The Certification Journey
Getting ISO 27001 certified is a journey, not a destination. Here's your roadmap from initial planning to maintaining certification.
Phase 1: Preparation (1-3 months)
Get Buy-In
- Present the business case to leadership
- Secure budget and resources
- Assign project ownership
Initial Assessment
- Gap analysis against ISO 27001
- Identify existing controls
- Estimate implementation effort
Project Planning
- Define scope boundaries
- Create implementation timeline
- Identify team members and responsibilities
Phase 2: Implementation (3-9 months)
Build the Foundation
- Establish the ISMS framework
- Document the information security policy
- Define roles and responsibilities
Risk Assessment
- Identify information assets
- Assess threats and vulnerabilities
- Calculate and prioritize risks
- Create risk treatment plan
Implement Controls
- Select applicable Annex A controls
- Implement technical controls
- Create policies and procedures
- Train staff
Documentation
- Statement of Applicability
- Risk assessment reports
- Procedures and work instructions
- Evidence of implementation
Phase 3: Internal Audit (1-2 months)
Prepare for Internal Audit
- Train or hire internal auditors
- Develop audit program and checklists
- Schedule departmental audits
Conduct Internal Audit
- Review documentation
- Interview staff
- Test control effectiveness
- Document findings
Address Findings
- Categorize nonconformities
- Implement corrective actions
- Verify corrections are effective
Management Review
- Present audit results to management
- Review ISMS performance
- Decide on improvements
- Document decisions
Phase 4: Certification Audit
Stage 1 Audit (Documentation Review)
Duration: 1-2 days
What happens:
- Auditor reviews your documentation
- Verifies scope is appropriate
- Checks mandatory documentation exists
- Identifies any major gaps
Outcome:
- Report of findings
- Confirmation you're ready for Stage 2
- Or findings to address before Stage 2
Gap Period (1-3 months)
- Address any Stage 1 findings
- Final preparations
- Staff briefings on audit process
Stage 2 Audit (Implementation Assessment)
Duration: 2-5 days (depends on scope size)
What happens:
- On-site (or hybrid) assessment
- Interviews with staff at all levels
- Review of evidence and records
- Testing of control effectiveness
- Verification of risk treatment
Outcome:
- Certificate issued (if successful)
- Or corrective action required
Phase 5: Maintaining Certification
Year 1: Surveillance Audit
- Partial scope review
- Verify ongoing compliance
- Check corrective actions
Year 2: Surveillance Audit
- Different areas reviewed
- Continued compliance verification
- Improvement progress
Year 3: Recertification Audit
- Full scope review
- Similar in depth to the initial Stage 2 audit
- New 3-year certificate issued
Certification Timeline
Month 1-3: Preparation & Planning
Month 4-9: Implementation
Month 10-11: Internal Audit & Fixes
Month 12: Stage 1 Audit
Month 13-14: Address Findings
Month 15: Stage 2 Audit
Month 15: 🎉 CERTIFICATION!
Choosing a Certification Body
Consider:
- Accreditation - Must be accredited by a recognized accreditation body (UKAS, ANAB, etc.)
- Experience - In your industry
- Availability - Auditor scheduling
- Cost - Competitive quotes
- Reputation - References from peers
Cost Expectations
| Item | Small Org | Medium Org |
|---|---|---|
| Implementation | $20-50K | $50-150K |
| Certification Audit | $15-25K | $25-45K |
| Annual Surveillance | $5-10K | $10-20K |
Tips for Success
- Start early - Don't rush implementation
- Get help - Consider consultants for guidance
- Involve everyone - ISMS is not just IT's job
- Document as you go - Don't leave it until the end
- Use tools - GRC platforms save time