InfoSec

The Ultimate Roadmap to the ISO 27001 Certification: 10 Steps to Your Certificate

How to plan your ISMS, pass both audit stages, and keep the certification alive year after year.

Author
Catherine Higginson
Date
8.7.2026
Updated on
8.7.2026
The Ultimate Roadmap to the ISO 27001 Certification: 10 Steps to Your Certificate

A clear, ultimate roadmap to the ISO 27001 certification is the difference between a project that lands in 3 months and one that drags on for two years. Most teams don't fail because of the standard itself. They fail on sequence: they write policies before the scope is fixed, or they book the auditor before the internal audit has run. This guide puts the steps in the right order, names the documents an auditor actually wants to see, and shows where the time really disappears. Pair it with a purpose-built platform for ISO 27001 certification and several of these steps get considerably shorter.

How long does the ISO 27001 certification take?

Expect 3 to 10 months to reach the certificate, depending on maturity, company size, and resources. The certificate is then valid for 3 years and confirmed by annual surveillance audits. The current version of the standard is ISO/IEC 27001:2022, and that is exactly the version your auditor checks against.

The total duration splits across three phases with very different workloads. Smaller SaaS companies with clean cloud infrastructure hit the lower end of the range, while heavily regulated or legacy-heavy organizations land nearer the top. Teams that structure the build-out as a proper ISMS certification lose the least time in Phase 1.

<table><thead><tr><th>Phase</th><th>Core activities</th><th>Typical duration</th></tr></thead><tbody><tr><td>Phase 1: Planning &amp; ISMS build-out</td><td>Management commitment, scope, risk assessment, policies and controls</td><td>1 to 4+ months</td></tr><tr><td>Phase 2: Audit process</td><td>Auditor selection, internal audit, Stage 1 and Stage 2 audits</td><td>2 to 6 months</td></tr><tr><td>Phase 3: Maintenance</td><td>Continuous monitoring, surveillance audits, recertification</td><td>ongoing (3-year cycle)</td></tr></tbody></table>

The ultimate roadmap to the ISO 27001 certification in 10 steps

The following ten steps form the complete roadmap to the ISO 27001 certification, from first planning to long-term maintenance. Keep the order, because each step provides the foundation for the next. For the technical side of the work, it helps to understand the ISO 27001 controls defined in Annex A of the standard.

Phase 1: Planning and building the ISMS

Step 1: Project plan and management commitment. Before you write a single policy, you need a project plan with owners, milestones, and dates. Without visible backing from leadership, every ISMS project stalls. Germany's BSI sets out in its guidance why the leadership level must formally take responsibility.

Step 2: Define the scope. Decide which information assets, locations, systems, and teams the ISMS covers. Too broad a scope drives up the effort, too narrow a scope loses credibility with customers. Frame the scope so it captures exactly the systems your customers care about.

Step 3: Risk assessment and gap analysis. Now you inventory your assets, identify threats, score risks against a defined methodology, and derive treatment measures. The gap analysis shows in parallel which controls are still missing. These two analyses form the foundation for your Statement of Applicability.

Step 4: Implement policies and controls. Based on the gap analysis, you close the gaps through policies, technical measures, and access controls. This is where it's decided whether the ISMS is lived or merely documented. Modern ISO 27001 compliance tools automate evidence collection for many of these controls.

Step 5: Run employee training. Security awareness, safe everyday habits, and a clear reporting path for incidents belong in every conformant ISMS. The auditor checks whether training took place and is documented. Refresh the content whenever roles or systems change.

Phase 2: The audit process

Step 6: Prepare the certification audit and choose an auditor. Select an accredited certification body. In Germany, the national accreditation body DAkkS shows which bodies are approved for ISO 27001. Watch the independence between consulting and certification.

Step 7: Internal audit and readiness check. An internal audit surfaces remaining gaps before the external auditor finds them. Organize all evidence so it is quick to locate. This step often decides whether Stage 1 runs smoothly.

Step 8: Stage 1 audit (documentation review). The auditor checks your documentation for completeness and conformance. If something is missing, you receive a nonconformity that you must fix before Stage 2. Treat Stage 1 as a dress rehearsal, not a formality.

Step 9: Stage 2 audit (implementation review). Now the auditor examines, on-site or remote, whether the controls are actually effective. They assess risk management, asset management, incident response, and the adequacy of the measures. Pass this audit and the certificate is issued.

Phase 3: Maintenance and recertification

Step 10: Establish continuous compliance. After certification, the ongoing task begins: surveillance audits in years 1 and 2, recertification before the 3 years expire. Teams that automate the move from certification to continuous compliance save significant effort at every follow-up audit. That turns the standard into an operating state rather than an annual fire drill.

Which documents does the ISO 27001 auditor require?

The auditor expects a defined set of evidence that reflects the entire ISMS cycle. If one of these documents is missing in Stage 1, the whole roadmap slips. Prepare the following items early and in full.

Document Purpose
ISMS scope statement Defines the boundaries of the management system
Statement of Applicability (SoA) Justifies which Annex A controls apply
Information security policy Sets objectives and responsibilities
Risk assessment and risk treatment plan Shows methodology, results, and measures
Internal audit and management review Evidences the effectiveness check by the organization

These documents are not an end in themselves. They prove that your ISMS is planned, implemented, and reviewed, meaning it runs through the full cycle the standard requires.

Common obstacles on the way to certification

Most delays come not from the standard but from avoidable organizational mistakes. Knowing them lets you plan the roadmap to the ISO 27001 certification more realistically. Four patterns show up in almost every project.

First, the supplier area: third-party risks get assessed once and then never updated. The EU Agency for Cybersecurity points out in its analyses how central supply chain risk has become. Build a recurring reassessment into the plan.

Second, evidence upkeep: evidence gets scrambled together right before the audit instead of collected continuously. That produces gaps and contradictions an auditor spots immediately. Continuous capture beats every last-minute effort.

Third, the resource conflict: compliance work competes with day-to-day operations, and the project loses momentum. A realistic plan with clear owners and, where possible, a structured start through an ISO 27001 boot camp keeps the momentum going. Fourth, scaling: what works at 30 employees breaks at 250 if processes don't grow with the company.

Frequently asked questions about the ISO 27001 certification

How much does the ISO 27001 certification cost? The cost combines internal effort, any consulting, tooling, and the audit fees of the certification body. For small and mid-sized companies, the total investment often sits in the mid five figures, and automation noticeably lowers the internal effort.

Can I get certified without external consulting? Yes, technically it's possible, especially with a platform that automates evidence. Many teams combine software with targeted expertise to avoid expensive mistakes in the scope and the Statement of Applicability.

What's the difference between the Stage 1 and Stage 2 audit? Stage 1 checks your documentation for completeness, Stage 2 checks the actual effectiveness of the controls in practice. Both are part of the same certification audit and build on each other.

How often do I have to recertify? The certificate is valid for 3 years. Surveillance audits take place in years 1 and 2, and recertification is due before it expires. Continuous compliance makes those follow-up audits much easier.

A good roadmap doesn't end with the certificate. It ends with a system that keeps itself current. That is exactly where Kertos comes in: the platform combines automated evidence collection with European compliance expertise, so you don't just reach ISO 27001, you hold it. If you'd like to walk through your specific roadmap, book a demo and we'll go through it together.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Ultimate Roadmap to the ISO 27001 Certification: 10 Steps to Your Certificate
Ready, your compliance to put on autopilot?
Dr. Kilian Schmidt

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.

Ready to simplify GDPR compliance?

CTA Image

📅 Schedule Your 5min Compliance Check

Please enter your business email to continue. We require a company email address to ensure we can best serve your organization.

📞 5min Compliance Check