What are the steps to ISO 27001 certification? Our assessors have completed assessments against several International Organization for Standardization (ISO) standards, and can provide your organization on insights on the process for achieving ISO certification.

Choosing the appropriate assessor

A certification audit can be performed by any company that understands the ISO standard relevant to your company. When selecting a certification body (CB), it is important to understand the difference between an accredited and unaccredited certification to ensure that it meets your organization’s needs.

Accredited certification body

Accredited CBs must undergo a rigorous evaluation process to ensure that the certification audit is performed in accordance with the ISO audit requirements. The evaluation process assesses the competence of the audit team, audit methodology used by the CB, and the quality control procedures in place to ensure that the audit and report are completed properly.

As an accredited certification body, each certificate that A-LIGN issues contains the ANAB or UKAS seal, which will be accepted globally by your customer and potential clients to demonstrate conformity with the appropriate standard.

Unaccredited certification body

Organizations can also receive certification through an unaccredited assessor, however, these CBs are never audited for their compliance with ISO certification audit requirements. When ISO certification is something your organization is undergoing to meet a client requirement, it is important to determine if the client requires an accredited certificate or if they will accept a certificate from an unaccredited CB.

5 Steps to ISO Certification

Step 1: Pre-assessment

The ISO pre-assessment process is designed for companies that will undergo the certification process for the first time and is only performed as an as-needed basis. A-LIGN simulates the actual certification audit by performing a review of your company’s scope, policies, procedures, and processes to review any gaps that may need remediation before your company goes through the certification process.

The pre-assessment can give your organization a head-start on the certification process by revealing any oversights or potential weaknesses that your organization may have ahead of the actual audit so that you can act on areas that require remediation or attention.

Step 2: Stage 1 audit

During the stage 1 audit, A-LIGN reviews your company’s documentation to confirm that it follows the relevant ISO standard, as well as check to see if the required activities have been completed or are scheduled prior to beginning stage 2.

The conclusion of the stage 1 audit will determine if your company is ready to move forward to stage 2, or if modifications are required to its policies, procedures, and supporting documentation before proceeding. Once stage 1 is complete, your organization will have a better understanding of your organization’s ability to meet the requirements and areas of improvement.

Step 3: Stage 2 audit

The stage 2 audit is performed to test the conformance of your system with the relevant ISO standard. During A-LIGN’s on-site audit, we will perform testing procedures including interviews, inspection of documented evidence, and observation of your processes. Upon completion of stage 2, A-LIGN will determine if your organization is ready to be certified.

If there are any major nonconformities, they will need to be remediated before a certificate can be issued.

Stage 4: Surveillance audit

Once your organization has achieved certification, A-LIGN is dedicated to your continued success. Over the two years following certification, A-LIGN will conduct annual surveillance audits to ensure your ongoing conformity with the appropriate ISO standard to give you the assurance that your systems and processes continue to be compliant.

Stage 5: Recertification

Your certificate is valid for three years after the issue date. Your organization will need to recertify before the issue date, which will then begin the certification process again. The recertification process differs from initial certification, as organizations do not typically need to go through the stage 1 audit again. Instead, organizations begin with stage 2 in order to achieve recertification and continue to receive surveillance audits following certification.

Getting started with ISO

For organizations seeking an internationally recognized framework, the ISO standards can provide your organization with a certification that is scalable to your needs. With our experience in assessing an organization’s cybersecurity, compliance, and privacy, A-LIGN can provide your organization with the experience and guidance needed to achieve certification.