The ISO 27001 Certification Process: Time, Costs, and Steps

March 2, 2026 · 4 min read

So, you’ve decided to go for the gold. You want the ISO 27001 badge on your website. But what does the actual process look like on the ground? How many meetings will there be? When do the auditors show up? And most importantly, how much will it cost?

Let’s pull back the curtain on the certification journey.

The Path to Compliance

Getting certified is a journey that typically involves 5 key stages. While the timeline varies, having a clear roadmap is essential for project success.

Figure: ISO 27001 Certification Roadmap Schematic

The Two Stages of the Certification Audit

The official certification audit is divided into two distinct phases, performed by an external Certification Body (CB).

Stage 1: Gap Analysis and Scoping

This is often called the "Ready for Stage 2" audit. The auditor reviews your ISMS documentation (policies, scope, risk assessment) to ensure it meets the requirements of the standard on paper.

  • Goal: Identify any major non-conformities before the "real" audit.
  • Duration: Typically 1 to 2 days.

Stage 2: Implementation Audit

This is the big one. The auditor comes onsite (or joins virtually) to see if you are actually doing what your documents say you are doing. They will interview staff, check server logs, and watch your processes in action.

  • Goal: Verify evidence of implementation.
  • Duration: 2 to 5 days, depending on company size.

Timeline: How Long Does It Take?

For a typical SME (20-100 employees), the timeline usually looks like this:

  • Preparation (Gap Analysis & Implementation): 6 to 9 months.
  • Internal Audit: 1 month before certification audit.
  • Stage 1 Audit: Month 10.
  • Stage 2 Audit: Month 11 or 12.
  • Certification Issued: 4-6 weeks after Stage 2.

The 3-Year Certification Cycle

Getting certified isn't a one-and-done event. It's a three-year commitment:

  1. Year 1 (Certification): The initial Stage 1 and Stage 2 audits.
  2. Year 2 (Surveillance): A smaller "check-up" audit by the CB to ensure you haven't let things slide.
  3. Year 3 (Surveillance): Another check-up audit.
  4. Year 4 (Recertification): A full audit, similar to Stage 2, to renew the certificate for another 3 years.

How Much Does It Cost?

While costs vary by region and provider, you generally have to budget for three things:

  1. Consulting Fees: To help you build the ISMS (optional but recommended).
  2. Internal Effort: The staff time dedicated to the project.
  3. Certification Fees: Paid to the accredited Certification Body. For a small firm, certification fees often range from $5,000 to $15,000 for the initial 3-year cycle.

Internal vs. External Audits

  • Internal Audit: The standard requires you to have someone (an internal staff member or an external party) audit your own system before the CB shows up; whoever does it should be independent of the area they audit so the results are objective. This is a practice run to find mistakes early.
  • External Audit: This is the official audit performed by a Certification Body like BSI, SGS, or Bureau Veritas.

FAQ: Frequently Asked Questions

Can we fail the audit?

Yes, but most auditors will give you a chance to fix "Minor Non-conformities" within a set timeframe. Only a "Major Non-conformity" will block certification until it has been resolved.

What is a Surveillance Audit?

Think of it as a maintenance check. It’s shorter than the initial audit and focuses on specific areas of the ISMS to ensure continuous improvement.

Do we have to be audited every year?

Yes. To maintain your certificate, you must undergo a surveillance audit every year until your 3-year recertification.

Conclusion: It’s a Marathon, Not a Sprint

The ISO 27001 certification process is rigorous because it’s meant to be meaningful. While the path might seem long, the clarity and trust it builds with your clients are worth every step.

Don't navigate the certification maze alone. Our consultants have a 100% success rate in guiding companies through Stage 1 and Stage 2.