In this blog, we provide a clear, step-by-step overview of the ISO 27001 certification process, breaking down the roles of certification bodies and UKAS, the two-stage audit approach, and what auditors look for during assessments. We also cover audit timelines, what it means to ‘pass,’ and how to maintain certification through the three-year cycle.
The ISO 27001 certification process can appear complex, especially for organisations seeking certification to an ISO standard for the first time. With multiple audit stages to consider, variations in the time and cost involved, and different types of nonconformities to be aware of, many organisations are uncertain about what to expect. However, with a clear understanding of how certification works, the process becomes far more accessible and manageable.
Accreditation and Certification Bodies: What’s the Difference?
When pursuing certification to ISO 27001, you are guaranteed to come across the terms ‘certification body’ and ‘accreditation body’. It is important to understand the difference between the two, as they are both central to the certification process but play very different roles.
Certification bodies are the organisations that conduct certification audits and issue ISO 27001 certificates. They assess whether your information security management system (ISMS) meets the requirements of the Standard, and whether your organisation can be awarded certification. There are a substantial number of certification bodies in the UK and they fall into two basic camps, namely accredited or non-accredited.
On the other hand, an accreditation body supervises and evaluates certification bodies to ensure they are competent to perform ISO 27001 audits. Across the globe, most countries follow a ‘single national accreditation body’ model, e.g., DAkkS (Germany), COFRAC (France), JAB (Japan). In turn, these accreditation bodies are members of international organisations like the International Accreditation Forum (IAF), which is the main global organisation for accreditation in the context of management system standards like ISO 27001, ISO 9001, ISO 22301, etc.
In the UK, there is only one accreditation body, and that is the appropriately named United Kingdom Accreditation Service (UKAS). Its function is to oversee the activities of all the UKAS-accredited certification bodies in the UK, and to ensure that they remain impartial, competent, and capable of delivering the services they offer.
When selecting a certification body, it is highly advisable to choose one with UKAS accreditation. Using a UKAS-accredited certification body will enable you to receive an accredited ISO 27001 certification following a successful audit, as opposed to a non-accredited certification, which you will receive if you work with a non-accredited certification body. A certificate issued by a non-accredited body is still valid and acceptable in some forums; however, it will not provide as much assurance as an accredited certification.
The Two Stages of an ISO 27001 Certification Audit
Stage 1 - The readiness assessment
During the Stage 1 audit, sometimes referred to as the ‘documentation review’ or ‘readiness review’, the auditor is looking to understand whether you have a documented information security management system (ISMS) in place that is likely to pass the Stage 2 audit. So, they will want to establish that you have the appropriate policies, processes, procedures, and other documentation that comprise an ISO 27001-conformant ISMS. Some examples of documentation you will need to provide to the auditor include:
- Information security policy
- A documented risk assessment and risk treatment plan
- A maintained risk register
- Statement of Applicability (SoA)
- Documented objectives, scope, and governance arrangements.
The auditor may also look at physical security if a site visit is included. This was more common pre-pandemic; however, it is still included in some audits, particularly for high-risk or multi-site organisations.
You won’t receive a certificate following your Stage 1 audit, but you will receive a report outlining any gaps or issues that need attention. These reports are really useful in helping you prepare for your Stage 2 audit.
It’s important to note that you will have a maximum of six months between your Stage 1 and Stage 2 audits. So, if your Stage 1 takes place in May, the latest you could schedule Stage 2 would be November. However, it is not recommended to leave Stage 2 until the last minute, as auditor availability can be limited (especially towards the end of the year). As such, most organisations book both Stage 1 and Stage 2 at the same time, typically spacing them around five to five-and-a-half months apart. This enables you to stay within the six-month window without the stress of last-minute scheduling.

Stage 2 - The certification audit
The Stage 2 audit is much more in-depth than Stage 1, as this is where the certification body conducts a detailed assessment of how the Standard has been implemented within your organisation. Typically, a Stage 2 audit will be conducted by more than one auditor.
Auditors will use a common method known informally as the ‘3 P’s’:
- Policy
- Procedure
- Prove it.
In layman’s terms, this means that they will be looking to establish what you say you do (i.e., your policies), how you say you do it (i.e., your procedures), and whether you are doing it in practice (i.e., the evidence - meeting minutes, logs, reports, etc.).
During the audit, the auditors will conduct comprehensive reviews of your processes and Annex A controls, especially those relevant to your scope, as well as reviewing evidence, including access reviews, incident reports, internal audits, training records, supplier assessments, and change logs. In addition, they will conduct interviews across the organisation – not only IT, but HR, finance, leadership, and anyone involved in operating or supporting the ISMS. You should also expect practical testing, such as checks of whether terminated staff accounts have really been deactivated or whether backups were tested when you said they were.
Ultimately, certification body auditors are looking for consistency between what’s written or claimed, and what’s actually happening on the ground.
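The ‘prove it’ checks described above are easy to run yourself before the auditor does. The following Python script is an added example written for this post, not URM’s tooling or any certification body’s method: it cross-references a constructed HR leaver list against a constructed directory export to find accounts still enabled (or disabled late, or used) after the termination date, and checks a constructed restore-test log against an assumed policy of one successful restore test per quarter. All field names and sample records are assumptions.

```python
"""Self-checks of the 'prove it' kind: does the evidence agree with the policy?

All data below is constructed for illustration; field names are assumptions,
not the schema of any real HR system or directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR leaver list: who left and when.
HR_LEAVERS = [
    {"user": "j.smith", "termination_date": date(2024, 3, 1)},
    {"user": "a.jones", "termination_date": date(2024, 4, 15)},
    {"user": "p.patel", "termination_date": date(2024, 5, 20)},
]

# Constructed directory export, i.e. what an identity admin would pull for the auditor.
DIRECTORY_EXPORT = [
    {"user": "j.smith", "enabled": False, "disabled_on": date(2024, 3, 1), "last_logon": date(2024, 2, 28)},
    {"user": "a.jones", "enabled": True, "disabled_on": None, "last_logon": date(2024, 4, 30)},
    {"user": "p.patel", "enabled": False, "disabled_on": date(2024, 5, 28), "last_logon": date(2024, 5, 19)},
    {"user": "m.lee", "enabled": True, "disabled_on": None, "last_logon": date(2024, 6, 1)},
]

# Constructed restore-test log; the assumed policy requires one passing restore test per quarter.
RESTORE_TESTS = [
    {"date": date(2024, 1, 20), "result": "pass"},
    {"date": date(2024, 4, 3), "result": "fail"},
]


@dataclass
class Finding:
    user: str
    issue: str


def check_leavers(leavers, directory, grace_days=1):
    """Flag leaver accounts not disabled within grace_days of termination,
    plus any logon recorded after the termination date."""
    accounts = {a["user"]: a for a in directory}
    findings = []
    for leaver in leavers:
        user = leaver["user"]
        left = leaver["termination_date"]
        deadline = left + timedelta(days=grace_days)
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: nothing to flag from this export
        if acct["enabled"]:
            findings.append(Finding(user, f"still enabled; left on {left}"))
        elif acct["disabled_on"] and acct["disabled_on"] > deadline:
            late = (acct["disabled_on"] - left).days
            findings.append(Finding(user, f"disabled {late} days after termination"))
        if acct["last_logon"] and acct["last_logon"] > left:
            findings.append(Finding(user, f"logon on {acct['last_logon']} after termination"))
    return findings


def missing_restore_tests(tests, year, up_to_quarter):
    """Return the quarters (1..up_to_quarter) of `year` with no passing restore test."""
    passed = {(t["date"].year, (t["date"].month - 1) // 3 + 1)
              for t in tests if t["result"] == "pass"}
    return [q for q in range(1, up_to_quarter + 1) if (year, q) not in passed]


if __name__ == "__main__":
    for f in check_leavers(HR_LEAVERS, DIRECTORY_EXPORT):
        print(f"LEAVER  {f.user}: {f.issue}")
    for q in missing_restore_tests(RESTORE_TESTS, 2024, 2):
        print(f"BACKUP  no successful restore test recorded for 2024 Q{q}")
```

Run against the constructed data, the leaver check reports one account still enabled and used after its owner left, and one disabled eight days late, while the backup check reports that Q2 has only a failed restore test on record. Each line of output is exactly the sort of gap an auditor would raise as a nonconformity, so finding it yourself first turns it into a corrective action you can evidence at Stage 2.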
At the end of your Stage 2 audit, the auditor may identify findings that fall into one or more of the following categories:
- Major nonconformities – Serious issues or breakdowns that must be resolved before certification can be granted (i.e., a complete failure of a system or process). Each major nonconformity is dealt with individually and a corrective action agreed, along with an appropriate timeframe for implementation, after which the auditor will come back and verify that the issue has been resolved.
- Minor nonconformities – Small gaps that need to be addressed (usually with evidence of corrective action within an agreed-upon timeframe), but will not prevent certification unless there are multiple in the same area, which would then be raised to a major nonconformity. Any minor nonconformities identified will be reviewed at your next scheduled audit.
- Opportunities for improvement – Improvements, flagged for awareness, but action is optional.
If you’re ever unsure what a finding means or how it was reached, don’t be afraid to ask. Auditors are usually happy to explain their reasoning, and sometimes findings can even be reworded or withdrawn if you present strong evidence during the close-out meeting.
How Long Does an Audit Take?
Audit duration is determined by certification bodies using a UKAS audit time calculator, which factors in aspects such as the number of employees your organisation has, the number of physical sites it operates, and the complexity and scope of your services, systems, and infrastructure.
So, a small organisation with a single office and a narrow scope might receive a one-day audit. However, a large, multi-site organisation with hundreds of employees might need several days. The certification body should be transparent and explain the rationale when quoting you.
What Does ‘Passing’ Actually Mean?
Passing your Stage 2 audit means that the certification body is satisfied with the level of security and conformance demonstrated, and, crucially, that there were no major nonconformities found or multiple minors in a single specific area.
Once your auditor has completed your Stage 2 audit, they will prepare an audit report with findings and a recommendation for certification (assuming no major issues). The certification body’s internal certification review team (not the auditor) will typically review all evidence, including audit reports, findings, and any corrective actions taken. This step in the process is designed to ensure impartiality as the person who audited you is not the one who actually approves your certificate.
If the internal review team agrees, the certification body officially approves the certification and issues your ISO 27001 certificate. Your organisation will also be added to the UKAS public register of certified organisations. When you receive your ISO 27001 certificate, this will include a written scope statement outlining the scope of your certification. The scope statement is useful, as it clearly informs clients, partners and regulators of what is included in your ISMS, i.e., whether it’s your entire organisation or just a specific department, region, or service line. Having successfully certified to the Standard, you can use your ISO 27001 certification in a marketing context to enhance your brand.
Useful Tools Along the Way
To help you prepare for a successful certification audit, you can leverage practical tools and resources such as ISO 27001 document templates and toolkits, supplier verification platforms that show you which vendors are certified, internal audit and readiness checklists, and consultancy to steer you along the right path.
Even tools like version control systems, SharePoint, or Microsoft Teams can be extremely useful in helping you demonstrate evidence of control and policy communication, which auditors often request.
What Happens After Certification? The 3-Year Cycle and Continual Assessments
Once you have certified to ISO 27001, your certificate will be valid for 3 years, after which you will need to recertify. However, in the years between recertifications, you will still be subject to ongoing oversight designed to ensure your ISMS remains effective over time.
Each year, the certification body conducts a continuing assessment visit (CAV), also known as a surveillance audit. These annual visits are a formal requirement to maintain your certification. CAVs will follow a three-year audit plan, usually developed immediately following your initial certification.
Each CAV has a narrower scope than your Stage 2 audit, but is allowed to go much deeper into specific areas or controls. Auditors may re-sample high-risk areas, focus on how you’ve handled incidents, or test how well improvements have been maintained.
While the Stage 2 audit confirms that you have implemented the ISMS, CAVs are aimed at testing how effectively it is being maintained and matured. They’re an opportunity to demonstrate progress, address recurring issues, and proactively mitigate any risks before they escalate into nonconformities.
At the end of the third year, you’ll undergo a recertification audit, similar in scope and depth to the Stage 2 audit, and the cycle begins again.
Final Thoughts
While the ISO 27001 certification process may initially seem complex, with the appropriate preparation and understanding, it becomes far more manageable. The certification audit process itself is specifically designed to give organisations the best chance at success by highlighting areas for improvement early on and allowing time to address gaps; as such, it should be viewed not as a pass-or-fail exercise, but as an opportunity to strengthen your information security posture and demonstrate a genuine commitment to continual improvement.
How URM Can Help
Consultancy
Having assisted over 400 organisations in their ISO 27001 implementation without a single failed certification project, URM is the ideal partner to support your organisation with any aspect of its certification to the Standard. Our team of experienced consultants can offer your organisation a wide range of ISO 27001 support services to help you fully conform to the Standard’s requirements in a way that is appropriate to your organisation’s unique needs, style and culture.
To establish your current level of conformance and any areas for improvement, we can begin by conducting an ISO 27001 gap analysis. We can also assist you to conduct your ISO 27001 risk assessment using our proven risk assessment tool, Abriska 27001, and to develop policies, processes and ISMS infrastructure that are fully aligned with the Standard’s requirements.
Once the ISMS has been implemented, URM can also offer a range of ISO 27001 internal audit services. These include an internal audit conducted ahead of your certification assessment to ensure the ISMS is functioning as intended, planning and implementing a full 3-year ISO 27001 audit programme, or auditing more specific aspects of the ISMS or particular controls.
Training
In addition to our consultancy services, URM also regularly delivers ISO 27001-related training courses, providing you with the skills and expertise necessary to effectively manage conformance to the Standard in your workplace, as well as information security more broadly. Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information. Or, if you would benefit from gaining an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.