ISO 27001 Auditing and Certification Process

ISO 27001 certification is a rigorous process that demonstrates an organization's commitment to information security management. This document outlines the certification process, audit preparation, common findings, and maintenance of certification.

Certification Process Overview

  1. Preparation & Documentation
  2. Stage 1 Audit (Documentation Review)
  3. Implementation of ISMS
  4. Stage 2 Audit (On-site Assessment)
  5. Addressing Non-conformities
  6. Certification Decision
  7. Ongoing Surveillance Audits and Recertification (every three years)

1) Preparation & Documentation

The preparation and documentation phase involves laying the groundwork for the Information Security Management System (ISMS). This includes defining the scope, developing policies, conducting risk assessments, and creating necessary documentation. For a detailed explanation of this step, please refer to the article ISMS Framework Implementation and Risk Assessment, where we cover the preparation and documentation process in depth.

2) Internal Audits

An internal audit is a process in which an auditor from within the organization reviews the ISMS documentation and day-to-day practices to check that they comply with the ISO 27001 standard. It is a crucial step for confirming that the ISMS is functioning effectively before the external certification audits take place.

Conducting Internal Audits:

  1. Plan the audit schedule
  2. Select and train internal auditors
  3. Prepare audit checklists
  4. Conduct the audit
  5. Document findings and non-conformities
  6. Present results to management
  7. Implement corrective actions

3) Implementation of ISMS

Based on the results of the internal audit, the organization should implement corrective actions to address any non-conformities that were found, so that the ISMS is operating as designed before the external certification audits begin.

4) External Audits

External audits are conducted by an accredited certification body to verify compliance with the ISO 27001 standard. During the external audit, the auditor will:

  • Examine the ISMS implementation in detail
  • Interview staff
  • Observe processes in operation
  • Verify records
  • Review relevant documentation
  • Verify compliance with ISO 27001 requirements
  • Identify non-conformities
  • Recommend improvements

External Audit Preparation

To reduce the likelihood that the external auditor raises non-conformities, the organization should:

  1. Review and update all ISMS documentation
  2. Conduct a thorough internal audit
  3. Address any identified non-conformities
  4. Ensure management commitment and involvement
  5. Train staff on ISO 27001 requirements and their roles
  6. Prepare evidence of ISMS implementation and effectiveness

5) Addressing Non-conformities

The following are common non-conformities raised during external audits:

  1. Incomplete risk assessments
  2. Inadequate internal audit processes
  3. Lack of measurable objectives
  4. Insufficient management review
  5. Incomplete asset inventory
  6. Inadequate access control measures
  7. Lack of incident management procedures
  8. Insufficient business continuity planning

6) Certification Decision

After the external audit, the auditor provides a report of the findings and recommendations for improvement. The organization then has the opportunity to address any non-conformities found during the audit. Once all non-conformities have been addressed, the organization is certified.

7) Surveillance Audits

Congratulations! You have successfully completed the ISO 27001 certification process and you are now a part of the 40,000 organizations that are certified. However, maintaining certification is an ongoing process and you are required to re-certify every three years in something called a "surveillance audit".

Surveillance audits are conducted by an accredited certification body to verify continued compliance with the ISO 27001 standard. During a surveillance audit, the auditor will:

  • Examine the ISMS implementation in detail
  • Interview staff
  • Observe processes in operation
  • Verify records

Ongoing Maintenance

Aside from the surveillance audits themselves, there are other things you should do to maintain your certification:

  1. Conduct regular internal audits
  2. Perform annual management reviews
  3. Continuously improve the ISMS
  4. Address non-conformities promptly
  5. Stay updated on information security threats and ISO 27001 changes
  6. Prepare for and pass surveillance audits