What are the steps in the ISO 27001 certification process?

The path to ISO 27001 certification follows a clear sequence of steps that fall into two phases: building and operating the Information Security Management System (ISMS), and then the external certification audit. The standard prescribes the outcome, not every individual project step. In practice, however, a proven sequence has become established that reliably meets the requirements.

The steps at a glance

Step: What it involves

1. Define the scope: determine which areas, locations, systems, and information the ISMS covers.
2. Secure leadership support: establish responsibilities, resources, and an information security policy.
3. Gap analysis: compare the current state against the standard's requirements and identify gaps.
4. Risk assessment and treatment: identify and evaluate risks, then select appropriate controls.
5. Statement of Applicability (SoA): document which Annex A controls are applicable, whether each is implemented, and the justification for including or excluding it.
6. Implement policies and controls: bring the selected controls into day-to-day operation.
7. Training and awareness: prepare employees for their role in information security.
8. Internal audit: check the effectiveness of the ISMS internally and record any nonconformities.
9. Management review: leadership reviews the ISMS performance, objectives, and need for improvement.
10. Certification audit (Stage 1 and 2): external assessment by an accredited certification body, followed by issuance of the certificate.

The two phases of the external audit

The certification audit itself takes place in two stages:

  • Stage 1 (documentation review): the certification body checks whether the ISMS is documented and fundamentally ready. It identifies areas that need to be addressed before Stage 2.
  • Stage 2 (implementation audit): over several days, on site or remotely, the auditors assess whether the ISMS is actually lived and whether the controls work in practice. On success, the certificate is issued and is valid for three years, subject to annual surveillance audits in years one and two and a recertification audit before it expires.

Important note: the ISMS must demonstrably have been operating for several weeks to months before the Stage 2 audit, because the auditors look for records (risk treatment decisions, access reviews, incident handling, audit logs) that only accumulate while the controls are in use. The internal audit and management review are mandatory requirements of the standard (clauses 9.2 and 9.3) and must be completed, with their results documented, before the external audit.

How Kertos structures and accelerates the process

Kertos guides you step by step through the entire certification process and automates the most demanding parts. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:

  • Guided project plan: the platform translates the steps into concrete tasks with ownership and deadlines.
  • Automated gap analysis and risk assessment: gaps become visible early, and risks are linked directly to controls.
  • Templates and evidence collection: policies, the SoA, and evidence are prepared and continuously mapped.
  • Expert-led audit support: Kertos supports the internal audit, the management review, and both Stage 1 and Stage 2.

The outcome is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, and customers like AskUI reaching ISO 27001 certification in just 2.5 months. A complex process becomes a predictable, traceable path.
