ISO 27001 certification: What happens in the certification audit?

The main point of audits is to carry out independent and systematic evaluations of an organization's ISMS and information security.

Audits will help you find parts of your ISMS that are outdated and no longer accurate. They will help you find areas for improvement and identify gaps. They are one method for ensuring continuous improvement and accountability related to your information security. Audits keep you honest (when done well).

This blog post gives an overall intro to information security auditing and a detailed go-through of the ISO 27001 certification audit process.

What are information security audits?

Information security audits are systematic evaluations of an organization's information security. They may audit either specific systems or, more generally, the organization's policies, procedures, and controls around information security.

Audits aim to ensure the organization actually operates according to set requirements or chosen best practices to safeguard its information assets.

Goals of an information security audit usually include:

  1. Assessing compliance: Verify that the organization is actually complying with its internal policies or the chosen frameworks (e.g. ISO 27001, NIS2, GDPR, HIPAA).
  2. Identifying non-conformities: Detect parts of policies that are not being properly implemented, or more technical vulnerabilities in systems or applications that could be exploited by threats.
  3. Evaluating controls: Analyze whether the defined controls are effective in protecting information assets and find the areas where improvement is most critical.
  4. Demonstrating accountability: Provide evidence of due diligence in running the ISMS and managing risks.

Audits can be carried out internally by competent employees who have the proper authority (internal audit) or externally by chosen independent partners (external audit). Some audits are done mainly from a compliance point of view (compliance audits) and some from a more technical point of view (technical audits), focusing e.g. on specific data systems or topics (e.g. network security, application security).

What is an ISO 27001 certification audit?

An ISO 27001 certification audit is a specific type of information security audit that is carried out by an accredited auditor according to the auditing guidelines defined in the ISO 27000 standard series.

The goal of an ISO 27001 certification audit is to verify that the organization's information security management system (ISMS) complies with the requirements of the ISO 27001 standard.

What happens in the ISO 27001 certification audit?

An ISO 27001 certification audit is a structured process where a third-party certification body evaluates an organization's ISMS against the requirements of the ISO/IEC 27001 standard. There are usually many organizations in each country that are accredited by

The actual audit is carried out in two main stages: a preliminary assessment (Stage 1) and a detailed review (Stage 2). In addition, an organization can optionally go through a readiness assessment before the actual audit. Post-audit activities then ensure that the ISMS is continuously improved and properly maintained.

Below are more detailed explanations of what happens in each stage of the certification audit.

1. Pre-audit preparation

Before the certification audit begins, the organization should of course prepare itself and make sure it is confident that it complies with the ISO 27001 standard.

You can read more about the key ISMS implementation steps in a separate article.

2. Readiness assessment (optional)

A readiness assessment for an ISO 27001 certification audit is an optional, preparatory evaluation done to determine whether an organization is adequately prepared for the formal certification audit.

This assessment can be carried out by the same auditor that will carry out the later parts of the process.

A readiness assessment can help identify the biggest gaps in the ISMS relative to the requirements of ISO 27001.

The readiness assessment is voluntary. It should be used if the organization is unsure about its compliance with ISO 27001.

3. Stage 1 Audit: Review of main ISMS documentation

The Stage 1 audit is carried out to assess the organization's readiness for Stage 2 and to identify any critical gaps.

This phase is mostly focused on your most important ISMS documentation and can also be carried out remotely. The auditor will review some key documents to determine whether you have the main ISMS processes in place and running properly.

Key documents you'll usually need to share with the auditor in the Stage 1 ISO 27001 audit include:

  • Statement of Applicability (SoA): Lists all the controls of ISO 27002 and the details of each control's status (e.g. your implementation status for the control, a short description of the implementation, and which controls are deemed non-applicable).
  • ISMS description and scope: This document needs to explain to the auditor how the organization's ISMS is structured, operated and monitored. It also explains which parts of the organization the ISMS covers, what the related key roles are, what kind of information is connected to the ISMS and how that information is controlled. By looking through this document the auditor will know where to find the main information related to the certification audit.
  • Information security policy: Your top-level document describing your organization's commitment to compliance and e.g. top management's role in ensuring compliance and providing the needed support for the work.
  • Risk management procedure: Describes your process for identifying, evaluating and treating information security risks.
  • Internal audit procedure (+ main results): Describes your process for carrying out internal audits and maintaining an audit schedule. Before the certification audit, you will need to be able to present the results of an internal audit that has been carried out according to the procedure (otherwise it will be a major non-conformity).
  • Management review procedure (+ main results): Describes your process for carrying out management reviews. This is one of the key ways your organization's top management participates in information security. Before the certification audit, you will need to be able to present the results of a management review that has been carried out according to the procedure (otherwise it will be a major non-conformity).
  • Personnel awareness procedure: Describes your process for ensuring that employees, contractors, and relevant third parties are aware of their roles and responsibilities in maintaining information security. This document should e.g. describe how you train employees, provide them with guidelines for secure operation, and ensure they commit to following the guidelines.

At the end of the Stage 1 audit, the auditor will provide a list of findings, which may include major or minor non-conformities. Non-conformities need to be fixed with corrective actions before moving forward in the audit process.

When auditors report non-conformities, they always point to the section of the standard (e.g. 9.1.1) that is not being complied with.

4. Stage 2 Audit: Review of ISMS implementation and effectiveness

The Stage 2 audit is the main part of the certification audit. It is carried out to confirm whether the ISMS is fully implemented, effective, and compliant with ISO 27001.

This phase is carried out on-site, which is relevant not only for better information sharing, but also for confirming physical security controls.

Basically, during this phase the auditor needs to obtain appropriate evidence of your compliance with your own ISMS documentation and with the ISO 27001 standard. To enable this, the auditor will:

  • Conduct interviews:
    • Auditors will ask the persons responsible for different ISMS areas to explain, show and give more details on policy and control implementation.
    • Auditors will also interact with "basic" employees who don't necessarily have any special roles in ISMS maintenance, to evaluate their awareness of security policies and guidelines.
  • Review evidence:
    • Review ISMS content, examine relevant logs, incident records, training records, risk treatment plans, audit reports, and anything relevant to prove that things have actually been implemented as defined.
  • Evaluate the appropriateness of controls:
    • Verify that security controls listed in the SoA are implemented and effective.
    • Test controls related to physical security, access management, incident response, and more.

As the main result of this work, the auditor will:

  • Identify non-conformities:
    • Major non-conformities: Critical issues that must be fixed with corrective actions and presented to the auditor before certification.
    • Minor non-conformities: Less critical issues that require corrective action (e.g. a plan for one to be presented to the auditor within the next 3 months) but do not prevent certification.
  • Provide recommendations and any other relevant observations:
    • Overall, the auditors will also observe the explanations you give and observe your daily operations to verify compliance.
    • When auditors spot topics that should be improved, they can point them out as recommendations or other observations. Recommendations are things that could be improved from the auditor's point of view, but are not non-conformities (at least not yet). If recommendations are not acted on, e.g. before the next audit, they may turn into non-conformities.

When no major non-conformities remain, the organization is recommended for certification.

The auditors gather the results of the audit into an audit report that walks through all the different findings and is sent to the auditee.

5. Post-audit activities

After the actual certification audit is concluded, there are still some important things to do:

  • Issuing the certificate:
    • After the organization passes the audit, the certification body issues the ISO 27001 certificate.
    • The certificate is valid for three years, subject to regular monitoring.
  • Conduct yearly surveillance audits:
    • Shorter audits, conducted annually, to ensure the ISMS remains compliant.
    • Focus on selected areas of the ISMS and relevant changes since the last audit.
  • Conduct a recertification audit every 3 years:
    • Performed every three years to renew the certification.
    • Includes a comprehensive assessment similar to the initial certification process.

The certificate's message is "Auditing organization X verified that Organization Y complies with this standard Z" (example from Cyberday.ai)

Popular questions related to ISO 27001 certification audits

How long does it take for organizations to get ready for an ISO 27001 certification audit?

We're currently working with around 600 organizations through our Cyberday ISMS app. We've seen the initial road towards compliance take anything from a couple of weeks to 12 months and everything in between. And yes, there are those initiatives too that never get finished.

Typically, the process takes somewhere between 3 and 9 months. The main factors influencing the timeline are the complexity and size of your operations, your current information security maturity level, the resources and expertise you can dedicate to the work, and the tools used to run the ISMS.

How long does the actual ISO 27001 certification audit take?

For an ISO 27001 certification audit to be acceptable, the ISO 27000 standard series defines clear minimum durations for the time the audit needs to take.

In a small organization (under 10 employees), you'll need a total of 7-14 days of auditor work in a single 3-year certification period. In a large organization (10 000+ employees), the amount will be around 50 days of auditor work in a single 3-year certification period.

Typical audit durations by organization size

What are the costs of ISO 27001 certification?

The direct cost of an ISO 27001 certification audit is easy to estimate if you look at the question above related to audit duration. The main cost is what you pay for the auditor's work, where a good rough estimate is 1000 € per day in the EU.

So the direct bill to pay to the auditing organization carrying out the certification audit will range from 10 000 € to 50 000 € over the whole 3-year period, depending on the size of your organization.

Internal costs (e.g. needed ISMS work, personnel time, software solutions, other technology investments, needed training) depend totally on your starting information security maturity.

How often are ISO 27001 audits conducted?

The certification (or re-certification) audit is carried out once every 3 years. Surveillance audits are shorter yearly audits that are carried out during the remaining years to ensure continuous improvement and proper ISMS maintenance.

What happens, if you "fail" the ISO 27001 certification audit?

"Failing" an ISO 27001 certification audit basically means that the organization didn't meet all the requirements of the standard at the time of the audit, and thus some non-conformities were identified.

After this, the organization will have the opportunity to address the non-conformities with corrective actions and continue the certification process. This means coming up with corrective action plans and implementing those corrections. For major non-conformities, the corrections need to be verified by the auditor. For minor non-conformities, verifying the plan is enough.

When the follow-up on the corrective actions demonstrates compliance, certification can then be granted.

It's important to understand that there's really no failure in the certification audit process. The auditor will just help you identify non-conformities, which are topics to improve on. Even when non-conformities are spotted (which is quite normal), you will have a to-do list towards certification and will have improved your information security.
