The Certification Journey

Choosing a certification body, Stage 1 and Stage 2 audits, surveillance audits, recertification, and tips for success.

Overview

Achieving ISO 27001 certification demonstrates to customers, partners, and regulators that your organisation has implemented, and is operating, an information security management system (ISMS) that meets the standard. The certification process involves selecting an accredited certification body and passing a two-stage external audit, followed by annual surveillance audits and a full recertification audit every three years.

Choosing a Certification Body

Your certification body (CB) must be accredited by a recognised accreditation body; an unaccredited certificate carries little weight with customers or regulators. In Australia, look for CBs accredited by JAS-ANZ (Joint Accreditation System of Australia and New Zealand) or by an equivalent member of the International Accreditation Forum (IAF), and verify the accreditation on the accreditation body's own register rather than relying on the CB's website. When selecting a CB, consider:

  • Industry experience — does the CB have auditors experienced in your sector?
  • Reputation — ask peers for recommendations and check the CB's track record.
  • Cost and availability — get quotes from multiple CBs and confirm auditor availability for your timeline.
  • Approach — some CBs take a collaborative approach while others are more prescriptive. Choose one that aligns with your culture.

Stage 1: Documentation Review

The Stage 1 audit is a readiness assessment focused on your documentation. The auditor will review:

  • Your ISMS scope, information security policy, and risk assessment methodology.
  • The Statement of Applicability (SoA) — all 93 Annex A controls (ISO/IEC 27001:2022), each marked as applicable or excluded, with a justification for the decision and the current implementation status.
  • Risk assessment results and risk treatment plan.
  • Key policies, procedures, and documented information required by the standard.
  • Evidence that at least one internal audit and one management review have been conducted (or are firmly scheduled to complete before Stage 2).

Stage 1 is typically conducted on-site or remotely over 1-2 days. The auditor will identify any gaps that must be addressed before Stage 2 can proceed; a serious gap, such as a missing risk assessment or an SoA that does not cover every control, can cause Stage 2 to be postponed. There is usually an interval of 2-8 weeks between Stage 1 and Stage 2 to allow for remediation.

Stage 2: Implementation Audit

The Stage 2 audit assesses whether your ISMS is effectively implemented and operating. The auditor will:

  • Verify that controls are actually in place and working, not just documented.
  • Interview staff at various levels to confirm awareness and understanding of security policies.
  • Sample evidence — training records, access control logs, user access reviews, incident reports, change management records — and trace it back to the control and risk it supports.
  • Check that the risk treatment plan is being executed and risks are being monitored.
  • Assess the effectiveness of the ISMS as a whole.

Stage 2 typically takes 3-5 days depending on the size and complexity of your organisation. Findings are classified as:

  • Major nonconformity — a significant failure that affects the ISMS's ability to achieve its intended outcomes, such as an entire clause of the standard not being implemented or a control in the SoA not existing in practice. Must be resolved, and the corrective action verified by the CB (sometimes via a follow-up visit), before certification can be granted.
  • Minor nonconformity — an isolated lapse that does not undermine the overall ISMS, such as a single missed access review. Must be addressed with a corrective action plan accepted by the CB, typically within 90 days, with evidence of closure checked at the next audit.
  • Opportunity for improvement — a suggestion, not a requirement. Good auditors will offer these to help you mature your ISMS.

Surveillance Audits (Annual)

After certification, your CB will conduct surveillance audits at least annually; the first must take place within 12 months of the certification decision. These are smaller in scope than the initial certification audit — the auditor will sample different areas of your ISMS each year, so that the whole ISMS is covered across the three-year cycle, and will always check that internal audits, management reviews, and corrective actions from previous findings are being carried out. Surveillance audits typically take 1-3 days.

If a major nonconformity is found during surveillance and is not resolved within the agreed period, the CB may suspend your certification, and withdraw it if the issue remains unresolved.

Recertification (3-Year Cycle)

ISO 27001 certification is valid for three years. Before the certificate expires, you must undergo a full recertification audit, similar in scope to the initial Stage 2 audit; schedule it early enough that any nonconformities can be closed before the expiry date, as a lapsed certificate means starting again with a new initial audit. The recertification audit evaluates the overall effectiveness of the ISMS over the certification period and confirms it remains suitable for the organisation's current context, scope, and risk profile.

Tips for Success

  1. Start early and be realistic — most organisations need 6-12 months to prepare for certification, and the standard expects the ISMS to have been operating long enough to produce evidence (completed internal audit, management review, risk treatment in progress) before Stage 2. Do not underestimate the effort required.
  2. Get leadership buy-in first — without genuine support from top management, the ISMS will be seen as an IT project rather than a business priority.
  3. Focus on risk, not just compliance — auditors want to see that you understand your risks and have made thoughtful decisions about how to treat them, not just that you have ticked every box.
  4. Keep documentation proportionate — over-documentation is as much a problem as under-documentation. Policies should be concise, practical, and actually followed.
  5. Run a thorough internal audit — treat your internal audit as a dress rehearsal for Stage 2. Identify and fix nonconformities before the external auditor finds them.
  6. Prepare your people — auditors will interview staff at all levels, not just the security team. Ensure everyone understands the information security policy, their own responsibilities, and how to report an incident; a staff member who cannot say how to report a suspected phishing email is a common source of findings.
  7. Use purpose-built tooling — managing an ISMS in spreadsheets and email becomes unsustainable. A dedicated platform like Standardise keeps everything organised, auditable, and connected.