
ISO 27001 Certification Process: Detailed Breakdown Of Phases

Unsure which tasks you need to perform to get ISO 27001 certified? This article walks you through the ISO 27001 certification process and explains what is required at each stage.

ISO 27001 is an information security standard published by the International Organization for Standardization. It requires organizations to implement security controls drawn from its Annex A to keep sensitive data secure.

You may ask: 'Is it compulsory to comply with ISO 27001?' It is not a legal obligation; organizations are not bound to comply with ISO 27001 requirements. Then why would any organization go through the effort of securing ISO 27001 certification?

Generally, organizations get ISO 27001 certified to demonstrate their commitment to protecting data and gain the trust of stakeholders, partners, and clients (whose prime concern is data security). By earning their trust, organizations open doors for partnership and investment opportunities.

However, organizations often struggle to secure ISO 27001 certification. Why? The certification process involves a series of intricate tasks, and it is easy to become confused about where to start and what needs to be done. If you are stuck in a similar situation, don't worry.

This confusion is easily addressed with proper guidance, and that is what this article provides. We'll guide you through each stage of the ISO 27001 certification process and explain what needs to be done in every phase. So, let's dive in.

ISO 27001 Certification Process: 3 Key Phases

Below, we’ve outlined 3 key stages of the ISO 27001 certification process and explained what happens at each stage.

Phase 1: Planning & Preparation

In this phase of the ISO 27001 certification process, you have to perform the following tasks:

  • Get Approval From Senior Management

First, obtain senior management approval before starting the ISO 27001 certification process. This approval matters because certification requires considerable investment in resources and money, and senior management is the only party that can provide the support needed to complete the process. If unexpected expenses arise during the process, senior management is the one who can allocate the required funds so that the certification effort continues smoothly.

With that approval in place, you can ensure your ISO 27001 certification process is not interrupted or delayed by finance or resource constraints.

  • Form A Dedicated Team For Internal Audit Process

Once you secure the approval, the next step is to assemble a dedicated team and assign each member distinct roles and responsibilities, which avoids conflicts of interest and bias in the certification process. For example, designate one member to supervise the information security management system (ISMS) review process, another to work on the review outcomes (addressing identified issues and areas for improvement), and a third to verify that those issues have actually been addressed. This way, every step of the ISO 27001 certification process is handled effectively, and if any mistakes occur while managing the process, you can quickly identify who is accountable.

  • Define Scope Of Information Security Management System (ISMS)

Every organization handles different types of data (such as financial records, customer personal data, PHI, and employee details). So, when you define the scope of your information security management system (ISMS), clearly state the types of data the system must cover. This way, you build a setup that protects the information categories that are crucial for your organization.

  • Implement ISO 27001 Annex A Controls & List Them In The Statement Of Applicability (SoA)

Once you have identified what type of information you want to protect, the next step is to select and implement the relevant controls from ISO 27001 Annex A. Note that Annex A includes 93 controls, but you are not required to apply all of them. Instead, choose the controls that align with your data protection needs.

After selecting the relevant controls, you must list them in a Statement of Applicability (SoA); this step cannot be skipped, because the SoA plays a crucial role in a later phase of the certification process. The ISO 27001 auditor will request this record and go through it to understand which ISO 27001 controls you have implemented, and will conduct the ISMS audit on that basis.

  • Perform Pre-Assessment & Generate Report

After implementing the Annex A controls, you need to conduct an internal risk assessment, effectively a pre-assessment, to prepare for the official ISO 27001 certification audit.

This assessment helps you determine whether the controls and security measures you have put in place are functioning as intended. For example, can they safeguard your critical data against breaches or vulnerabilities? If any gaps or areas for improvement are found, address them before the official audit.

Your work doesn't end here. You also need to generate a pre-assessment report detailing the controls you have implemented, the security practices you follow, and the measures you have taken to mitigate threats. Keep in mind that the auditor will review this report to gauge your preparedness and your commitment to maintaining a strong security setup.

Also Read: 10-Step ISO 27001 Checklist

Phase 2: ISO 27001 Audit Stage

Once planning and preparation are complete, the next phase of the ISO 27001 certification process is the official audit that leads to the ISO 27001 compliance certificate. For that, you need to perform the following tasks:

  • Hire An External ISO 27001 Auditor 

The International Organization for Standardization (ISO) does not issue certifications itself; ISO 27001 certifications are granted by authorized third-party bodies (such as certification firms or independent external auditors).

So, to obtain the official ISO 27001 compliance certification, you have to bring in an external, independent ISO 27001 auditor to review your ISMS.

However, you must ensure that the auditor you choose complies with the conformity assessment guidelines set by ISO's Committee on Conformity Assessment (CASCO). If you are reviewed by a non-compliant auditor, the certification they issue will be deemed invalid. Therefore, check an auditor's compliance status thoroughly before engaging them.

  • Conduct 2-Stage Certification Review

Note: The steps described below are carried out by the external auditor you choose.

The external ISO 27001 auditor will conduct two audits: stage 1 and stage 2.

Stage 1: ISO 27001 Certification Audit

First, the auditor performs a Stage 1 ISO 27001 certification review to evaluate whether your information security management system aligns with the mandatory ISO 27001 requirements. They will also examine the internal pre-assessment documents (the initial audit report) that you prepared for the auditor in phase 1 of the certification process.

Note: The effectiveness of your ISMS is not reviewed in this stage; it is assessed in stage 2.

Generally, in this audit stage, the auditor looks for 'nonconformities': gaps or issues where your ISMS does not meet the ISO 27001 obligations. If any nonconformities are found, the auditor asks you to fix the gap in your ISMS and to submit corrective action records (evidence demonstrating that you have genuinely resolved the problem).

Note: There are two types of nonconformities, major and minor. For a major nonconformity (a serious issue in your ISMS), you have to create a corrective action plan, work on the issue, and present both evidence of correction and evidence of remediation. For a minor nonconformity, you simply create an action plan and present evidence of correction; no remediation evidence is needed.

Once you submit the records, the auditors evaluate the evidence again. If everything is found to be in order, they grant you permission to proceed to the stage 2 ISO 27001 certification audit.

Stage 2: ISO 27001 Certification Audit

In the stage 2 ISO 27001 certification audit, the auditor reviews whether the security practices and controls you have implemented work as expected. They also review the Statement of Applicability (SoA), which lists the specific Annex A controls you have applied to your ISMS.

During the stage 2 audit, the auditor focuses mainly on the effectiveness of your ISMS. For that, they may even perform risk penetration tests, in which they create a scenario and observe how your ISMS responds and holds up (essentially examining how your ISMS performs under pressure).

If any nonconformities are detected, the auditors provide suggestions for improvement. Much like stage 1, you have to work on the issues detected during the test and present proof that they have been resolved. Once the evidence is submitted, the auditors review it again, and if everything is found to be in order, they issue the official ISO 27001 certification.

Phase 3: ISO 27001 Certification Maintenance

Your journey doesn't end after achieving ISO 27001 certification; it is the start of an ongoing commitment. You still have to go through the last phase of the ISO 27001 certification process, certification maintenance. Here are the tasks performed in this stage:

  • Conduct Biannual or Annual Internal Reviews

You must conduct biannual or annual reviews of your information security management system to ensure that the security practices and controls you have implemented continue to perform as expected (i.e., can respond to and withstand breaches).

In addition, if you hire an external auditor for the annual audit, they will check the records of previously identified minor nonconformities and evaluate whether you have made improvements to your system.

  • Perform Recertification Audit

Note that your ISO 27001 certification is only valid for 3 years, so once the time period expires, you will have to undergo a re-certification audit.

You may ask: 'Aren't official certifications supposed to be valid for a longer duration? Why is there a need for a re-audit?'

Think about it: 3 years is a long time, and most organizations' security policies, structures, and practices change during that period. These changes make your previous ISO 27001 certification outdated (in simple words, the ISO auditor reviewed your old ISMS and issued the initial certification based on it, so once you make significant changes, your certification needs to be renewed). To show stakeholders, partners, and clients that your organization's updated policies and practices are effective enough to withstand breaches, you have to undergo a recertification process and obtain a new ISO certification.

Note: This is an ongoing process; you must perform a certification audit again every three years.

Having gone through all the phases of the ISO 27001 certification process, you may have realized that it involves performing multiple tasks with precision. Although some tasks are performed by external ISO 27001 auditors, the bulk of the process must be handled by your internal team.

So, if you take a manual approach to tasks like implementing controls, working on review outcomes, and conducting internal reviews, your team needs to put in a lot of effort and time, with no guarantee of accuracy. This can later compromise your chances of attaining the compliance certificate.

What can be done? One option is to adopt an access review platform like Zluri. How does it help? Let's quickly find out.

How An Access Review Solution Can Help You Simplify the ISO 27001 Certification Process

Zluri's access review solution takes the burden off your team by automating the access review process (a process that requires the utmost attention to detail). Your team only needs to specify a few details, such as which user types and applications need to be reviewed and what action to take (modify the user's access or revoke it) if misalignments or discrepancies are found; Zluri takes care of the rest. Here's how it does that:

  • Simplifying Review Process 

First, Zluri's access review integrates with the application your team specifies, pulls in the details of all users who are accessing it, and displays them in a centralized dashboard. Then, based on the specified type of users (you can set which user type, for example managers or employees, should be reviewed), a thorough user access review is performed. When a misalignment is detected, such as a user holding excessive access permissions or unauthorized access, remediation actions run automatically and fix the user's access rights without manual intervention.

Finally, it generates a detailed UAR audit report showing which users and applications it has reviewed and what action it has taken to fix discrepancies or misalignments. The best part is that you can present this report directly as a pre-assessment report to the ISO 27001 auditors, as it serves as proof that you have taken the necessary action to maintain data security by managing access.

So, a review that would take your team days is completed within minutes, saving a significant amount of time and speeding up the review process by 10 times. This also means you can secure your ISO 27001 certification faster.

To get more clarity on how Zluri's access review conducts assessment, you can go through this access review tour.

Also Read: ISO 27001 Automation: Enhancing efficiency and security

  • Makes Control Implementation Easier

Zluri is not restricted to simplifying the access review process; it also helps you implement access control to protect your critical data from unauthorized users. Zluri offers an access management solution that lets your team set up automation rules to grant, modify, and revoke user access (which Zluri runs once triggered).

Your team only needs to specify the 'when', 'condition', and 'then' parts of an automation workflow. Suppose you want to grant Asana access only to users whose role is project manager. Your team would specify the rule as: 'when' = 'user' > 'condition' = 'role' equals 'project manager' > 'then' = 'grant Asana access'. Once the rule is created and your team triggers it, Zluri automatically grants Asana access to all project managers.

This is how Zluri's access management simplifies control implementation, with just a few settings and a single click. In this way, you can meet ISO 27001 data security requirements without hassle and better prepare your ISMS for the official audit.
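To make the two mechanisms described above concrete, the when/condition/then access rule and the user access review that compares actual application grants against it, here is an added example in Python. It is illustrative code written for this article, not Zluri's product code or API. The rule model, the user records, the application grants, and the app names (Asana, plus a hypothetical GitHub rule keyed on department, to show that the condition can test any user attribute) are all constructed for the example. The review flags excessive access (a grant the rules do not justify) and unknown users, proposes revoke and grant actions, and produces the kind of summary a UAR report would contain.

```python
"""Added example: role-based access rules plus a user access review.
Not Zluri's code; all users, rules and grants below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


@dataclass(frozen=True)
class Rule:
    """'when' a user is evaluated, if user.<attribute> == <equals>,
    'then' the user is entitled to <app>."""
    app: str
    attribute: str
    equals: str

    def matches(self, user: User) -> bool:
        return getattr(user, self.attribute, None) == self.equals


# Constructed policy: project managers get Asana; engineering gets GitHub.
RULES = [
    Rule(app="Asana", attribute="role", equals="project manager"),
    Rule(app="GitHub", attribute="department", equals="engineering"),
]

# Constructed directory of known users.
USERS = [
    User("alice", "project manager", "engineering"),
    User("bob", "engineer", "engineering"),
    User("carol", "project manager", "product"),
    User("dave", "contractor", "finance"),
]

# Constructed snapshot of who actually holds access, as an app integration
# would report it: {app: set of usernames}. 'eve' is not in the directory.
ACTUAL_GRANTS = {
    "Asana": {"alice", "bob"},
    "GitHub": {"alice", "bob", "eve"},
}


def entitled_apps(user, rules):
    """Apps the policy says this user should have."""
    return {r.app for r in rules if r.matches(user)}


def review_access(users, rules, actual_grants):
    """Compare actual grants with policy. Returns (findings, actions):
    findings are discrepancies; actions are ('revoke'|'grant', app, user)."""
    by_name = {u.name: u for u in users}
    findings, actions = [], []
    # Pass 1: every holder must be a known user entitled by some rule.
    for app in sorted(actual_grants):
        for name in sorted(actual_grants[app]):
            user = by_name.get(name)
            if user is None:
                findings.append({"app": app, "user": name, "issue": "unknown user"})
                actions.append(("revoke", app, name))
            elif app not in entitled_apps(user, rules):
                findings.append({"app": app, "user": name, "issue": "excessive access"})
                actions.append(("revoke", app, name))
    # Pass 2: the 'then' part of each rule, grant what policy entitles but is missing.
    for user in users:
        for app in sorted(entitled_apps(user, rules)):
            if user.name not in actual_grants.get(app, set()):
                actions.append(("grant", app, user.name))
    return findings, actions


def apply_actions(actual_grants, actions):
    """Return a new grants snapshot with the remediation actions applied."""
    grants = {app: set(holders) for app, holders in actual_grants.items()}
    for verb, app, name in actions:
        grants.setdefault(app, set())
        if verb == "revoke":
            grants[app].discard(name)
        else:
            grants[app].add(name)
    return grants


def audit_report(users, actual_grants, findings, actions):
    """Plain-text UAR summary: scope reviewed, discrepancies, actions taken."""
    lines = [f"Reviewed {len(users)} users across {len(actual_grants)} applications"]
    for f in findings:
        lines.append(f"FINDING {f['app']}/{f['user']}: {f['issue']}")
    for verb, app, name in actions:
        lines.append(f"ACTION {verb} {app} for {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    found, todo = review_access(USERS, RULES, ACTUAL_GRANTS)
    print(audit_report(USERS, ACTUAL_GRANTS, found, todo))
    print("Clean after remediation:",
          review_access(USERS, RULES, apply_actions(ACTUAL_GRANTS, todo)) == ([], []))
```

Running the review once yields two findings (bob holds Asana without a justifying rule; eve is not in the directory at all) and three actions (two revokes and a grant for carol, who is a project manager without Asana). Applying the actions and reviewing again returns no findings, which is the property a periodic review should converge on between audits.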

Also Read: A Guide to ISO 27001 IAM Implementation

Give Undivided Attention To Each Phase Of the ISO 27001 Certification Process

To successfully attain ISO 27001 certification, you have to give undivided attention to each phase of the process, whether implementing ISO 27001 Annex A controls, conducting the pre-assessment, or working on the external auditor's nonconformity feedback. The ISO 27001 certification process can be demanding, but the long-term benefits of holding an ISO 27001 certification make the effort worthwhile.

Moreover, by following the data security mandates set by ISO 27001, you not only achieve the official certification but also close attack gaps and minimize the risk of breaches. You are well aware of the devastating consequences of security breaches, so the effort you put into improving your security system today is an investment in long-term security and resilience.

Frequently Asked Questions (FAQs)

1. How Much Time Does It Take To Complete the ISO 27001 Certification Process?

On average, it takes 6-12 months to complete the entire ISO 27001 certification process (from implementing all the relevant controls to reviewing them internally and responding to the external auditors' suggestions). However, this duration varies with your organization's size and the sensitivity of the data you handle.

2. How Much Does It Cost To Get ISO 27001 Certified?

ISO 27001 certification audit costs typically range between $30,000 and $60,000 (stage 1 and stage 2 expenses combined).
