Skip to content

What are the 6 stages of the ISO 27001 certification process?


Overview of ISO 27001 certification

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). Achieving ISO 27001 certification demonstrates an organization's commitment to effectively managing and protecting its information assets. The certification process consists of six stages, including the development of policies and procedures, conducting a risk assessment, implementing controls, conducting internal and external audits, management reviews, and finally, certification audit. Each stage is designed to ensure the organization's compliance with ISO 27001 requirements and to continuously improve its information security practices. By obtaining ISO 27001 certification, organizations can enhance their reputation, meet customer and regulatory requirements, and effectively manage security risks and threats to their information assets.

Benefits of ISO 27001 certification

ISO 27001 certification offers numerous benefits for organizations looking to enhance their information security management systems. By obtaining this certification, businesses can gain the trust of their customers and stakeholders by demonstrating their unwavering commitment to protecting sensitive information and ensuring its confidentiality, integrity, and availability.

With ISO 27001 compliance, organizations can provide infosec certainty to their clients, which can lead to increased customer satisfaction and loyalty. In an ever-evolving digital landscape, where data breaches and cyber threats are prevalent, obtaining ISO 27001 certification can give organizations a competitive edge. It can open new business opportunities with customers who require their partners to have robust information security protocols in place.

Beyond gaining trust and expanding clientele, ISO 27001 compliance supports business growth and brand safeguarding. By effectively managing security risks and addressing vulnerabilities, organizations can protect their brand reputation from potential breaches or data leaks. This certification also helps businesses streamline processes by implementing a risk management framework, ensuring that information security is efficiently integrated into daily operations.

Ultimately, ISO 27001 certification empowers organizations to proactively mitigate risks, improve decision-making, and enhance performance. It provides a structured approach to information security management and sets a clear roadmap for continual improvement.

Stage 1 - preparation

Stage 1 - Preparation: The first stage of the ISO 27001 certification process involves preparation. This stage is crucial in laying the groundwork for a successful certification journey. Organizations need to establish their commitment to information security management by forming a dedicated project team and appointing a project manager. The project team is responsible for assessing the organization's current information security practices, identifying gaps and vulnerabilities, and developing an implementation plan. This plan outlines the necessary actions and resources needed to achieve ISO 27001 compliance. Additionally, organizations may choose to conduct a gap analysis to evaluate their current security controls against the requirements of the ISO 27001 standard. This analysis helps identify areas that need improvement and serves as a benchmark for progress throughout the certification process. By diligently preparing and establishing a solid foundation, organizations can set themselves up for success as they move forward with ISO 27001 certification.

Gathering information and documentation

Gathering information and documentation is a crucial step in the ISO 27001 certification process. It involves the collection and analysis of data to assess and manage security risks within an organization's information management system.

The first step in gathering information is to conduct a risk assessment. This involves identifying and evaluating potential security risks and vulnerabilities. Various methods can be used, including interviews, workshops, and providing detailed instructions to employees. These methods allow for a comprehensive understanding of the organization's security controls and risks.

Interviews provide an opportunity to engage with key stakeholders and gather insights into current practices. Workshops can be used to facilitate discussions and brainstorming sessions to identify potential risks and develop risk treatment plans. Providing detailed instructions ensures that all necessary information is gathered consistently from different areas of the organization.

Documentation plays a vital role in the ISO 27001 certification process. It is essential to have clear and accurate documentation of policies, procedures, controls, and processes related to the information management system. Mandatory documents required for the certification include a security policy, risk assessment methodology, risk analysis, risk treatment plan, and an implementation plan.

Risk assessment methodology

One of the key components of the ISO 27001 certification process is the risk assessment methodology. This methodology is used to evaluate and determine the level of risk associated with an organization's information management system.

The risk assessment methodology involves assessing three main elements: asset value, threat, and vulnerability. Firstly, the asset value refers to the importance and value of the assets within an organization's information management system. This includes data, hardware, software, and any other resources critical to the organization's operations.

Secondly, threats are assessed. Threats are potential events or incidents that could harm the assets of an organization. These can include natural disasters, cyber-attacks, unauthorized access, or any other potential risks to the integrity or availability of the information management system.

Lastly, vulnerabilities are identified and evaluated. Vulnerabilities are weaknesses or gaps in the security controls or processes of an organization. These vulnerabilities can make the organization more susceptible to threats and increase the potential impact of those threats.

By assessing these three elements, the risk assessment methodology indirectly evaluates the consequences and likelihood of risks. The consequence refers to the potential negative impact of a risk, such as financial loss or reputational damage. Likelihood refers to the probability of the risk occurring.

The combination of asset value, threat, vulnerability, consequences, and likelihood collectively determine the risk level associated with an organization's information management system. This risk level is then used to prioritize the implementation of security controls and develop a risk treatment plan to mitigate and manage the identified risks.

Identifying non-conformities and remedial actions

Identifying non-conformities and taking remedial actions is a crucial part of the ISO 27001 certification process. Non-conformities refer to instances where the organization's practices, processes, or controls do not meet the requirements of the ISO 27001 standard.

During the certification audit, the external auditor conducts a comprehensive review of the organization's security management systems. This includes examining policies, procedures, security controls, and documentation to assess compliance with ISO 27001.

If any non-conformities are identified during the audit, the organization will be informed through an audit report. These non-conformities need to be addressed and resolved to achieve ISO 27001 certification.

The first step in addressing non-conformities is to develop corrective actions. This involves analyzing the root causes of the non-conformities and designing practical and effective solutions. Corrective actions should be aimed at eliminating the non-conformities, preventing their recurrence, and improving overall compliance with the ISO 27001 standard.

Once the corrective actions have been developed, they need to be implemented within a specified timeframe. This may involve making necessary changes to policies, procedures, security controls, or training programs. The organization should ensure that all relevant stakeholders are aware of the corrective actions and their roles in implementing them.

It is important to regularly monitor and review the effectiveness of the corrective actions to ensure that they are addressing the non-conformities adequately. This can be done through follow-up audits or internal assessments.

By effectively identifying non-conformities and taking remedial actions, organizations can demonstrate their commitment to achieving and maintaining compliance with ISO 27001, enhancing their overall security and risk management capabilities.

Developing an implementation plan

Developing an implementation plan is a crucial step in the ISO 27001 certification process. It involves setting out high-level policies, establishing roles and responsibilities, and creating rules for continual improvement.

To begin with, an organization needs to develop high-level policies that outline its approach to information security. These policies should clearly define the organization's commitment to protecting information, address the needs of stakeholders, and align with ISO 27001 requirements. These policies serve as a foundation for the implementation plan and guide the organization's security objectives.

Next, roles and responsibilities should be defined to ensure that everyone in the organization understands their specific obligations and accountabilities related to information security. This includes assigning a management representative who acts as the primary contact point for the certification process and coordinating security activities across the organization.

Continual improvement should be incorporated into the implementation plan to ensure that the organization's information security management system (ISMS) evolves over time. This includes establishing mechanisms for monitoring, measuring, and evaluating the ISMS, as well as identifying areas for enhancement and setting improvement objectives.

Raising awareness about the implementation plan is crucial for its successful execution. Internal and external communication channels should be utilized to inform employees, stakeholders, and relevant external parties about the organization's commitment to information security and the steps being taken to achieve ISO 27001 certification. This helps to create a shared understanding of the objectives and expectations of the certification process.

Training employees on security policies & procedures

Training employees on security policies and procedures is a crucial aspect of the ISO 27001 certification process. This training ensures that employees understand their roles and responsibilities in protecting sensitive information and complying with the organization's security requirements.

Employee training is important for several reasons. Firstly, it helps to create a culture of security awareness within the organization. By educating employees about the importance of data security and their own role in safeguarding information, the organization can significantly reduce the risk of human error and negligence.

Secondly, training ensures compliance with ISO 27001 requirements. The standard emphasizes the need for employees to be aware of and adhere to security policies and procedures. Effective training helps employees understand the specific controls and measures that are in place to protect information and ensures their compliance with these requirements.

To conduct effective training sessions, organizations should follow a structured approach. This includes creating comprehensive training materials that cover all relevant security policies and procedures. The materials should be clear, concise, and easily understandable, using language that is accessible to all employees.

In addition, assessments should be conducted to verify employees' understanding of the content. These assessments can take the form of quizzes, tests, or interactive exercises to ensure that employees have grasped the key concepts.

By investing in employee training on security policies and procedures, organizations can enhance their data security posture and increase compliance with ISO 27001 standards. This ultimately helps to safeguard sensitive information, protect the organization's reputation, and mitigate the risk of data breaches.

Stage 2 - system documentation development and implementation

Stage 2 of the ISO 27001 certification process involves the development and implementation of system documentation. This stage is crucial as it sets the foundation for the organization's security management system. System documentation includes policies, procedures, and other relevant documents that outline the organization's approach to managing security risks and protecting information. During this stage, the organization identifies and documents its security objectives and controls, taking into account the specific requirements of ISO 27001. The documentation serves as a guide for employees and provides a framework for the implementation of security measures. It is important for the organization to ensure that the documentation is comprehensive, aligns with ISO standards, and addresses both internal and external requirements. By successfully completing this stage, the organization establishes a solid foundation for the subsequent stages of the certification process.

Developing the statement of applicability (SOA)

Developing the statement of applicability (SOA) is a crucial step in the ISO 27001 certification process. The SOA serves as a guiding document that outlines the scope of the information security management system (ISMS) and provides evidence of security compliance.

The purpose of the SOA is to identify and document the security controls that are applicable to the organization and its assets. This includes identifying the controls that have been implemented, as well as those that are not applicable or are planned for future implementation. The SOA helps organizations to assess the risks and make informed decisions about the security controls they need to implement to protect their information.

To develop the SOA, organizations must carefully analyze the requirements of the ISO 27001 standard and conduct a thorough risk assessment. They must identify the security controls that are necessary to address the identified risks. This involves considering factors such as legal and regulatory requirements, customer requirements, contractual obligations, and the organization's own risk appetite.

Key elements that must be included in the SOA include the established security controls, justifications for including or excluding controls, and whether the controls have been implemented or not. The justifications should be based on the results of the risk assessment and should demonstrate that the chosen controls are appropriate and effective in mitigating the identified risks.

The SOA is a fundamental document in obtaining ISO 27001 certification. It demonstrates an organization's commitment to information security and provides assurance to stakeholders that appropriate security controls are in place. It also acts as a roadmap for future security improvements and serves as a reference for internal and external audits. By developing a comprehensive and well-documented SOA, organizations can streamline the certification process and ensure ongoing compliance with the ISO 27001 standard.

Developing the information security policy manual (ISPM)

Developing the Information Security Policy Manual (ISPM) is a crucial step in the ISO 27001 certification process. The ISPM serves as a comprehensive guide that outlines an organization's information security policies, procedures, and controls. It provides a framework for managing security risks and ensuring the confidentiality, integrity, and availability of information assets.

The purpose of the ISPM is to clearly define the organization's commitment to information security and establish a structured approach to managing security risks. It sets the foundation for implementing and maintaining an effective information security management system (ISMS) in accordance with the ISO 27001 standard.

The ISPM should include key components such as the organization's information security policy statement, which demonstrates senior management's commitment to information security. It should also define roles and responsibilities, outlining the expectations for employees and stakeholders. Additionally, the manual should provide guidance on risk management processes, incident response procedures, and security awareness and training.

To develop the ISPM, organizations typically begin by conducting a gap analysis to assess their current security practices against the requirements of ISO 27001. This helps identify any shortcomings and areas for improvement. Next, organizations establish security objectives and define the scope of the manual. Policies and procedures are then documented based on best practices and the organization's specific needs.

Creating operating procedures, work instructions, and guidelines

Creating operating procedures, work instructions, and guidelines is an essential step in implementing the ISO 27001 certification process. This step helps organizations to establish clear guidelines for employees regarding information security practices. Here are the steps to be taken for creating these important documents:

  1. Identify Control Requirements: Begin by reviewing Annex A of the ISO 27001 standard, which provides a list of control objectives and controls that organizations can implement. Determine which controls are relevant to your organization's context and security objectives.
  2. Assess Applicability: For each control recommended by Annex A, verify whether it applies to your organization or not. If a control is not applicable, provide a justification for its exclusion, based on the organization's risk assessment and risk treatment plan.
  3. Document Controls: Once the applicable controls have been identified, develop operating procedures, work instructions, and guidelines that outline how these controls will be implemented and maintained. Specify the roles and responsibilities of individuals involved in implementing the controls.
  4. Incorporate Compliance Requirements: Consider other areas of compliance that affect your organization, such as customer requirements and regulatory requirements. Ensure that your operating procedures, work instructions, and guidelines align with these requirements to meet legal and contractual obligations.
  5. Verify Implementation: Regularly verify whether the controls recommended by Annex A have been applied effectively. Conduct internal audits to assess the implementation and effectiveness of the controls. This helps identify any gaps or areas for improvement.
  6. Continual Improvement: Establish a management framework to ensure the ongoing effectiveness of the ISMS. This includes asserting ISMS accountability, scheduling activities such as management reviews and internal audits, and conducting regular audits for continuous improvement. These activities help monitor the performance of the ISMS and identify opportunities for enhancement.

By following these steps, organizations can create robust operating procedures, work instructions, and guidelines that align with ISO 27001 requirements, compliance obligations, and risk management principles.

Identifying and implementing technical controls for IT systems

Identifying and implementing technical controls for IT systems is a critical part of ensuring the security and protection of sensitive information. The process involves several steps to effectively mitigate security risks and adhere to the ISO 27001 standard.

  1. Identify Control Requirements: Begin by evaluating the specific technical control requirements necessary for your IT systems. This involves reviewing Annex A of the ISO 27001 standard, which provides a comprehensive list of control objectives and recommended controls. Identify the controls relevant to your organization's context and security objectives.
  2. Define New Rules: Once the relevant controls are identified, define new rules and procedures that outline how these controls will be implemented within your IT systems. These rules should address areas such as access controls, network security, system development, and maintenance. Consider industry best practices and regulatory requirements to ensure comprehensive coverage.
  3. Implement New Technology: Implementing new technology is often necessary to effectively enforce technical controls. This may involve deploying firewalls, intrusion detection systems, encryption mechanisms, or access management tools. Ensure that the chosen technology aligns with the identified control objectives and is capable of adequately protecting your IT systems.
  4. Change Organizational Structure: Implementing technical controls may also require changes to the organizational structure. This could involve assigning specific roles and responsibilities to individuals responsible for implementing and maintaining the controls. It may also involve creating cross-functional teams to oversee control implementation and enforcement.
  5. Include Controls in the Statement of Applicability (SoA): The Statement of Applicability is a crucial document that outlines the controls selected for implementation. It should clearly specify which controls from Annex A are applicable to your organization and provide the necessary justifications for their inclusion. Ensure that the SoA is regularly updated to reflect any changes to the technical controls implemented.

By following these steps, organizations can effectively identify and implement the necessary technical controls to protect their IT systems and comply with ISO 27001 standards.

Stage 3 - internal audit planning and execution

Stage 3 - Internal Audit Planning and Execution: Once the technical controls have been implemented, the next stage in the ISO 27001 certification process is internal audit planning and execution. Internal audits are crucial to assess the effectiveness and compliance of the implemented controls. During this stage, an audit plan is developed, outlining the objectives, scope, criteria, and methods for conducting the internal audit. The audit team, comprised of trained and independent auditors, conducts the audit by gathering evidence, evaluating the controls' performance, and identifying any non-conformities or areas of improvement. The internal audit process ensures that the organization's security management system is adequately designed, implemented, and maintained. It also assesses the organization's compliance with its established security policies, procedures, and legal and regulatory requirements. The findings from the internal audit provide valuable insights for addressing gaps, enhancing security controls, and achieving continual improvement in security management practices.

Establishing internal audit program

Establishing an internal audit program is a crucial step in achieving ISO 27001 certification. To ensure compliance with the security standard's requirements and identify areas for improvement, organizations must implement a robust internal audit process. This involves conducting regular assessments of the organization's security controls, risk management processes, and overall security management system.

The internal audit program begins with the selection of qualified auditors, who can be either internal personnel or external contractors. These auditors should possess the necessary knowledge and expertise in ISO 27001 and its requirements. Once selected, the auditors play a vital role in assessing the organization's compliance and identifying any gaps or non-conformities.

The process of planning and executing internal audits includes several steps. Firstly, the scope and objectives of the audit are defined, taking into consideration the organization's security objectives and goals. Next, a risk assessment is conducted to identify areas that require priority attention. Based on this assessment, an audit plan is developed, outlining the specific activities and timelines for conducting the audit.

During the audit, auditors collect and analyze evidence to determine the organization's compliance with ISO 27001 requirements. Any non-conformities or areas for improvement are documented in an audit report, which is then reviewed by senior management.

It is important to select an accredited registrar for registration audits, as this ensures that the certification body has met specific criteria for competence and impartiality. Accredited registrars conduct the final certification audit, which confirms the organization's compliance with ISO 27001 standards. The certification process involves a thorough evaluation of the organization's security management system and controls.

General thought leadership and news

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...

ServiceNow GRC pricing: Is it worth it in 2025?

ServiceNow GRC pricing: Is it worth it in 2025?

Concerned about ServiceNow GRC’s pricing plans and total cost of ownership? You’re not alone. With a custom pricing structure, determining the...