
How to Get ISO 27001 Certified: A Practical 6-Step Guide
A practical guide to getting ISO 27001 certified — from choosing a certification body to passing your Stage 2 audit. Covers costs, timelines, and what auditors actually check.
ISO 27001 certification tells enterprise buyers that you have a formal, audited Information Security Management System. In 2026, it's effectively the baseline expectation for B2B companies selling to European enterprises, financial institutions, and regulated industries. If you don't have it, you're losing deals to competitors who do.
This guide explains the exact steps to get certified — not the theory, but the practical sequence of actions from deciding to pursue certification through receiving your certificate.
Key Takeaways
- Certification takes 6–12 months for most organisations; 3–6 months with strong existing security practices and automation tools
- Total first-year cost: €20,000–€80,000 depending on size, scope, and how much you automate
- Stage 1 and Stage 2 audits are mandatory: Stage 1 checks your documentation; Stage 2 verifies implementation
- Use an accredited certification body recognised through the Global Accreditation Cooperation MRA, with national accreditation bodies such as DAkkS, COFRAC, RvA, and UKAS
- ISO 27001 maps closely to NIS2 and DORA: certification covers a large portion of both regulations' risk management requirements, though it is not a substitute for either
Step 1: Decide Your Scope
The ISMS scope defines which parts of your organisation, which systems, and which information assets fall under ISO 27001. Getting scope right is the most consequential early decision.
Too narrow: A scope that excludes key systems may satisfy an auditor but leave material risks unmanaged — and customers doing due diligence will notice.
Too broad: A scope covering everything the company touches makes implementation unmanageable and drives up audit costs unnecessarily.
Most B2B SaaS companies scope their certification around their core product infrastructure, development environment, and the organisational processes that support them. Customer support, HR, and finance systems may be in or out depending on whether they process the data types your customers care about.
Write your scope as a formal document. Your Stage 1 auditor will review it immediately — it signals whether you understand the standard.
Step 2: Conduct a Gap Analysis
A gap analysis compares your current security controls and documentation against ISO 27001 requirements. It answers the question: how far are we from being audit-ready?
Run the gap analysis against two levels:
- ISO 27001 clauses (4–10): The mandatory requirements — context, leadership, planning, support, operations, performance evaluation, and improvement. These cover your management system structure.
- Annex A controls (93 controls across 4 themes: organisational, people, physical, technological): The reference controls you select and implement based on your risk assessment. Not all 93 have to be implemented, but your Statement of Applicability must justify every control you exclude as well as every control you include.
The gap analysis output is a prioritised remediation plan. Most first-time implementers find significant documentation gaps and a few substantive control gaps. Substantial infrastructure gaps are less common in SaaS companies with modern cloud architectures — most already have technical controls like MFA, encryption, and access logging in place, just not documented.
Step 3: Build Your ISMS and Complete Mandatory Documentation
ISO 27001 requires a specific set of documents. Your auditor uses these as their primary evidence source. Missing or incomplete documentation is the most common reason organisations fail Stage 1.
Mandatory documentation includes:
| Document | What it covers |
|---|---|
| ISMS scope | Which systems, processes, and organisational units are covered |
| Information security policy | Top-level policy statement signed by management |
| Risk assessment methodology | How you identify, assess, and treat information security risks |
| Risk register | Live inventory of identified risks with likelihood, impact, and treatment decisions |
| Risk treatment plan | How identified risks will be addressed and by when |
| Statement of Applicability (SoA) | All 93 Annex A controls: whether each is applicable or excluded, the justification for that decision, and whether each applicable control is implemented |
| Information security objectives | Measurable targets for the ISMS |
| Internal audit programme | Schedule and methodology for internal audits |
| Management review records | Evidence that leadership reviews ISMS performance |
| Nonconformity and corrective action records | How you handle deviations from policy |
The Statement of Applicability deserves special attention. It is the first document most auditors request — it maps your risk treatment decisions to specific controls, and every control marked applicable must have evidence of implementation.
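Because the SoA is the document auditors go to first, it is worth checking mechanically before Stage 1 rather than by eye. The script below is an added example, not code from this page or from any vendor's product. It generates the 93 control identifiers of ISO/IEC 27001:2022 Annex A (37 organisational, 8 people, 14 physical, 34 technological) and checks an SoA exported as CSV for the problems a Stage 1 auditor would flag: controls missing from the SoA, rows without a justification, applicable controls claimed as implemented with no evidence reference, and identifiers that do not exist in Annex A. The CSV column names (control_id, status, implemented, justification, evidence) and the sample SoA are assumptions constructed for the example; adapt them to your own template.

```python
"""Check a Statement of Applicability against the ISO/IEC 27001:2022 Annex A control set.

Added example, not from the page or any vendor's product. It assumes the SoA is
exported as CSV with the (hypothetical) columns control_id, status, implemented,
justification and evidence.
"""
import csv
import io

# ISO/IEC 27001:2022 Annex A: four themes, 37 + 8 + 14 + 34 = 93 controls.
ANNEX_A_THEMES = {"5": ("Organizational", 37), "6": ("People", 8),
                  "7": ("Physical", 14), "8": ("Technological", 34)}
COLUMNS = ["control_id", "status", "implemented", "justification", "evidence"]


def annex_a_control_ids():
    """All 93 control identifiers in Annex A order: A.5.1 ... A.8.34."""
    return [f"A.{theme}.{n}" for theme, (_, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


def validate_soa(csv_text):
    """Return (severity, control_id, message) findings for an SoA CSV.

    'major' is what would stop you at Stage 1: a control missing from the SoA,
    a row without justification, an applicable control claimed implemented with
    no evidence reference, an identifier that is not in Annex A. 'minor' is a gap
    that belongs in the risk treatment plan: an applicable control not yet implemented.
    """
    ids = annex_a_control_ids()
    expected = set(ids)
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        status = row["status"].strip().lower()
        implemented = row["implemented"].strip().lower()
        if cid not in expected:
            findings.append(("major", cid, "not an Annex A (2022) control identifier"))
            continue
        if cid in seen:
            findings.append(("major", cid, "listed more than once"))
            continue
        seen.add(cid)
        if status not in ("applicable", "excluded"):
            findings.append(("major", cid, f"status must be applicable or excluded, got {status!r}"))
            continue
        if not row["justification"].strip():
            findings.append(("major", cid, f"no justification for marking the control {status}"))
        if status == "excluded":
            continue  # an exclusion needs a justification and nothing else
        if implemented not in ("yes", "partial", "no"):
            findings.append(("major", cid, f"implementation status must be yes/partial/no, got {implemented!r}"))
        elif implemented == "no":
            findings.append(("minor", cid, "applicable but not implemented; track it in the risk treatment plan"))
        elif not row["evidence"].strip():
            findings.append(("major", cid, f"implemented={implemented} but no evidence reference"))
    for cid in ids:  # anything never listed is a gap in the SoA itself
        if cid not in seen:
            findings.append(("major", cid, "missing from the SoA"))
    return findings


def build_sample_soa(defects=None):
    """Constructed sample SoA: every control applicable, implemented and evidenced,
    with the given rows altered (None removes the row) to show what the checks catch."""
    rows = {cid: dict(control_id=cid, status="applicable", implemented="yes",
                      justification="treats risk R-01", evidence=f"https://wiki.example/{cid}")
            for cid in annex_a_control_ids()}
    for cid, fields in (defects or {}).items():
        if fields is None:
            rows.pop(cid)
        else:
            rows.setdefault(cid, dict.fromkeys(COLUMNS, "")).update(control_id=cid, **fields)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows.values())
    return buf.getvalue()


# Constructed defects: one of each kind the validator is meant to catch.
SAMPLE_DEFECTS = {
    "A.7.4": None,                                          # physical security monitoring: row dropped
    "A.5.7": {"status": "excluded", "justification": ""},   # threat intelligence excluded, no reason given
    "A.6.1": {"evidence": ""},                               # screening: claimed implemented, nothing to show
    "A.8.12": {"implemented": "no"},                         # data leakage prevention: applicable, not done yet
    "A.9.1": {"status": "applicable", "implemented": "yes",
              "justification": "x", "evidence": "x"},        # identifier that does not exist in Annex A
}


def check_sample():
    """Run the validator over the constructed sample SoA."""
    return validate_soa(build_sample_soa(SAMPLE_DEFECTS))


if __name__ == "__main__":
    for severity, cid, message in check_sample():
        print(f"{severity:5} {cid:7} {message}")
```

Run it against a clean export and the findings list should be empty; against the constructed sample it reports four major findings and one minor. The same check is worth wiring into whatever stores your SoA so that a control silently dropped from the spreadsheet surfaces long before the auditor asks for the document.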
Step 4: Choose an Accredited Certification Body
Not all certification bodies carry the same recognition. Your certificate should come from a body accredited by a national accreditation body whose recognition is covered by the Global Accreditation Cooperation MRA, which succeeded the former IAF/ILAC arrangements in 2026.
National accreditation bodies by country:
| Country | Accreditation body |
|---|---|
| Germany | DAkkS (Deutsche Akkreditierungsstelle) |
| France | COFRAC (Comité français d'accréditation) |
| Netherlands | RvA (Raad voor Accreditatie) |
| United Kingdom | UKAS (United Kingdom Accreditation Service) |
| Norway | Norsk Akkreditering (NA) |
Well-known certification bodies operating across Europe include BSI Group, Bureau Veritas, TÜV SÜD, TÜV Rheinland, DNV, and LRQA. Get quotes from at least two or three — audit fees for mid-market companies typically range from €8,000 to €25,000 for the initial certification [1].
Ask potential certification bodies two practical questions: Do they have experience with your industry? And what is the current scheduling lead time? Some accredited bodies have 3–6 month waits for Stage 2 audits.
Step 5: Complete Your Internal Audit and Management Review
Before your certification audit, ISO 27001 (clauses 9.2 and 9.3) requires you to have completed at least one full cycle of:
Internal audit: An independent review of whether your ISMS conforms to ISO 27001 requirements and is implemented effectively. The internal auditor must be competent and independent from the areas being audited — this typically means either a qualified internal auditor from a different team or an external consultant.
Management review: A formal review by senior leadership of ISMS performance, including internal audit results, incidents, objective progress, and opportunities for improvement. The output must be documented — auditors routinely request management review records as evidence of top-management commitment.
Plan to have both completed before Stage 1: the Stage 1 auditor checks that internal audits and management reviews have been planned and performed, and completed records are mandatory before Stage 2. Auditors read the records directly, and a management review held two days before the audit raises questions about whether it was a genuine review or a box-ticking exercise.
Step 6: Pass Stage 1 and Stage 2 Audits
Stage 1: Documentation Review
Stage 1 typically lasts 1–2 days and focuses on whether your ISMS is designed correctly. The auditor reviews:
- ISMS scope document
- Information security policy
- Risk assessment and risk treatment documentation
- Statement of Applicability
- Internal audit and management review records
The output is a Stage 1 report identifying any major nonconformities (must be resolved before Stage 2) and minor nonconformities or observations (must be addressed but don't block certification). A clean Stage 1 is achievable if you've completed your documentation thoroughly.
Stage 2: Implementation Verification
Stage 2 is the main certification audit — typically 2–5 days on-site depending on organisation size. The auditor verifies that your ISMS operates as documented:
- Interviews: Auditors interview staff across departments — not just the CISO, but developers, operations, HR, and management. They want to confirm that people understand policies and follow procedures.
- Evidence review: Auditors request specific control evidence: access logs, vulnerability scan results, training records, incident reports, supplier assessments, and backup test results.
- Process observation: For operational controls, auditors may observe processes directly or review screenshots of running systems.
Passing Stage 2 means the auditor finds no major nonconformities. Minor nonconformities and observations are documented, and you commit to corrective actions. The certification body then issues your ISO 27001 certificate, valid for three years.
After Certification: Maintaining Your ISMS
Certification is not a one-time event. To maintain it:
Annual surveillance audits: In years 1 and 2, your certification body conducts shorter surveillance audits (typically 1–2 days) to verify continued compliance. These are less intensive than the initial audit but require up-to-date documentation and evidence.
Year 3 recertification: A full recertification audit, comparable in depth to Stage 2, is required before your certificate expires. Stage 1 is not normally repeated unless your ISMS or its scope has changed significantly.
Continuous evidence collection: The gap between annual audits is where most ISMS programmes struggle. Policies go unreviewed. Risk registers go stale. Training records lapse. Compliance automation tools that continuously collect evidence and alert on control gaps prevent the frantic catch-up before each audit.
ISO 27001 and EU Regulations
ISO 27001 is not a substitute for NIS2, DORA, or GDPR compliance, but it creates a strong foundation:
- NIS2 Article 21 risk management measures — access control, incident handling, supply chain security, cryptography — map closely to ISO 27001 Annex A controls
- DORA Article 6 ICT risk management framework requirements align with ISMS structure and documentation obligations
- GDPR Article 32 technical and organisational security measures are satisfied in part by ISO 27001 controls
For B2B companies operating across the EU, ISO 27001 certification alongside NIS2/DORA compliance is the standard baseline. Orbiq's ISMS software maps ISO 27001 controls to NIS2, DORA, and GDPR obligations so you maintain one evidence base for all three frameworks.
Getting Started
Orbiq helps B2B companies achieve ISO 27001 certification in less time by automating evidence collection, control monitoring, and documentation maintenance. The platform maps to NIS2, DORA, and GDPR so your ISMS programme covers all major EU obligations.
See how Orbiq accelerates ISO 27001 certification →
Related Reading
- ISO 27001 Certification: The Complete Guide for 2026
- ISO 27001 Checklist: 14-Step Implementation Roadmap
- ISO 27001 Certification Cost: Full Breakdown
- What Is an ISMS?
- NIS2 Compliance Guide
Sources & References
- High Table — How Much Does ISO 27001 Certification Cost? (2026 Price Guide)
- Secureframe — ISO 27001 Certification Timeline
- Glocert International — ISO 27001 Certification Process: Stage 1 vs Stage 2 Guide
- ISMS.online — ISO 27001:2022 Audit Cycle: Phases and Timelines Explained
- Tempo Audits — How to Get ISO 27001 Certified: A Step-by-Step Guide for 2026
- Global Accreditation Cooperation — Global ACI launch and MRA continuity
- ISO — ISO/IEC 27001 information security management systems
- Hyperproof — Steps to Achieve ISO 27001 Certification