ISO 27001 is the most widely recognised international standard for information security management. Achieving certification signals to clients, partners, and regulators that an organisation has implemented a structured approach to managing information security risks - not just point-in-time controls, but a management system with defined governance, ongoing measurement, and continuous improvement.
But the path from "we need ISO 27001" to a certificate issued by an accredited certification body is not always well understood. This article explains what the standard actually requires, how certification audits work, and how to structure a readiness programme that produces a durable result rather than a documentation exercise that collapses under scrutiny.
What ISO 27001 Actually Is
ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard is not a checklist of controls. It is a management framework that requires organisations to:
- Define the scope of the ISMS
- Understand the context - the organisation's internal and external environment - and identify interested parties and their requirements
- Identify information security risks and assess their likelihood and impact
- Select controls to treat those risks, and document the rationale for controls that were excluded
- Implement, operate, monitor, review, and improve the ISMS
The controls themselves are documented in Annex A of the standard, which references ISO 27002 for implementation guidance. The 2022 revision of the standard consolidated the control set from 114 controls in 14 domains to 93 controls in 4 themes (Organisational, People, Physical, Technological). The structure changed; the substance expanded.
Critically, the standard does not require organisations to implement every control. It requires organisations to implement the controls that are appropriate given their risk assessment, and to document why excluded controls are not applicable or not required. This Statement of Applicability (SoA) is a central document in the certification process.
What the Certification Audit Tests
ISO 27001 certification is granted by an accredited certification body (CB) following a two-stage audit process.
Stage 1 (Documentation Review) is typically a desk-based review of the ISMS documentation. The auditor is assessing whether the organisation has established an ISMS that meets the standard's requirements: whether there is a defined scope, an information security policy approved by management, a completed risk assessment, a Statement of Applicability, and documented objectives and metrics. Stage 1 identifies any major non-conformities in the documentation before Stage 2.
Stage 2 (Implementation Audit) is an on-site assessment (or remote assessment, increasingly common since the pandemic). The auditor tests whether the documented ISMS is actually operating as described. This is the part that organisations underestimate.
The auditor will interview staff at multiple levels - not just the ISMS owner or CISO, but developers, HR managers, finance staff, operations personnel. They will ask: "Tell me how you handle a security incident." "Show me how you onboard a new vendor." "What access controls protect this system?" They are looking for evidence that the processes documented in the ISMS are understood and practised, not just written down.
Non-conformities are classified as major (a failure to meet a requirement of the standard) or minor (a weakness that, if not addressed, could develop into a major non-conformity). Major non-conformities prevent certification until closed. Minor non-conformities must be addressed within the surveillance cycle.
After initial certification, the CB conducts surveillance audits (typically annual) to verify that the ISMS continues to operate. A recertification audit occurs every three years.
Common Readiness Mistakes
Treating ISO 27001 as a documentation project. Organisations sometimes engage consultants to produce the required documentation - policy suite, risk register, SoA - and then attempt certification without embedding the ISMS into operational practice. Stage 2 auditors are experienced at identifying this pattern. The controls must be operating, not just described.
Underestimating the risk assessment. The risk assessment is the foundation of the ISMS. A cursory risk assessment - a generic list of risks with no meaningful likelihood or impact analysis - produces a risk treatment plan and SoA that will not withstand audit scrutiny. The risk assessment should reflect the organisation's actual environment: the assets it holds, the threats relevant to its sector and geography, and the vulnerabilities in its systems and processes.
Defining scope too broadly. Organisations often try to certify their entire organisation in the first cycle. A broader scope means a more complex ISMS, more controls to implement, and more to defend in the audit. First-time certifications typically go better when the scope is defined around a specific product, business unit, or data environment. The scope can be extended in subsequent cycles.
Neglecting management involvement. ISO 27001 requires demonstrated leadership commitment. The standard asks for evidence that top management has approved the information security policy, allocated resources to the ISMS, and is actively involved in management reviews. An ISMS that lives only in the IT department will fail the management and leadership clauses.
Ignoring the operational controls. Annex A controls in the Technological theme - access control, cryptography, secure development, vulnerability management - require technical implementation, not just policy documentation. Organisations need to demonstrate that access reviews happen, that vulnerability scans are conducted and findings tracked, that change management controls are operating.
How to Structure a Readiness Programme
A pragmatic readiness programme for a first ISO 27001 certification runs approximately four to nine months, depending on the scope, the organisation's starting maturity, and the resource capacity available for the work.
Month 1–2: Gap assessment and project setup. Conduct a structured gap assessment against all clauses of ISO 27001:2022. This produces a prioritised work plan and an estimate of the remediation effort. Establish a project team, define governance (who owns the ISMS, and who sits on the management review), and get leadership sign-off on the scope and timeline.
Month 2–4: ISMS documentation and risk assessment. Develop or update the core documentation: information security policy, ISMS scope statement, context and interested parties analysis, risk assessment methodology, risk register and risk treatment plan, and Statement of Applicability. These documents need to be consistent with each other and with operational reality.
Month 3–6: Control implementation. Work through the controls identified in the risk treatment plan. This is typically where the bulk of the effort sits - implementing access review processes, establishing a vulnerability management programme, defining and testing the incident response procedure, formalising supplier security assessment processes, and hardening technical environments where gaps exist.
Month 5–7: Internal audit and management review. ISO 27001 requires an internal audit before certification. Conduct a structured internal audit against all clauses of the standard, document findings, and address non-conformities. Follow this with a formal management review - a documented meeting at which management reviews ISMS performance, risk posture, and objectives.
Month 7–9: Certification audit. Engage the certification body for Stage 1 and Stage 2. Plan for a two- to four-week gap between Stage 1 and Stage 2 to address any Stage 1 findings.
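The documentation step above requires the Statement of Applicability and the risk treatment plan to be consistent with each other: every control marked applicable should be traceable to a risk it treats, every excluded control needs a documented justification, and no risk may rely on a control the SoA excludes or omits. The following Python script is an added illustration of that cross-check, not part of the original article or any standard's own tooling; the data structures, the `check_soa` function and the sample entries (including the risk IDs) are assumptions constructed for the example, with control IDs following the Annex A 2022 numbering.

```python
"""Cross-check a Statement of Applicability (SoA) against a risk treatment plan.

Constructed example: the data model is an assumption, not a prescribed format.
"""
from dataclasses import dataclass


@dataclass
class SoAEntry:
    control_id: str        # Annex A reference, e.g. "A.8.8"
    applicable: bool       # True = selected, False = excluded
    justification: str = ""  # must be non-empty when the control is excluded


def check_soa(soa: dict, risk_plan: dict) -> list:
    """Return a list of human-readable findings; an empty list means consistent.

    soa:       mapping control_id -> SoAEntry
    risk_plan: mapping risk_id -> list of control_ids chosen to treat that risk
    """
    findings = []
    # Every control that any risk treatment relies on.
    referenced = {cid for controls in risk_plan.values() for cid in controls}

    for cid, entry in soa.items():
        if entry.applicable and cid not in referenced:
            # Selected "just in case": an auditor will ask which risk drove it.
            findings.append(f"{cid}: applicable but no risk in the treatment plan relies on it")
        if not entry.applicable and not entry.justification.strip():
            findings.append(f"{cid}: excluded without a documented justification")
        if not entry.applicable and cid in referenced:
            # Direct contradiction between the two documents.
            findings.append(f"{cid}: excluded but used to treat a risk in the plan")

    for rid, controls in risk_plan.items():
        for cid in controls:
            if cid not in soa:
                findings.append(f"{rid}: treatment references {cid}, which is absent from the SoA")
    return findings


# Constructed sample data: deliberately contains four inconsistencies.
SAMPLE_SOA = {
    "A.8.8": SoAEntry("A.8.8", True),                       # vulnerability management, traced to R-01
    "A.5.19": SoAEntry("A.5.19", True),                     # supplier security, but no risk cites it
    "A.7.1": SoAEntry("A.7.1", False, ""),                  # excluded with no justification
    "A.8.24": SoAEntry("A.8.24", False, "No cryptographic services in scope"),  # yet R-02 relies on it
}
SAMPLE_PLAN = {"R-01": ["A.8.8"], "R-02": ["A.8.24"], "R-03": ["A.8.99"]}  # A.8.99 is not in the SoA

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, SAMPLE_PLAN):
        print(finding)
```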
Choosing a Certification Body
Not all certification bodies are equal. Accredited CBs operate under national accreditation bodies (UKAS in the UK, DAkkS in Germany, NABCB, a board of QCI, in India, ANAB in the US). Choose a CB that is accredited by a recognised national body and is a member of the IAF (International Accreditation Forum) - this ensures mutual recognition across borders.
Consider the CB's sector experience. A CB with experience auditing technology or financial services organisations will bring more relevant context to the audit than one whose primary practice is in manufacturing.
Get quotes from at least two CBs. Audit fees vary significantly, and the cheapest option is not always the most credible in your clients' eyes.
The Ongoing Commitment
ISO 27001 certification is not a one-time achievement. It commits the organisation to continuous improvement of the ISMS, annual surveillance audits, and a three-year recertification cycle. Budget accordingly - for internal resource time, CB audit fees, and ongoing control operation.
The organisations that get genuine value from ISO 27001 are those that treat it as a management discipline, not a badge. The standard's continuous improvement requirement, taken seriously, provides a structured mechanism for responding to new threats, technology changes, and business developments in a way that keeps the security programme relevant and effective.
The certificate is the output. A functioning ISMS is the objective.
Scope Expansion Over Time
After a successful first certification, many organisations look to expand their ISMS scope. This might mean including additional business units, geographic locations, products, or data environments. Each expansion requires a re-scoped risk assessment, review of the Statement of Applicability, and potentially new or updated controls.
Scope expansion is best planned ahead of a recertification cycle rather than attempted between surveillance audits. Certification bodies can accommodate scope changes, but the process requires advance notification and may result in additional audit days.
A phased approach - certify the core, expand systematically - produces a more resilient ISMS than attempting to certify everything at once. Each phase builds organisational capability and cultural familiarity with the ISMS requirements, making subsequent expansions progressively easier to execute.
The organisations that are best prepared for first certification are those that treated the readiness programme as an opportunity to build genuine security management capability, not just a project to be finished. The certification is a point on a continuum, not an endpoint.
