Try for free

ISO 27001 certification step by step: a practical guide for companies

ISO/IEC 27001 is the world's most recognised standard for information security management. The certificate is increasingly demanded by customers in tenders, by insurers, and by regulations such as NIS2 and DORA. Here is a realistic look at how certification actually works — without the consultant marketing.

Phase 1: Scope and context (1–2 weeks)

Define what your information security management system (ISMS) will cover: which processes, locations and systems. A smaller scope means faster certification — most companies start with the whole organisation or a key service. The output is an ISMS scope document and an analysis of the organisation's context (Clause 4 of the standard).

Phase 2: Risk assessment and the SoA (2–4 weeks)

The core of the entire standard. You identify information assets (data, systems, people), evaluate risks by likelihood and impact, and decide how to treat them. The risks feed into the Statement of Applicability (SoA) — a document that states, for all 93 Annex A controls, whether they are applicable and why. The SoA is the first thing an auditor opens.

Phase 3: Documentation (traditionally 2–4 months, days with automation)

The standard requires a documented system: an information security policy, access control, incident management, business continuity, suppliers, training and more. Traditionally this is the most labour-intensive phase — a consultant will charge €10,000 and up for it, while template toolkits give you generic samples to fill in by hand.

This is the phase that ISOForge can automate today: based on a short guided questionnaire about your company, it generates complete documentation tailored to your organisation, with consistent cross-references throughout. Download a sample document and judge the quality yourself.

Phase 4: Implementation and operation (2–3 months)

The documents must come alive: roll out the controls, train employees (annual awareness training is mandatory), start logging incidents and collect records — the evidence that the system works. The auditor will want to see at least 2–3 months of operation.

Phase 5: Internal audit and management review

Before the certification audit, you are required to carry out an internal audit (Clause 9.2) and a management review (Clause 9.3). Findings from the internal audit are addressed through corrective actions. Without these two steps, the certification body will send you home.

Phase 6: Certification audit

It takes place in two stages: Stage 1 is a review of documentation and readiness, Stage 2 is an in-depth on-site audit of how the system operates. The auditor classifies findings as major nonconformities (which block the certificate), minor nonconformities (to be resolved by an agreed deadline) and observations. You choose the certification body yourself — it must be accredited by the national accreditation body in its country.

After certification: this is not the end

The certificate is valid for 3 years, but you undergo a surveillance audit every year and recertification after three years. Documents require annual reviews, risks need periodic reassessment, training is repeated. Most companies underestimate exactly this maintenance — and collect nonconformities at the surveillance audit for expired documents and missing records. The compliance calendar with reminders, the living risk register and document review tracking in ISOForge address precisely this.

Costs: a realistic budget

The most common mistakes

  1. An ISMS scope that is too broad on the first attempt.
  2. Documentation detached from the company's reality — auditors spot it immediately.
  3. No records — a system "on paper" with no evidence that it operates.
  4. Forgetting the internal audit and the management review.
  5. Underestimating maintenance after certification.
Need ISO documentation?

ISOForge generates audit-ready documentation tailored to your company — in English, at a fraction of consultant cost.

Learn more