
ISO 27001 certification path: from gap assessment to recertification

ISO 27001 certification follows a fixed path: gap assessment (optional), ISMS implementation, internal audit and management review, Stage 1 and Stage 2 audit by an accredited body, annual surveillance audits, recertification in year three.

Step 1: gap assessment (optional but recommended)

A gap assessment maps your current state against the ISO 27001 clauses and the 93 Annex A controls. It produces a list of gaps, a rough remediation effort estimate, and a target timeline.

It is optional in the sense that you can go straight to ISMS implementation, but for most SMEs the gap assessment saves more time than it costs. It is also a good way to evaluate whether a particular consultancy or platform is a fit before committing to a long engagement.

Step 2: ISMS implementation

This is the longest phase: typically six to twelve months for an organisation starting from scratch, and three to six months for an organisation with mature security practices that only need formal documentation.

Deliverables:

  • information security policy
  • risk assessment methodology
  • risk register
  • statement of applicability
  • controls implementation evidence
  • incident response and business continuity plans
  • training records
  • third-party risk register

Step 3: internal audit and management review

Before the certification body audits, you must audit yourself. An internal audit covers the management system clauses (4 to 10) and the Annex A controls in the SoA. The audit must be performed by someone independent of the controls being audited.

A management review follows. The leadership team reviews the audit findings, the risk register status, the incident log, and the planned changes to the ISMS. The management review minutes are inspected at Stage 1.

Step 4: Stage 1 audit (documentation review)

Stage 1 is performed by the certification body and lasts one to three days for an SME. The auditor reviews the ISMS documentation, confirms that the management system is in place, and identifies any major nonconformities that would prevent Stage 2.

Most organisations come out of Stage 1 with some findings. The certification body issues a Stage 1 report; its nonconformities must be closed before Stage 2 can be passed.

Step 5: Stage 2 audit (operational testing)

Stage 2 is the substantive audit. It lasts two to ten days depending on the size of the organisation and the scope of the ISMS. The auditor tests controls in operation: interviews staff, inspects evidence, observes processes, reviews logs.

The output is a Stage 2 report. Minor nonconformities are common and addressed in a corrective action plan; major nonconformities prevent certification and require remediation followed by a re-audit. If no major nonconformities are open at the end of Stage 2, the certification body recommends certification.

Step 6: certification issued

The certification body issues the ISO 27001 certificate, valid for three years from the date of issuance. The certificate names the scope of certification (the products, services, sites, or business units covered). Scope drift is one of the most common reasons certificates are limited or revoked, so the scope statement matters.

Step 7: surveillance audits

Year one and year two of the three-year cycle each include a surveillance audit. Surveillance audits are smaller than Stage 2 (typically one to three days) and focus on continued operation of the ISMS, treatment of any open nonconformities, and any significant changes to the organisation or its environment.

Step 8: recertification (year three)

Year three is recertification. The audit is more substantial than surveillance (close to a Stage 2 in effort) and renews the certificate for another three-year cycle.

Picking a certification body

  • Accreditation matters. The certification body itself must be accredited by a national accreditation body that is a signatory to the IAF Multilateral Recognition Arrangement. Without accreditation, the certificate carries no weight in procurement.
  • Sector experience matters more than name recognition. A certification body that has audited dozens of similar SaaS organisations will move faster and ask better questions than one that has primarily audited industrial firms.
  • Cost varies, but for a typical European SME (50 to 200 employees), full Stage 2 cost is in the €15,000 to €30,000 range. The internal cost of preparing for certification (consulting, platform, internal time) is typically 3 to 5x the audit cost.
