The ISO 27001 Certification Process: What You Actually Need to Know
If you are trying to understand the ISO 27001 certification process, you are probably dealing with one of two situations. Either a client or government tender has asked for it, or you have had a close call with a data breach and want to get your information security in order. Either way, the process is more structured than most people expect, and knowing what is coming before you start saves a significant amount of time and money.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It gives organisations a systematic framework to protect sensitive data, manage risks, and demonstrate to clients and regulators that their security practices are credible. Getting certified means an independent, accredited certification body has audited your organisation and confirmed your ISMS meets the requirements of the standard.
This guide walks you through every step of the ISO 27001 certification process in plain language, from the initial gap analysis all the way through to maintaining your certificate over the three-year certification cycle.
Step 1: Understand What You Are Getting Into
Before anything else, you need to understand the scope and commitment involved. ISO 27001 is not a quick tick-box exercise. The 2022 version of the standard (formally known as ISO/IEC 27001:2022) contains 93 controls across four themes: organisational, people, physical, and technological. You will not necessarily implement all 93, but you need to assess each one and document your reasoning if you exclude any.
Most small to medium-sized businesses in Australia take between six and twelve months to achieve certification for the first time. Larger organisations or those with complex IT environments can take longer. If you want a realistic picture of what the timeline looks like for your situation, read our detailed breakdown on how long ISO 27001 certification takes.
The other thing to understand upfront is cost. Certification involves consultant fees, internal staff time, and audit fees from your certification body. Our guide on ISO 27001 certification cost in Australia gives you real numbers so you can budget properly before committing.
Step 2: Conduct a Gap Analysis
A gap analysis is where the process actually begins. You are comparing your current information security practices against the requirements of ISO 27001 and identifying where the gaps are.
This is typically done by an experienced ISO 27001 consultant or by a senior internal resource who understands the standard well. The output is a report that tells you what you already have in place, what is partially in place, and what is missing entirely. It also gives you a rough estimate of the effort required to close those gaps.
Common findings at this stage include:
- No formal risk assessment process or methodology documented
- Access controls that are inconsistent or undocumented
- No asset register covering information assets
- Incident response procedures that exist informally but are not documented or tested
- Supplier agreements that do not include security requirements
Do not skip the gap analysis or rush it. It is the foundation for your entire implementation plan. If you underestimate the gaps at this stage, you will either blow your timeline or walk into your audit underprepared.
Step 3: Define the Scope of Your ISMS
One of the most important decisions you will make is defining the scope of your ISMS. The scope determines which parts of your organisation, which locations, which systems, and which processes will be covered by your certification.
You can certify your entire organisation, or you can limit scope to a specific business unit, product, or service. For example, a software company might scope their ISMS to cover their cloud-hosted SaaS platform and the team that develops and operates it, rather than the entire business.
Scope definition has real consequences. A narrower scope is faster and cheaper to certify, but it may not satisfy a client who wants your whole business covered. A broader scope takes more effort but gives you a more meaningful certificate.
Whatever you decide, the scope must be documented clearly and must reflect the actual boundaries of your ISMS. Auditors will check that your scope statement is accurate and that you are not excluding things simply to avoid dealing with them.
Step 4: Conduct a Risk Assessment
This is the technical heart of ISO 27001. The standard requires you to identify information security risks, assess their likelihood and impact, and decide how to treat them. This is not optional and it is not something you can do superficially.
Your risk assessment methodology needs to be documented. You need to define how you identify risks, how you score or rate them, and what criteria you use to decide whether a risk is acceptable or requires treatment.
The outputs of your risk assessment feed directly into your Statement of Applicability (SoA), which is one of the key documents your auditor will scrutinise. The SoA lists all 93 controls from Annex A of the standard, states whether each one is applicable to your organisation, and explains your justification for any exclusions.
If you are a business owner without a technical background, the risk assessment process can feel overwhelming. Our ISO 27001 risk assessment guide for non-technical business owners breaks this down in plain English and gives you practical examples of how to approach it.
Step 5: Implement Controls and Build Your ISMS Documentation
Once you know your gaps and have completed your risk assessment, you implement the controls needed to address the risks you have identified. This is the longest phase of the project for most organisations.
Implementation involves a mix of technical controls, procedural controls, and people-related controls. Examples include:
- Setting up multi-factor authentication and access control policies
- Documenting your information security policy and getting it approved by leadership
- Creating and maintaining an asset register
- Establishing a formal incident management procedure
- Running information security awareness training for all staff
- Reviewing supplier contracts and adding security clauses where required
- Implementing logging, monitoring, and vulnerability management processes
Alongside the technical work, you are also building your ISMS documentation. ISO 27001 requires a specific set of documented information, including your ISMS scope, information security policy, risk assessment and treatment records, SoA, objectives, and evidence of controls being operational.
Good documentation does not mean mountains of paperwork. It means the right documents, kept current, and actually used by the people responsible for them. Auditors are not impressed by thick folders of policies nobody reads. They want to see evidence that your system is working.
Step 6: Run Internal Audits
Before you invite an external auditor in, you need to run internal audits of your ISMS. This is a mandatory requirement of the standard, not a nice-to-have.
Internal audits serve two purposes. First, they check whether your ISMS is operating as intended. Second, they demonstrate to your certification body that you have a functioning audit program, which is itself a requirement of the standard.
Your internal auditor needs to be competent and objective. They cannot audit their own work. In smaller organisations, this sometimes means using a consultant or a staff member from a different part of the business. The audit needs to be planned and documented, and the results need to be reported to management.
Any non-conformities found during the internal audit need to be addressed through corrective action before your Stage 2 certification audit. Finding and fixing problems internally is far better than having your certification auditor find them.
For practical advice on running internal audits that actually find real issues rather than just ticking boxes, our guide on how to run ISO internal audits that actually find problems is worth reading before you start.
Step 7: Conduct a Management Review
ISO 27001 requires top management to review the ISMS at planned intervals. This is not a formality. The management review needs to cover specific inputs defined by the standard, including the results of your internal audits, feedback on information security performance, risk assessment results, and any changes that could affect the ISMS.
The outputs of the management review must be documented and must include decisions about continual improvement, resource needs, and any changes to the ISMS.
Your certification auditor will ask to see evidence of management review. If you cannot produce it, that is a non-conformity. Make sure this happens before your Stage 2 audit and that the minutes or records are thorough enough to demonstrate genuine management engagement, not just a checkbox meeting.
Step 8: Select an Accredited Certification Body
Choosing the right certification body matters more than most businesses realise. Not all certification bodies are equal in terms of auditor competence, industry experience, and the rigour of their audits.
The certification body must be accredited by a recognised accreditation body. In Australia, that means accreditation through JAS-ANZ (Joint Accreditation System of Australia and New Zealand), which ensures the certification body meets international standards for competence and impartiality.
When evaluating certification bodies, look at their experience auditing organisations in your industry, the qualifications of the auditors they assign, their process for handling non-conformities, and their pricing structure for the three-year certification cycle including surveillance audits.
Our guide on how to select the best ISO certification body includes a practical checklist you can use when comparing options.
Step 9: Stage 1 Audit (Documentation Review)
The formal certification process involves two audit stages. Stage 1 is often called the documentation review or readiness audit. Your auditor reviews your ISMS documentation to confirm that you have the required documented information in place and that your system is ready for a full audit.
Stage 1 is typically conducted remotely or on-site over one to two days, depending on the size and complexity of your organisation. The auditor is checking whether your ISMS is sufficiently developed to proceed to Stage 2.
Common Stage 1 findings include incomplete risk assessments, a Statement of Applicability that has not been formally approved, missing mandatory procedures, or a management review that has not yet been conducted.
Stage 1 findings are not failures. They are issues you need to address before Stage 2. Most certification bodies allow a few weeks between Stage 1 and Stage 2, which gives you time to close any gaps identified.
To prepare thoroughly, our checklist on 8 things to do before an ISO Stage 1 readiness audit covers what auditors look for and how to avoid the most common problems.
Step 10: Stage 2 Audit (Certification Audit)
Stage 2 is the main certification audit. Your auditor spends time on-site (or remotely, depending on the arrangement) reviewing evidence that your ISMS is not just documented but actually implemented and operating effectively.
This is where auditors look at real evidence. They will interview staff, observe processes, test controls, and check records. They are not just reading your policies. They want to see that your people understand their responsibilities, that controls are working, and that your system is producing the outcomes it is supposed to.
The Stage 2 audit typically takes between one and three days for small to medium organisations. Larger organisations with multiple sites or complex environments will require more audit days.
If the auditor finds non-conformities, they are classified as either major or minor. A major non-conformity means a critical requirement of the standard has not been met and certification cannot be granted until it is resolved. A minor non-conformity is a less significant gap that needs to be addressed within a defined timeframe, usually before the next surveillance audit.
If no major non-conformities are found, the auditor recommends certification and the certification body issues your ISO 27001 certificate.
Step 11: Maintaining Your Certification
Receiving your certificate is not the end of the process. ISO 27001 certificates are valid for three years, but you are required to maintain your ISMS throughout that period and undergo annual surveillance audits in years one and two, followed by a recertification audit in year three.
Surveillance audits are shorter than the initial certification audit, but they are still substantive. The auditor checks that your ISMS continues to meet the standard's requirements, that you are managing risks, conducting internal audits, running management reviews, and addressing non-conformities.
Organisations that treat certification as a one-off project and let their ISMS go stale between audits consistently struggle at surveillance. The ones that do well treat their ISMS as a living system, update their risk assessments when things change, keep their documentation current, and run meaningful internal audits every year.
Working With an ISO 27001 Consultant
Most organisations, particularly those going through ISO 27001 for the first time, benefit from working with an experienced consultant. A good consultant brings knowledge of the standard, practical implementation experience, and the ability to keep your project on track when it inevitably gets complicated.
The challenge is finding a consultant who is genuinely qualified and has relevant experience in your industry. Our guide on how to compare ISO 27001 consultants gives you a framework for evaluating your options and asking the right questions before you commit.
If you are ready to get quotes from vetted ISO 27001 consultants and certification bodies, CertBetter connects you with up to three competing providers through a single form. The service is completely free for businesses, and all providers on the platform are verified. It is a straightforward way to compare your options without spending weeks chasing quotes individually.