ISpectra Technologies
Audit, Certification & Evidence · Advanced · Updated Jun 2026 · 10 min read

The ISO 27001 Certification Process: Step by Step

The ISO 27001 certification process is a clear, repeatable sequence of steps. This guide walks through every stage, from first scoping to the certificate in your hand, so you know exactly what happens and when.


For all its reputation, ISO 27001 certification follows a well-defined process. Knowing that process in advance removes most of the anxiety: you can plan, resource, and track each step rather than feeling your way through an opaque standard. The same sequence applies whether you do it in-house or with a partner.

This guide lays out the full ISO 27001 certification process step by step — the internal work, the external audit, and what follows — so your route to ISO 27001 certification is a map rather than a maze.

An overview of the process

The certification process has two broad halves: the internal work of building and operating the ISMS, and the external work of being audited and certified by an accredited body. The internal half is the bulk of the effort; the external half confirms it.

Within those halves sit the recognisable steps: scoping, risk assessment, control implementation, documentation, operation, internal audit, management review, and then the Stage 1 and Stage 2 audits. Maintenance follows.

Understanding this shape lets you see where you are at any moment and what comes next.

Step 1: Scope and leadership

The process opens with defining the ISMS scope, understanding context and interested parties, and securing top-management commitment. These foundational decisions shape everything that follows, so they deserve focused attention even though they take little calendar time.

The outputs are a documented scope statement and an engaged executive sponsor — both prerequisites for a smooth project and both examined early by the auditor.

Rushing this step to reach the ‘real’ work is a common and costly mistake.


Step 2: Risk assessment and treatment

Next you establish a risk methodology, identify and evaluate risks, and decide treatments, producing a risk treatment plan. This step is the engine of the process because it determines which controls you will implement.

Done well, it makes every later decision defensible; done poorly, it undermines the whole ISMS. Auditors scrutinise the link between risks and controls closely.

The output feeds directly into the Statement of Applicability.

Step 3: Implement controls and documentation

Guided by the risk treatment plan, you implement the selected Annex A controls and produce the required documentation: policies, the Statement of Applicability, and supporting procedures. This is typically the longest phase of the process.

The focus should be on controls that genuinely operate and on documents that match practice. Templates and ISO 27002 guidance accelerate this work considerably.

Evidence collection should begin here, captured as a by-product of the controls running.

Step 4: Operate the ISMS

Before certification, the ISMS must run for a period so it generates a track record. Controls operate, evidence accumulates, and any practical problems surface while you can still fix them. ISO 27001 does not mandate a fixed window, but auditors expect genuine operation.

This operating period is what lets Stage 2 test operating effectiveness rather than just design. A few weeks to a couple of months is common, depending on your situation.

Continuous, automated evidence collection makes this phase painless.

Step 5: Internal audit and management review

ISO 27001 requires you to audit your own ISMS and hold a management review before the external audit. The internal audit, ideally by someone independent of the build, surfaces gaps while you can still address them quietly.

The management review puts results before leadership for decisions, satisfying a clause requirement and demonstrating ownership. Both produce records the external auditor expects to see.

Treating these as genuine rehearsals is what makes the external audit anticlimactic.

Step 6: Choose and engage a certification body

In parallel with the later internal steps, select an accredited certification body and book your audit. Accreditation is the crucial check; reputation, industry fit, cost, and scheduling matter too. Booking early prevents the body’s availability from becoming a bottleneck.

Remember the body must be independent of whoever helped you prepare. A preparation partner can help you select an appropriate body while staying separate from the certification decision.

Lining this up in good time keeps the end of the process smooth and is a significant part of an uneventful path to ISO 27001 certification.

Step 7: Stage 1 audit

The external audit begins with Stage 1, a documentation review. The auditor checks that your ISMS is designed and documented correctly — scope, policy, risk assessment, Statement of Applicability, and the mandatory records — and identifies anything that must be fixed before Stage 2.

Stage 1 is also where the auditor confirms you are ready to proceed. Findings here are normal and addressable; the point is to enter Stage 2 with no documentation surprises.

A well-prepared documentation set makes Stage 1 straightforward.

Step 8: Stage 2 audit

Stage 2 is the main audit, testing whether your controls actually operate. The auditor samples evidence, interviews control owners, and assesses operating effectiveness across your ISMS. This is where the operating period and continuous evidence pay off.

Any nonconformities are recorded by severity; minor ones are typically addressed through corrective-action plans, while major ones may need resolving before certification. Pass Stage 2 and the auditor recommends you for the certificate.

For a well-run ISMS, Stage 2 confirms what your evidence already shows.

Step 9: Certification decision and certificate

After Stage 2, the certification body’s independent reviewers consider the auditor’s recommendation and, once any required actions are closed, make the certification decision and issue your certificate. The certificate states your scope and is valid for three years.

At this point you can display the certificate, share it with customers, and use it to clear security reviews. The internal effort has produced a recognised, external credential.

It is a genuine milestone — and the start of the maintenance cycle.

Step 10: Maintain and recertify

The process does not end at the certificate. Surveillance audits in years one and two, and recertification in year three, require the ISMS to keep operating. Recurring controls, evidence, internal audits, management reviews, and risk updates continue throughout.

Building these into a maintenance rhythm keeps the certificate valid and the audits routine. Treating certification as a finish line, by contrast, leads to stressful surveillance audits.

A sustainable ISMS makes the ongoing process almost invisible.

The bottom line

The ISO 27001 certification process is a clear sequence: scope and leadership, risk assessment, control implementation and documentation, an operating period, internal audit and management review, choosing a certification body, Stage 1 and Stage 2 audits, the certification decision, and then maintenance and recertification.

Knowing the steps lets you plan and resource each one, so the project feels like a map rather than a maze. The internal work is the bulk; the external audit confirms it.

ISpectra runs clients through this entire process — from gap analysis to certificate and beyond — with free VAPT and a multi-framework discount, turning the sequence above into a smooth, supported journey.

Running the process in parallel

Although the steps are sequential in logic, a well-run project overlaps them in practice to save time. Documentation can progress while controls are being implemented; evidence collection can begin as soon as the first controls go live; and certification-body selection can happen while the ISMS is still operating its early period.

This parallelism is the main way experienced teams compress the timeline without cutting corners — the substance of each step is still done properly, just not strictly one after another. A simple project plan with owners and dependencies makes the overlaps safe.

The result is a process that flows continuously rather than stalling between discrete phases, which is what turns a twelve-month effort into a five- or six-month one.

FAQ

The ISO 27001 Certification Process: Step by Step — Frequently Asked Questions

What are the steps in the ISO 27001 certification process?
Scope and leadership, risk assessment and treatment, control implementation and documentation, an operating period, internal audit and management review, choosing a certification body, Stage 1 and Stage 2 audits, the certification decision, and ongoing maintenance and recertification.

What is the difference between the Stage 1 and Stage 2 audits?
Stage 1 is a documentation review confirming the ISMS is designed and documented correctly; Stage 2 is the main audit testing whether the controls actually operate, through evidence sampling and interviews.

When should you choose a certification body?
In parallel with the later internal steps, and book early so the body's availability does not delay your certificate. Confirm it is accredited and independent of whoever helped you prepare.

What happens after the Stage 2 audit?
The certification body's independent reviewers consider the recommendation, you close any required actions, and the body issues a certificate stating your scope, valid for three years. Then the maintenance cycle begins.

Does the process end once the certificate is issued?
No. Surveillance audits in years one and two and recertification in year three require the ISMS to keep operating, so maintenance — recurring controls, evidence, internal audits, and reviews — continues throughout.

Ready to get ISO 27001 certified?

ISpectra takes you from gap assessment to certificate — ISMS build, risk assessment, Annex A controls, evidence, and audit support in one program. Free VAPT included, and 10% off when you bundle multiple frameworks.