ISO 27001 looks intimidating from the outside. The path to certification is more structured and predictable than most companies expect.
What ISO 27001 Actually Certifies
ISO 27001 certifies that your organisation has implemented, operates, and continually improves an Information Security Management System (ISMS). It is a management system standard — like ISO 9001 for quality — not a technical security standard. The certification scope can be limited: you do not need to certify every system, every office, or every product. Most first-time certifications scope to a specific product, service, or department. Scoping narrowly reduces certification cost and timeline significantly while still satisfying most enterprise procurement requirements.
The Three-Stage Certification Process
- Stage 1 audit (documentation review): the certification body (CB) reviews your ISMS documentation — your information security policy, risk assessment methodology, statement of applicability, and control documentation. This is a document review, not a technical assessment.
- Stage 2 audit (implementation review): the CB assesses whether your documented controls are actually operating in practice. This includes interviews with staff, observation of processes, and sampling of records.

Stage 1 typically takes 1 day; Stage 2 takes 2-5 days depending on scope and organisation size.
The Controls That Most Companies Underestimate
Annex A has 93 controls across four domains. The controls that consistently create the most certification preparation work are: asset management (maintaining a complete and current asset inventory), supplier relationships (documented process for assessing and managing third-party security), cryptography (having a documented cryptographic policy covering key management), and physical security (which surprises fully remote companies who assumed it was irrelevant — it still covers office environments and remote working policies).
A Realistic Timeline
A focused, well-resourced ISO 27001 first-time certification typically takes 6-9 months for a 100-300 person company with a narrow scope. The timeline breaks down as: 2 months for ISMS documentation (policy, risk assessment, statement of applicability); 2-3 months for control implementation and evidence generation; 1-2 months for internal audit and management review; 1-2 months for CB scheduling and Stage 1/2 audit. Surveillance audits occur annually; re-certification every three years.
- ISO 27001 certifies your ISMS, not your technical security posture; scope it narrowly for a first certification
- Stage 1 is a documentation review; Stage 2 assesses whether controls are actually operating as documented
- Asset management, supplier relationships, and cryptography policy are the controls that create the most preparation work
- A realistic first-certification timeline for a narrow-scope 100-300 person company is 6-9 months