Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu



We often come across the situation where one of our customers has decided that they need to become certified to the ISO/IEC 27001 standard, but they’re not sure how to go about it. Sometimes their customers have told them that it is a requirement so in order to carry on doing business it’s a must.

This blog article takes you briefly through the journey to certification and sets out the main stops along the way. If you want more detail, download and read our Implementation Guide available from the ISO27001 product page on the CertiKit website and check out some of our other blog articles.


The Certification Journey

Get management on board

The first and undoubtedly one of the most important steps is to make sure that you have the commitment of the top management of your organization. If the people in charge of the budgets and direction don’t think it’s a good idea then your ISO27001 management system is going to flounder at some point, no matter how much effort you put into it. So make sure they’re on board.

Scope and context

You don’t have to have everything within the scope of your management system so a necessary early step is to draw a ring around what’s included and be able to justify what’s not. You have to get this right because every step from here is affected by it so take your time. Also required is to set out what the standard calls the “context” of your management system – this is really the environment that your organization operates within, both outside and inside its boundaries.

Choose an auditor and assess where you are now

At this point you may like to get in touch with a Registered Certification Body (RCB) who will be in a position to carry out the certification audit later. We would recommend you choose an RCB reasonably early and start to get to know them, including when they are available and how much they charge. This prevents surprises later.

Ok, so the top management is on board, RCB chosen and you know what’s included; now you need to compare how your organization currently does things with the requirements of the standard to see how big the gap is. This will allow you to create a plan to put in place the policies, procedures, controls etc. that are missing. Another early task is to define your objectives for the management system and set up a structure of roles, responsibilities and authorities for information security within your organization.

Assess your risks

Now we come to one of the key foundations of an ISO/IEC 27001 management system – the risk assessment. This involves identifying actions you need to take to protect your assets from the various threats that are out there (and within your own organization of course). These actions are often referred to as controls and the ISO27001 standard provides a full set of reference controls within its Annex A. One of the key documents from an audit viewpoint is the Statement of Applicability which sets out which of these reference controls you feel are applicable to your particular organization.

Implement your controls

If some of these controls are not yet implemented then there is a piece of work to do to define and embed them and this can often be the longest part of any ISO27001 project.

Management review and internal audit

By this point you will have most of the things you need to show compliance to the standard. Before going for certification you will need to have completed a management review and a complete internal audit of the management system too, so it can be a good idea to get these started as early as you can.

And lastly the audit

Once these are done you’re ready for the auditor to make an appearance from the certification body which happens in two stages, conveniently called Stage One and Stage Two. Stage One is a document review to see how ready you are and how well your scope is defined. If the Stage One review encounters no major issues then you will be able to set a date for the Stage Two certification visit.

The Stage Two will be a more in depth review which will highlight any non-conformities it finds and make a recommendation about certification. Once these non-conformities are addressed you will then become officially certified to the ISO/IEC 27001 standard.

Of course, it doesn’t end there. The whole idea of the management system is that it allows you to continuously monitor your information security and fill any gaps you find along the way. The auditor will return about 9-12 months later for a surveillance visit and then every 12 months after that.

This has been a very quick run through of the certification journey and in future blogs we will start to fill in some of the detail around specific areas, so come back to the site as often as you can and hopefully we can tell you more.

We’ve helped more than 4000 businesses with their compliance


Great library of documents that helped tremendously in the development of our respective systems. The organization and hierarchy of the documents were easy to follow.

GC&E Systems Group, Inc.

View all Testimonials