
ISO 27001 Certification Process: 8-Step Path to Certified ISMS

Reviewed by Opsio Engineering Team
Debolina Guha

Consultant Manager

Six Sigma White Belt (AIGPE), Internal Auditor - Integrated Management System (ISO), Gold Medalist MBA, 8+ years in cloud and cybersecurity content


The path from "we should get ISO 27001" to a framed certificate on the wall is well-trodden. The standard prescribes the management system requirements; the Plan-Do-Check-Act methodology prescribes the operating loop; the certification body prescribes the audit process. The 8-step path below is the one we run with customers and is consistent with the ISO 19011 audit guidelines that govern certification body practice.

Step 1: Define the ISMS Scope

Scope is the first decision and the most important one. The ISMS scope statement names the boundary of the management system: which parts of the organisation, which sites, which products, which information assets are inside. Everything inside the scope must be covered by controls. Everything outside is excluded — and external interfaces must be controlled as if they were third parties.

Scope choices have direct cost implications. A scope covering "the SaaS product platform and the engineering team that builds it" is much cheaper to certify than a whole-company scope. The right scope is the smallest one that satisfies your customers' needs and that you can defend as a meaningful boundary at audit.

Step 2: Run a Gap Analysis

Gap analysis compares the existing organisation against the standard's requirements. The output is a register of gaps: missing policies, missing controls, missing processes, weak documentation, no internal audit programme, etc. Most first-time programmes start with 60-80% of the standard already partially in place — there is rarely a true greenfield ISMS.

Plan 2-4 weeks for a thorough gap analysis. Output is an action register prioritised by criticality and effort. This action register becomes the project plan for the next 6 months.


Step 3: Conduct the Risk Assessment

The risk assessment is the engine of the ISMS. It identifies information assets, threats to those assets, vulnerabilities, and the risk treatment for each combination. The standard does not prescribe a specific risk methodology — qualitative, quantitative, threat-led, or asset-led approaches all comply, provided the methodology is documented and consistently applied.

Common methodologies:

  • ISO 27005 asset-threat-vulnerability model — most common
  • NIST 800-30 risk model — popular in US-influenced organisations
  • OCTAVE — heavier-weight, suited to larger organisations
  • FAIR (Factor Analysis of Information Risk) — quantitative, finance-friendly

The risk assessment output drives the Statement of Applicability and the risk treatment plan. Both are auditor-facing documents.

Step 4: Build the Statement of Applicability

The SoA names every Annex A control (93 in the 2022 edition), declares each one applicable or excluded, and references where the control is implemented. Excluded controls require justification — the auditor will probe these. The SoA is the auditor's roadmap to your ISMS.

For a typical cloud-native SaaS organisation, 80-92 of the 93 controls are applicable. Common exclusions: physical security controls if you have no physical premises; some legacy controls that genuinely don't apply.
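The link between Step 3 and Step 4 is mechanical enough to check automatically: every risk above the treatment threshold must cite at least one control, every cited control must be declared applicable in the SoA, every applicable control must point at where it is implemented, and every exclusion must carry a justification. The script below is an added example, not part of the original article or of any Opsio tooling. It uses a qualitative 1-5 likelihood × impact matrix with assumed treatment thresholds (the standard prescribes neither), a constructed five-control subset of Annex A, and a constructed risk register and SoA; the inconsistencies it reports are the ones an auditor would probe at Stage 1.

```python
"""Risk register -> treatment -> Statement of Applicability consistency check (added example)."""
from dataclasses import dataclass, field

# Subset of ISO/IEC 27001:2022 Annex A used by the constructed samples below.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.7.1": "Physical security perimeters",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}

# Assumed thresholds on a 1-5 x 1-5 qualitative matrix; the standard does not prescribe them.
TREAT_THRESHOLD = 10   # score at or above this must be treated with controls
ACCEPT_THRESHOLD = 4   # score at or below this may be accepted as-is


@dataclass
class Risk:
    """One asset/threat/vulnerability combination from the risk register."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # Annex A refs chosen as treatment

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be integers 1..5")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def treatment(self):
        if self.score >= TREAT_THRESHOLD:
            return "modify"
        if self.score <= ACCEPT_THRESHOLD:
            return "accept"
        return "review"


def treatment_plan(risks):
    """Risks ordered highest score first, as the treatment plan presents them."""
    return [(r.asset, r.threat, r.score, r.treatment)
            for r in sorted(risks, key=lambda r: r.score, reverse=True)]


def check_soa(risks, soa):
    """Return a list of findings; an empty list means register and SoA agree."""
    findings = []
    for r in risks:
        tag = f"RISK {r.asset}/{r.threat}"
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{tag}: score {r.score} requires treatment but no controls assigned")
        for c in r.controls:
            entry = soa.get(c)
            if entry is None:
                findings.append(f"{tag}: cites control {c} that is not declared in the SoA")
            elif not entry["applicable"]:
                findings.append(f"{tag}: treatment cites excluded control {c}")
    for cid, entry in soa.items():
        if cid not in ANNEX_A:
            findings.append(f"SOA {cid}: unknown control identifier")
        if entry["applicable"] and not entry.get("implemented_in"):
            findings.append(f"SOA {cid}: applicable but no implementation reference")
        if not entry["applicable"] and not entry.get("justification"):
            findings.append(f"SOA {cid}: excluded without justification")
    for cid in ANNEX_A:
        if cid not in soa:
            findings.append(f"SOA {cid}: not declared (every Annex A control must be listed)")
    return findings


# Constructed sample register for a cloud-native SaaS scope.
SAMPLE_RISKS = [
    Risk("customer-db", "ransomware", "unpatched hosts", 4, 5, ["A.8.8", "A.8.13"]),
    Risk("source-repo", "credential theft", "no MFA on SCM", 3, 4, ["A.5.15"]),
    Risk("laptops", "office burglary", "no physical premises", 1, 2),
    Risk("backup-transfer", "interception", "unencrypted channel", 2, 4, ["A.8.24"]),
]

# Constructed sample SoA with two deliberate defects for the checker to find.
SAMPLE_SOA = {
    "A.5.15": {"applicable": True, "implemented_in": "IAM policy IAM-01"},
    "A.7.1": {"applicable": False, "justification": "No physical premises; infrastructure is provider-hosted"},
    "A.8.8": {"applicable": True, "implemented_in": "Vulnerability management SOP VM-02"},
    "A.8.13": {"applicable": True, "implemented_in": ""},        # missing reference
    "A.8.24": {"applicable": False, "justification": ""},        # excluded, no reason, yet cited
}

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print("plan:", row)
    for f in check_soa(SAMPLE_RISKS, SAMPLE_SOA):
        print("finding:", f)
```

Run against the sample data it reports three findings: the backup-transfer risk cites A.8.24 while the SoA excludes it, A.8.13 is applicable with no implementation reference, and A.8.24 is excluded without a justification. Extending `ANNEX_A` to all 93 controls turns the last loop into the completeness check the auditor performs by hand.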

Step 5: Implement Controls and Author Policies

The implementation phase is the longest. Policy authoring (15-25 documents typical), control implementation, training rollout, and evidence collection happen in parallel. The standard mandates documented information for: ISMS scope, security policy, risk assessment methodology, SoA, risk treatment plan, security objectives, evidence of competence, and operational evidence of controls.

Documentation is not the goal. Operations is the goal. Auditors care about whether the policy is operating, not whether the document is well-written.

Step 6: Run Internal Audit and Management Review

Two activities are mandatory before the certification audit:

  • Internal audit — independent review of the ISMS against the standard, conducted by trained internal auditors or contracted external auditors who are not the certification body. Documents conformance and nonconformance findings.
  • Management review — formal meeting of senior leadership reviewing ISMS performance, audit results, risk landscape changes, and resource needs. Documented outputs are required.

Both are check-and-act activities in the PDCA cycle. The auditor will ask to see evidence of both.

Step 7: Pass the Stage 1 Audit

The certification audit splits into two stages. Stage 1 is a documentation review: the certification body (CB) auditor reviews the ISMS scope, policies, SoA, risk assessment, internal audit results, and management review records. The auditor confirms that the ISMS is documented, internally consistent, and ready for Stage 2.

Stage 1 typically lasts 1-3 days on-site or remote. Outcomes: ready to proceed to Stage 2, or findings to address before Stage 2 can run.

Step 8: Pass the Stage 2 Audit

Stage 2 is the controls-operation audit. The auditor samples evidence across the SoA, interviews staff, observes operations, and tests whether the documented controls are actually running as described. Findings are classified as:

  • Major nonconformities — fundamental ISMS failures. Block certification until corrected.
  • Minor nonconformities — isolated or limited-impact issues. Do not block certification but require corrective action plans.
  • Observations / opportunities for improvement — non-blocking, advisory.

Stage 2 lasts 3-15 days depending on organisation size. The CB issues a recommendation to its certification panel, which makes the final certificate decision typically 4-8 weeks after Stage 2 closes.

What Happens After Certification

The certificate is valid for 3 years. The CB conducts annual surveillance audits in years 2 and 3 (lighter than Stage 2 — typically half the audit days). Year 4 is recertification, similar in scope to the original Stage 2.

The risk in years 2 and 3 is letting the ISMS go quiet. The standard requires continuous operation: annual internal audits, annual management reviews, ongoing risk reviews, ongoing control operation. Surveillance audits exist to verify the system is alive, and major nonconformities at surveillance can suspend the certificate.

How Opsio Helps

Opsio runs the complete 8-step path with customers as an end-to-end engagement. Our ISMS implementation service covers scope definition, gap analysis, risk assessment, SoA, policy authoring, control implementation in cloud environments, internal audit, and CB liaison through certification. We tie the audit evidence to platform-native telemetry from Opsio's cloud security and managed pipeline services, so evidence is generated by the platform rather than collected by hand each year.
