Achieving and maintaining ISO 27001 certification is a detailed and structured process. This guide outlines the key stages, from preparation to recertification, ensuring your organization remains compliant.
Internal Audit
During the internal audit, the internal auditor will thoroughly review all prepared documents and evidence. This stage is designed to:
Identify any non-conformities or areas needing improvement.
Ensure all documentation and processes align with ISO 27001 standards.
Prepare your team for the external audit.
Please make sure to have all of the evidence uploaded on Secfix.
External Audit
The external audit is conducted by an accredited certification body and involves two stages:
Stage 1: Documentation Review
The auditor will assess your Information Security Management System (ISMS) documentation to ensure it meets ISO 27001 requirements. This includes reviewing policies, the Statement of Applicability, the internal audit report, other procedures, and evidence of compliance.
Stage 2: Main Audit (On-Site)
During the on-site audit, the auditor will verify the implementation and effectiveness of your ISMS through interviews and by reviewing your risk register, manually uploaded evidence, automated tasks, employee compliance, and inventory and access management.
Upon successful completion of the external audit, the certification body will review the findings and make a certification decision. If all requirements are met, you will be awarded the ISO 27001 certification.
Surveillance Audits
To maintain your ISO 27001 certification, you will undergo annual surveillance audits in the first and second year after certification. These audits ensure ongoing compliance and continuous improvement. The surveillance audits will be tougher than the initial certification audit, since the auditor expects that you have improved your ISMS in the meantime. Make sure that you are using the Secfix platform to continuously review your compliance status.
Recertification Audit
Every three years, a recertification audit is required to maintain your ISO 27001 certification. This audit is as comprehensive as the initial certification audit and includes:
A complete review of your ISMS documentation.
On-site verification of compliance and effectiveness.
Addressing any areas of improvement identified during surveillance audits.
Be aware that the scope of your ISMS might have changed over the three years, so make sure to inform your auditor about any changes (e.g. new subsidiaries or offices, or a new cloud provider).
Tips for a Smooth Certification Process
Keep Documentation Updated: Regularly update and review all documentation to reflect current practices.
Engage Your Team: Ensure all employees understand the importance of ISO 27001 and their roles in maintaining compliance.
Continuous Improvement: Treat ISO 27001 as an ongoing process. Regularly review and improve your ISMS to stay compliant.
Audit timeline
Year 1: Stage 1 and Stage 2 certification audit.
Year 2: Surveillance audit.
Year 3: Surveillance audit.
Year 4: Stage 1 and Stage 2 audit (recertification).
And so on, repeating the three-year cycle.