ISO 27001 Certification Process

What is ISO 27001?

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS), published jointly by ISO and the International Electrotechnical Commission (IEC). It was first published in 2005 and revised in 2013 and again in 2022; the current edition is ISO/IEC 27001:2022. It sets requirements for establishing, implementing, monitoring, reviewing, maintaining, and improving information security – a systematic way to reduce the risk of unauthorized access to or loss of information and to ensure security controls are applied effectively.

The ISO 27001 Certification Process: A Step by Step Guide

Step 1: Get familiar with ISO/IEC 27001:2022

Reading the standard gives you a clear understanding of its requirements. Then:

  • Choose a knowledgeable lead: find someone (internal or external) with real expertise in setting up an ISMS and familiarity with the certification requirements.
  • Get senior management buy-in: no project succeeds without leadership support. A gap analysis – a thorough comparison of your existing information security measures against the requirements of ISO/IEC 27001:2022 – is a good starting point, ideally producing a prioritized list of tasks and recommendations on scope. The results help build a solid business case for adoption.

Step 2: Define the context, scope, and goals

Define the goals of the project and the ISMS, along with the budget and timeline, and decide whether to use a consultant or in-house skills. Define the ISMS scope – this could cover the whole organization or just a department or location – taking into account the organizational context and the needs of interested parties (shareholders, employees, government, regulators, and others), as well as internal and external factors such as culture, risk acceptance criteria, and existing systems and processes.

Step 3: Establish a management framework

The management framework sets out the procedures needed to meet your implementation goals. This includes establishing ISMS responsibilities, creating an activity schedule, and conducting regular audits, all of which support continual improvement.

Step 4: Carry out a risk assessment

ISO 27001 does not prescribe a specific risk assessment methodology, but it does require the assessment to be carried out formally – which means planning the process and documenting the data, analysis, and results. Before completing a risk assessment, define your baseline security criteria, reflecting your business, legal, regulatory, and contractual information security needs.

Step 5: Implement risk-treatment controls

After identifying the risks, decide how to address each one – treat, tolerate, terminate, or transfer it – and keep records of every decision, as the auditor will want to see them at the certification audit. Two mandatory documents are produced as evidence: the Statement of Applicability (SoA) and the risk treatment plan (RTP).

Step 6: Provide training and awareness

ISO 27001 requires staff awareness initiatives to build information security awareness across the organization. In practice this may mean that most employees need to adjust their habits – for example, following a clean-desk policy and locking their computers when they leave their desks.

Step 7: Review and update your documentation

Your ISMS processes, policies, and procedures must be supported by documentation. The standard requires:

  • The scope/purpose of the ISMS
  • Information security policy
  • The information security risk assessment process
  • The risk assessment and treatment process
  • Statement of Applicability (SoA)
  • Information security objectives
  • Evidence of competence
  • Documented information the organization deems necessary for the ISMS
  • Operational planning and control
  • Results of the risk assessment and treatment
  • Evidence of monitoring and measurement
  • A documented internal audit process, programmes, and findings
  • Results of management reviews
  • Evidence of non-conformities and corrective actions taken

Step 8: Measure, monitor, and review

ISO 27001 encourages a culture of continual improvement – ongoing analysis and monitoring of the ISMS’s effectiveness and compliance, and identifying improvements to existing processes and controls.

Step 9: Conduct an internal audit

ISO/IEC 27001 requires internal audits of the ISMS at planned intervals. The person responsible for establishing and maintaining compliance should have a practical understanding of the audit process.

Step 10: External certification audit

The audit by a third-party certification body (such as IAS) takes place in two stages:

  • Stage 1 (preliminary audit): the auditor checks whether your documentation complies with the standard and identifies any non-conformities or areas for improvement. You make any required changes before Stage 2.
  • Stage 2 (implementation audit): the auditor conducts a thorough review to confirm you are in compliance with the standard in practice.

How long is ISO 27001 certification valid?

Certification is issued for three years. Surveillance audits are conducted roughly every 12 months within that period (two across the cycle) to confirm your organization remains compliant with the standard.

ISO 27001 and information security in Canada

In Canada, organizations have obligations to protect personal information under the federal PIPEDA and provincial laws such as Quebec’s Law 25. ISO 27001 gives Canadian organizations a structured, internationally recognized way to manage information security risk – supporting these obligations and building trust with customers and partners.

Contact IAS today to learn more about the ISO 27001 certification process, or visit our frequently asked questions page.

Frequently Asked Questions

What are the main steps to ISO 27001 certification?

Understand the standard, define scope and a management framework, assess and treat risk, train staff, document the ISMS, run internal audits, then undergo a two-stage external certification audit.

Which edition is current?

ISO/IEC 27001:2022 (first published in 2005; revised in 2013 and 2022).

What is the Statement of Applicability?

The SoA lists every Annex A control and states whether it applies (and how it's implemented) or is excluded (and why).

How long is certification valid?

Three years, with surveillance audits roughly every 12 months.

How does ISO 27001 relate to Canadian privacy law?

It supports obligations under PIPEDA and provincial laws such as Quebec's Law 25 to protect personal information.