ISO 27001 process until certification

Let us show you the process leading up to certification in several steps. Are you seeking business certification for the first time? It is understandable to still be a little unsure about what awaits you with the ISO27001 certification. We have therefore put together several diagrams and individual videos for you, which you should definitely watch until the end.

What are the individual steps to ISO27001 certification?

This simple diagram depicts the 10 steps to receiving an ISO 27001 certificate

For us everything starts with the preliminary discussion. This advice is a mandatory step that the standard requires of us. Here we get to know each other briefly and answer various questions about the procedure.

As soon as we start the project, you will receive a questionnaire from us, which you will fill out for us promptly and supplement with the required documents. We create the individual template and then have a follow-up discussion. We clarify any outstanding points so that we can compile as complete documents as possible for certification.

The following video explains the process leading up to certification in an even clearer way.

Now that you have watched the short explanatory video, we would like to look at the individual phases in a little more detail. It is important that you have watched the previous video so that you can better understand the complex ISO27001 certification process. If you still have questions about the costs of certification, be sure to check out our cost-related information page for detailed explanations. There you will also find a simple overview of the individual cost blocks of the ISO27001 certification.

Step 1 - Preliminary interview for certification

We will hold a preliminary discussion with you to better understand your business model, goals and challenges. In this conversation we will clarify your open questions about the process and the industry-specific requirements for your company. The appointment takes place either in a video conference (e.g. via Zoom), in a phone call or in person (e.g. in your office or a hotel).

Step 2 - Questionnaire to provide company data

If we decide to tackle this project together, we will need a lot of information. After we have asked a number of important questions during the preliminary discussion, you will receive a questionnaire and a document checklist from us. You can fill out the questionnaire quickly and easily as a Word document or as an online questionnaire, and you then send us the required documents electronically. If we are still missing something, we will follow up with you.

Step 3 - Design the individual management system

We then draft the many documents required to comply with the ISO/IEC 27001 standard. The information you provide is incorporated into the industry-specific templates. In a short online appointment we go through one or two documents with you in order to complete any missing information.

Step 4 - Follow-up conversation to complete missing data

When the management system (ISMS) appears to us to be ready, we will have a follow-up discussion with you to prepare you for the next step. By this point the company should also have carried out and documented an internal audit. We will help you implement this important step using our “ISO 27001 Internal Audits Checklist (download PDF)”. Alternatively, we can carry out the entire internal audit for you, saving you a lot of valuable working time. Before the ISMS documents can be submitted to the ISO 27001 certification body, a complete internal audit report must be available.

Step 5 - Completion of the ISMS concept with handover

Here we hand over the finished ISMS document concept to you so that you can make it available for inspection at the relevant points in the company. At the same time, you will receive the application for certification and the auditor’s list of required documents.

Step 6 - Submission of the management concept to the auditor

Now it gets exciting, because you submit the management concept with all accompanying documents (e.g. company house extract, organizational chart, etc.) to the ISO27001 auditor. You also enclose the auditor’s respective form so that he can process everything together. The auditor then examines the documents to ensure they are structurally complete.

Step 7 - Make an appointment with the auditor

As soon as the auditor classifies the documents as auditable, he will suggest an audit date for you.

Step 8 - Possible subsequent submission of missing documents

If the auditor needs a few further documents (e.g. a top management statement) for the upcoming audit date, he will request these from you in good time.

Step 9 - Conducting the Audit

On the audit day, the auditor goes through the documents with you and asks your company-specific questions. Based on this, he creates an audit report for the certification body.

Step 10 - Issue the certificate

Just a few days later you could receive the certificate from the auditor or certification body. ISO 17021-1:2015 (Chapter 9.5.3.2) allows the certification body up to 6 months to issue the certificate. However, if the main deviations are not satisfactorily resolved within those 6 months, the Stage 2 audit must be carried out again. That is why it is important to have well-prepared documents.