A breakdown of the ISO 27001 audit and certification process

Person reviews documents as part of an ISO 27001 audit

Oro provides content designed to educate and help audiences on their compliance journey.

It’s time to tackle your ISO 27001 audit! So far, you’ve:

Now, it’s time to make it official ahead of certification.

What comes after your internal audit and audit report?

After delivering an internal audit report to management, the team will need to determine if remediation is necessary. If major nonconformities were identified in the internal audit, there should be a pause to remediate the nonconformities prior to executing the external audit.

Once management feels the root cause of internal audit findings were successfully remediated, they can move to external audits and the certification process.

Ready for your external audit? Who can audit your ISMS?

Only ISO 27001-certified auditors can examine your framework, and only a certification body can issue the final certification. This differs significantly from SOC 2, which can be performed by any CPA. Any ISO 27001 auditor must work with a certification body and must complete a specified number of audits and hours of training to qualify.

Stages of an ISO 27001 Audit

ISO 27001 certification audit is broken into two stages. This section covers both and the official certification process.

Stage 1

During the first stage, the auditor(s) reviews your company’s information security management system (ISMS) from a design perspective. This usually takes place in person but can continue via conference call if needed. Learn more about ISMS for ISO 27001 here.

Your auditor will examine the policies and procedures listed in your ISMS. During stage 1, findings are categorized as critical or non-critical findings. This stage determines if your company is ready to start stage 2 of the audit. 

In stage 2, however, findings are categorized as:

  • Major non-conformities
  • Minor nonconformities
  • Observations
  • Opportunities for improvement

Auditors look at the clauses, or requirements, of ISO 27001 but do not necessarily examine Annex A controls. Using your Statement of Applicability, they determine if the correct level of information security has been designed with the ISMS.


Person writes a math formula on the whiteboard to calculate ISO 27001 certification cost
Recommended for you
How much does ISO 27001 certification cost?

Getting ISO 27001 certified is an investment of time and resources and how much can depend on the scale of your business and ISMS.

How much does ISO 27001 certification cost? icon-arrow-long

Stage 2

Once the auditor returns a preliminary report to management and provides them with an opportunity to solve any major or minor nonconformities, they can commence stage 2. Like the first stage, these can take place onsite, but there is a growing trend of remote audits.

This stage dives into policies and procedures in action. That means collecting evidence of each clause and control that has been put into place during implementation. Using your Statement of Applicability as a reference, auditors confirm the requirements and examine configurations, protections, roles, and more.

Stage 2 dives into the operating effectiveness of the ISMS rather than just the controls. The audit is actually over the ISMS (management system) rather than a controls audit. Your team likely needs to explain the intentionality of the design, and how you anticipate dealing with particular circumstances like employee discipline, and re-perform controls as needed.

The process of inspection, observation, and inquiry into each control requires significant time from each control owner. Expect your team to be involved in audit meetings for a full week.

ISO 27001 certification

Finally, the certification! After stage 2 of the audit, your auditor will hold a closing meeting where the results of the audit will be provided to management, including any nonconformities that require remediation. Management should respond in the form of a corrective action plan, which includes: 

  • The root cause of the issue
  • The actions to remediate, and 
  • A timeline for completion. 

Once those action plans have been drafted, the auditor will include them within the audit report which is normally completed within 1-2 days of the closing meeting.

At this point, auditors should be able to indicate if they believe you will be ISO 27001 certified, but the final decision lies with the certification body. 

Periodic surveillance audits

ISO 27001 does not require an annual certification, but you will need to perform a surveillance audit in the off-years. The 2 years following your certification, an auditor from a certification body will perform a surveillance audit to ensure that the organization is still operating the ISMS and controls as designed.

Surveillance audits include all clauses in the ISO 27001 framework, but each year only 50% of Annex A requirements are examined–how it is divided is up to the auditor.  Additionally, the auditor will revisit any nonconformities found during the initial certification audit and determine if the organization remediated the issues properly.

At the end of these audits, the auditor will share any findings with management, similar to the first year, and produce an audit report to the certification body indicating whether the organization is still satisfying the requirements of the standard to maintain certification.

ISO 27001 recertification audit

In the 3rd year after certification, you’ll need to repeat the whole certification process. During this time, your business has likely grown and changed. This means your ISMS and SoA should have changed with it, as reflected in your annual surveillance audits.

How long does an ISO 27001 certification audit take?

ISO 27001 certification has historically involved an in-person audit process, performed by an ISO 27001 certification body, but remote audits are becoming more common.

However, in the time of remote work, ISO 27001 audits can move forward via video conferencing. If the design of the ISMS is found to be sufficient, the second stage can commence. Otherwise, the company must remediate any nonconformities in a reasonable amount of time to avoid re-doing the first stage.

The second stage examines the controls and requirements, and can similarly take place over a video conference. This typically lasts about twice the amount of time as the stage one audit.

The ISO 27001 audit report will be authored after completion of the audit and passed to the certification body for review. Because ISO 27001 is a fairly rigid framework, you’ll likely need expert guidance on how to scale your controls up as your business grows. We get that. Reach out to our team with questions, comments, or concerns as you tackle the ISO 27001 process!


This post was originally published in June, 2021 and was updated for context and accuracy.

Share this post with your network:

LinkedIn