Understanding the ISO 27001 Certification Audit Process
It’s one of the most common questions we get asked as organisations pursue ISO 27001: what happens at the certification audit? Firstly, the certification audit is undertaken in two parts, a Stage 1 audit and a Stage 2 audit, both carried out by a certification body. The two audits have distinct roles.
Stage 1: Documentation Review
The first stage is primarily a desk-based assessment in which auditors examine your Information Security Management System (ISMS) documentation to determine whether you are ready to progress to Stage 2. This stage therefore focuses on whether your documented system meets the requirements of ISO 27001.
What the auditors review:
- Information security policy and objectives
- Risk assessment methodology and documentation
- Statement of Applicability (SoA)
- Mandatory documented procedures
- Risk register and treatment plans
- ISMS scope and boundaries
Duration: Typically 1-2 days, depending on organisation size and complexity.
Outcome: Auditors identify any gaps or non-conformities in your documentation that must be addressed before progressing to Stage 2. They’ll also confirm the scope of the certification and assess your organisation’s readiness for the Stage 2 audit.
Key focus areas: The auditors are looking for completeness, consistency, and compliance with ISO 27001 requirements in your documented approach to information security management. They are not expecting you to have everything in place at this stage.
Stage 2: Implementation Assessment
The second stage is an on-site assessment (or remote where appropriate) that evaluates how effectively your ISMS operates in practice. This is where auditors verify that your documented system is actually implemented and working; they will examine a large part of your ISMS against the clauses and controls.
What auditors assess:
- Practical implementation of documented procedures
- Effectiveness of selected security controls
- Staff awareness and competence
- Evidence of risk management in action
- Management commitment and oversight
- Incident management capabilities
- Continuous improvement activities
Duration: Usually 2-5 days, varying based on organisation size, complexity, and scope.
Methods used: Auditors conduct interviews with staff at various levels, review records and evidence, observe processes in operation, and test security controls identified in your Statement of Applicability.
Outcome: Following Stage 2, the certification body makes a decision on whether to award ISO 27001 certification. Minor non-conformities may be addressed through a corrective action plan, whilst major non-conformities typically require re-audit.
The Certification Decision
After both stages are completed successfully, the certification body’s technical review team evaluates the audit findings and makes the final certification decision. If approved, your organisation receives an ISO 27001 certificate valid for three years, subject to annual surveillance audits.
The two-stage approach ensures that organisations not only have robust documentation but can demonstrate effective implementation of their information security management system in practice.
Questions
If you have questions about the certification audit or need guidance throughout the audits, then please contact us and we’ll be happy to help.