Your guide to the ISO 27001 certification process

Getting an ISO 27001 certification demonstrates that your company has high security standards and that you are serious about protecting your customers’ data. To be ISO 27001 certified, your information security management system (ISMS) must meet the requirements of ISO 27001 and must be verified via a third-party auditor. In this guide, we’ll walk you through the process of getting ISO 27001 certified and how to prepare your organization for a smooth and cost-effective certification process. 

The ISO 27001 certification process

There are generally three phases of the ISO 27001 certification process: planning and preparation, the audit, and maintaining your certification. We’ll break down each of these phases in the following sections.

Three phases of the ISO 27001 certification process.

Phase 1: Planning and preparation

You’ll start your journey to ISO 27001 compliance by aligning your team and understanding the scope of your ISO 27001 project.

Step 1: Assign roles and prepare your team

Reaching ISO 27001 compliance involves various members of your organization. Certain elements of ISO 27001 require action from your leadership team, HR department, engineering department, and more. The first step of an ISO 27001 compliance project is to assign aspects of your compliance project to specific employees or contractors to oversee and ensure that everyone understands their roles and responsibilities.

Step 2: Define your ISMS scope

ISO 27001 has requirements that you must meet, but the way you meet those requirements will vary from one organization to the next depending on your information assets, your operations, and other factors. It’s important to establish the scope of your compliance project before you get started: what information assets need to be protected, how your ISMS is constructed, and what your ISMS may be missing.

Step 3: Assess your current security position

Next, you’ll need to see how much work must be done and how far away you are from being ISO 27001 compliant by conducting an internal risk assessment. An internal risk assessment is an analysis of the potential ways your ISMS could be breached or could fail, such as a compromised employee password, stolen equipment, or equipment failures. Based on the risks you identify, you’ll determine how to implement ISO 27001 in a way that minimizes those risks.

Step 4: Implement security controls and document policies

Now that you have a full account of your potential risks, take the results of your internal assessment, address each security gap you’ve identified, and determine which controls in Annex A to implement to minimize them. Use this to create a list of the controls you will implement to ensure that you’re complying with ISO 27001 standards.

In doing this, you should also prepare the initial documents you’ll need for your audit: your Statement of Applicability and your Risk Treatment Plan. The Statement of Applicability is a document that lists the ISO 27001 security controls, explaining which ones you’ve included or omitted and why, how you implemented them, and where the auditor can find them in your ISMS.

Your Risk Treatment Plan details the risks you’ve identified in your risk assessment. It gives an account of how you plan to address and minimize each high- and medium-priority risk.

Step 5: Train your internal team

One of the essential requirements of ISO 27001 is to train your internal staff on information security basics and techniques to avoid a data breach. Virtually any team member could unknowingly provide a data thief a way into your organization. Staff training should give your organization a foundation in data security and show employees how they can help reduce the risk of a data breach.

Step 6: Collect evidence and prepare audit documents

After you’ve implemented the security controls required by ISO 27001, make sure you can provide proof of these controls to your auditor. Your auditor will request a variety of documents, including:

  • Scope of your ISMS
  • Statement of Applicability
  • Definition of security roles and responsibilities
  • Information security policy
  • Information security objectives
  • Risk assessment process and methodology
  • Internal risk assessment report of results
  • Risk Treatment Plan
  • Results of information security risk treatment
  • Evidence of security monitoring, including measurement of results
  • Documented internal audit process
  • Evidence of your audit programs and audit results
  • Evidence of management review results
  • Evidence of the results of any corrective actions you’ve taken
  • Any other documentation you’ve deemed necessary to show the effectiveness of your ISMS

You’ll be able to create many of these documents during the course of your ISO 27001 implementation, but others will need to be created afterward.


Phase 2: The ISO 27001 audit process

Now that all the required controls are in place, it’s time to begin your official audit and achieve your ISO 27001 certification. 

Step 1: Choose an ISO 27001 auditor 

Now that you’ve implemented the ISO 27001 controls, it’s time to prepare for your assessment by hiring an external auditor. The International Organization for Standardization does not issue ISO certifications itself; certifications are issued by independent certification bodies. Be sure to choose an auditor that adheres to the standards of ISO’s Committee on Conformity Assessment (CASCO).

Step 2: Readiness assessment

Most auditors will begin with a preliminary screening to see if you meet basic necessities for ISO 27001 certification. If you’ve completed the above steps, this should be relatively easy. If your readiness assessment reveals critical gaps, the auditor will let you know what areas of your ISMS need to be addressed. If you pass your initial screening, you’re ready to move on to the next step.

Step 3: Stage 1 audit

Next, you’ll move on to stage 1 of your ISO 27001 certification audit, also known as the documentation audit. During this stage, the auditor will examine the documentation for your ISMS to see what security controls are in place. If you don’t pass this evaluation, the auditor will issue corrective actions you’ll need to take. Once you’ve made those changes, you’ll move on to the next step.

Step 4: Stage 2 audit

Stage 2 of your ISO 27001 certification audit is often called the compliance audit. During the stage 2 audit, your auditor will test the controls within your ISMS and verify that they’re functioning properly.

If this audit reveals gaps or failures that compromise your security, the auditor will tell you which corrective actions you need to take. If you pass this stage, you’ll officially receive your ISO 27001 certification.

Phase 3: Maintaining your ISO 27001 certification

After you’ve achieved your ISO 27001 certification, you’ll need to maintain that certification each year. This is done on a three-year cycle.

Year 1: Surveillance audit

One year after you receive your first ISO 27001 certification, your auditor will conduct a surveillance audit. This is a brief, cursory audit to check that you’re still in compliance with key elements of ISO 27001. If you pass, your ISO 27001 certification remains active for another year. If you don’t pass, you’ll need to start over with a new ISO 27001 certification process, including a pre-screening, stage 1 audit, and stage 2 audit.

Year 2: Surveillance audit round 2

Two years after your initial ISO 27001 certification, you’ll go through another basic surveillance audit. Successfully passing the year 2 surveillance audit allows you to retain your certification. If you don’t pass, you’ll need to start over with another full audit.

Year 3: Full audit

Three years after your initial certification, you’ll need to go through the full audit and certification process again. If you successfully pass your renewal, the three-year cycle begins again.

Get started on your ISO 27001 certification process

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 certification process can look like:

  • Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
  • Assess your risk holistically from one unified view.
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a Vanta-vetted auditor within the platform. 
  • Complete your ISO 27001 certification in half the time. 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.
