You obtain an ISO 27001 certification by building an Information Security Management System (ISMS), demonstrably operating it, and then having it assessed by an independent, accredited certification body. The path is clearly structured: create the prerequisites, implement the ISMS, review it internally, and pass the external certification audit. Below you will find the common route, the prerequisites, and the role Kertos plays in it.
The prerequisites
Before the external audit can take place, a few fundamentals must be in place:
- A defined scope: clearly setting out which areas, systems, and information the ISMS covers.
- Leadership support: responsibilities, resources, and an information security policy are established.
- Risk assessment and SoA: risks are assessed, controls selected, and documented in the Statement of Applicability.
- Implemented controls: the relevant Annex A controls are introduced into day-to-day operations.
- Internal audit and management review: both must demonstrably have been carried out before the external audit.
The common route to certification
| Phase | What it involves |
| --- | --- |
| 1. Scope and preparation | Define the scope, carry out a gap analysis, set up the project. |
| 2. Risk assessment and planning | Assess risks, select controls, create the SoA and policies. |
| 3. Implementation | Implement controls, train employees, collect evidence. |
| 4. Internal review | Carry out the internal audit and management review, resolve nonconformities. |
| 5. Certification audit Stage 1 | Documentation review by the certification body, identification of open points. |
| 6. Certification audit Stage 2 | Assessment of effective implementation, followed by issuance of the certificate. |
Important: the certificate is valid for three years. After that come annual surveillance audits, and a recertification audit before expiry. The ISMS must demonstrably have been operating effectively for several weeks to months before the Stage 2 audit.
Who carries out the external audit
The certificate itself is issued solely by an independent, accredited certification body. For reasons of independence, that body is not allowed to also act as your consultant. Consulting, implementation, and preparation, however, may be carried out by your team or by a partner like Kertos.
How Kertos makes the path faster, more efficient, and cheaper
Kertos guides you through the entire path to certification and automates the most demanding steps. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:
- Faster: automated gap analysis, risk assessment, and evidence collection significantly shorten preparation.
- More efficient: policy templates and an automatically generated SoA avoid duplicated work.
- Cheaper: up to 60% cost savings compared to traditional consulting, with predictable costs.
- Continuous: after certification, compliance stays live, including preparation for surveillance and recertification audits.
- With expert responsibility: on request, Kertos takes on external CISO mandates and supports the external audit.
This is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, a customer satisfaction of 98%, and customers like AskUI reaching ISO 27001 certification in just 8 to 10 weeks. What is often a year-long project becomes a predictable, continuous process.