementation Audit (2–3 days). Interviews · evidence sampling · control verification.
  • Certified: Certificate issued (3-year validity). Year 1 & 2: surveillance audits · Year 3: full recertification.

Step 1: Choosing a Certification Body

The certification body (CB) is the accredited organisation that audits you and issues the certificate. Not all certification bodies are equal. The key criterion is accreditation — specifically, accreditation by a member of the International Accreditation Forum (IAF). In the UK, the accreditation body is UKAS. In Germany, it is DAkkS. In the US, ANAB. An ISO 27001 certificate issued by a body that is not accredited through an IAF member is not widely recognised and will not satisfy enterprise procurement requirements.

Well-known accredited certification bodies include BSI Group, Bureau Veritas, DNV, TUV SUD, Schellman, Coalfire, and A-LIGN. Each has different strengths: some are better known in specific industries, others in specific geographies. Request quotes from at least three bodies, and ask specifically about their auditor experience with your industry and organisational size. Price differences of 20–40% between equivalent quotes are common and worth the effort of comparison.

When comparing quotes, pay attention to the assumed number of auditor days — this is the primary driver of cost. Auditor day rates typically range from €1,000 to €1,800. The number of days is calculated based on your in-scope employee headcount, using formulas set by IAF guidance. A scope covering 15 employees will require fewer audit days than one covering 150.

Step 2: Stage 1 Audit — The Document Review

Stage 1 is a documentation review, typically conducted remotely or in a single on-site day. The auditor's goal is to assess whether your ISMS is sufficiently developed to proceed to Stage 2. They are not testing whether your controls work — they are checking whether your documentation is complete, coherent, and addresses the right things.

What the Stage 1 auditor reviews:

  • Information security policy — signed, version-controlled, and appropriate to your organisation
  • ISMS scope document — clear definition of what is in and out of scope
  • Risk assessment methodology and risk register — evidence of a systematic process
  • Statement of Applicability — all 93 controls addressed with justifications
  • Risk treatment plan — documented decisions on how each risk will be treated
  • Objectives for information security — specific, measurable targets
  • Evidence that internal audit has been conducted
  • Evidence that management review has been conducted

What Fails Stage 1

Stage 1 failures are almost always documentation failures. The most common issues are: a risk register that does not connect to Annex A controls, an SoA that excludes controls without documented justification, absence of a management review record, and an internal audit that was completed too recently to have generated and closed any findings. Auditors are also alert to scope definitions that seem designed to avoid complexity rather than reflect where information assets actually live.

Stage 1 typically results in a report listing observations and, in some cases, areas of concern that must be addressed before Stage 2 can proceed. These are not the same as nonconformities — they are advisory. Treat them seriously regardless. If your Stage 1 report contains concerns, request a specific list and address each one before scheduling Stage 2.

Step 3: Stage 2 Audit — The Implementation Audit

Stage 2 is the substantive audit where the auditor verifies that your ISMS is actually implemented and operating as described. For a 15-to-50-person organisation, this typically takes two to three auditor days, often conducted over two consecutive days on-site (or remotely, with evidence provided via shared screen).

During Stage 2, the auditor will:

  • Interview staff at different levels — not just the ISMS owner, but also developers, HR, and management
  • Review evidence of control implementation — access control lists, training records, vulnerability scan results, backup logs
  • Sample incidents and test that the incident management process was followed
  • Check that internal audit findings were addressed with corrective actions
  • Verify that the risk register has been updated and reviewed within the required period
  • Confirm that Annex A controls listed as implemented in the SoA are genuinely operating

Major vs Minor Nonconformities

During Stage 2, the auditor may raise nonconformities. A minor nonconformity is a single failure or gap in an otherwise effective system — for example, a training record missing for one employee, or a risk register entry without an assigned owner. A major nonconformity is a systemic failure — no evidence that a required process exists at all, or a fundamental clause requirement that is unaddressed. Minor nonconformities can be closed post-audit through a corrective action plan submitted to the certification body. Major nonconformities typically require a follow-up audit before the certificate is issued.

After Certification: Surveillance Audits and Recertification

ISO 27001 certificates are valid for three years. However, maintaining the certificate requires annual surveillance audits in years one and two, with a full recertification audit in year three. The surveillance audits are lighter than the initial Stage 2 — typically one to two auditor days — but they do verify that your ISMS is still operating and that you have addressed any findings from the previous audit cycle.

Surveillance audits catch organisations that treat certification as a one-time project rather than an ongoing programme. The most common issues in surveillance audits are: risk register not updated since the last audit, management review not conducted in the preceding 12 months, internal audit overdue, and corrective actions from the previous audit cycle not closed. None of these are difficult to address if you maintain a simple compliance calendar. They become problems when the ISMS is left unmaintained between audit cycles.

Our ongoing compliance support service keeps your ISMS audit-ready between cycles, handling the annual review processes that frequently slip when internal teams are focused on other priorities.
