ISO 27001 FAQ


ISO 27001 is an international standard for implementing an Information Security Management System (ISMS).

An ISMS consists of a set of policies, processes and controls to implement an information security program. ISO 27001 provides best practices for information protection according to three aspects:

  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.

In order to demonstrate compliance with the ISO 27001 standard, an external audit is required. 

An ISO 27001 audit requires an independent, competent and objective external auditor to review your ISMS program to confirm that it meets the requirements of the standard. It is important that the external audit is carried out by a ‘Certification Body’.

A Certification Body is an accredited organization with the competence to audit against ISO 27001.

The road to the certification looks like this:

  • Internal Audit
  • External Audit – Stage 1
  • External Audit – Stage 2
  • Certification
  • Surveillance Audit – every year
  • Recertification – every 3 years

The standard requires an Internal Audit to be carried out before an external audit can be performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in-house, it is important that the auditor is independent and has had no prior or current involvement in the development and implementation of the ISMS.

The Internal Audit review includes:

  • A documentation review of policies and procedures to confirm they adhere to the standard’s requirements
  • An evidence review, through sampling and analysis, to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The Internal Audit is meant to be continuous throughout the certification period (3 years).

An external audit is essentially the same as the internal audit, except that the outcome is the award of a certification!

The external audit starts with a stage 1 and a stage 2.

Stage 1: Consists of an extensive documentation review of your ISMS program. This typically lasts from a couple of hours to a day.

The outcome of the stage 1 is a list of findings (non-conformities) that would need to be remediated before moving to the Stage 2.

Stage 2: Consists of an extensive review of the evidence that supports the documentation provided during Stage 1, to confirm that the controls operate according to the ISO 27001 requirements. This takes more time than Stage 1 and can last from a couple of days to a week.

The outcome of the stage 2 is a list of findings (non-conformities) that would need to be remediated before being recommended for a certification.

An ISO 27001 certification is valid for three years.

That doesn’t mean you do nothing for 3 years, no!

ISO requires surveillance audits to be performed each year to ensure the ISMS program and controls continue to operate effectively.

ISO 27001 defines the requirements for ISMS and can be certified against.

ISO 27002 provides guidance on how to implement the ISO 27001 requirements. It cannot be certified against.
