Ga naar inhoud

ISO 27001 certification

ISO 27001 certification is formal proof that your organisation runs and continually improves an information security management system (ISMS) using plan-do-check-act. The certificate does not mean you are immune to incidents; it shows you identify risks systematically, choose appropriate controls (often mapped to Annex A) and can demonstrate they work in operations. External auditors sample scope, risk assessment, Statement of Applicability, internal audit and management review. For SaaS vendors, SMEs and supply-chain suppliers, certification is often a commercial and legal accelerator alongside NIS2 and GDPR expectations — provided scope is honest and evidence stays traceable.

Book an informal conversation

ISO Ready helps you align policy, risk, and evidence — without endless document churn.

Run the ISO 27001 readiness scan

ISO 27001 certification is formal proof that your organisation runs an information security management system (ISMS) aligned with ISO/IEC 27001 and reviewed annually by an independent certification body. The certificate does not mean you are breach-proof — it shows you treat risks seriously, choose controls that fit your context, and improve on measurable signals.

For B2B SaaS vendors, SMEs chasing enterprise contracts, and suppliers in regulated chains, certification is often a commercial accelerator — provided scope is honest and evidence stays traceable from policy to configuration and tickets.

What does this mean?

Certification rests on evidence. The standard requires clear scope, context, risk assessment, Statement of Applicability (SoA), internal audit, and management review in a plan-do-check-act cycle. Stage 1 reviews documentation readiness; stage 2 samples whether controls operate in practice.

Annex A controls (2022 structure: organisational, people, physical, technological) are selected through risk — not every control applies, but exclusions need rationale. Surveillance audits follow, typically yearly, checking that the ISMS still works and improves.

Auditors sample risks and follow the trail from policy to logs and change records. Gaps between ‘what the PDF says’ and ‘what happens on a Friday deploy’ drive major non-conformities. Mature teams keep decision-making minimal but consistent: who approves, where the ticket lives, how exceptions are handled.

Multi-site and cloud-native scope adds complexity — identity providers, CI/CD, subprocessors, and support tooling must be in or explicitly out of scope with defensible arguments.

Certification bodies differ in sector experience and stage 1 depth — choose one accredited for your market and align scope early.

Who is this for?

Board and leadership funding the programme; CISOs and security leads building repeatable processes; product and engineering needing clear secure SDLC boundaries; compliance officers answering customer and regulator questions.

SMEs benefit from tight scope and strong cadence on top risks — not volume for its own sake. Scale-ups integrating acquisitions must revisit scope each time or auditors find shadow IT outside the ISMS.

Procurement-heavy sectors (finance, health, energy) often contractually require ISO 27001 or equivalent assurance — certification speeds due diligence.

HR matters for onboarding, offboarding, and privileged access — frequent audit themes even when technical baselines look solid.

What steps or requirements apply?

Typical milestones: scope and context; risk assessment; SoA; core policies and procedures; implement controls in IAM, logging, SDLC, vendors, IR, BCP; internal audit; management review; stage 1; corrective actions; stage 2.

Assign an ISMS owner with management mandate. Run at least one full PDCA cycle with closed improvement actions before stage 2 — ‘audit as a one-week project’ fails at first surveillance.

Evidence map per risk and SoA control — not a folder of PDFs without narrative. Link to scope and context and risk assessment.

Plan surveillance rhythm and budget for three-year TCO — not year-one certificate fee only.

Common mistakes

Documentation disconnected from risks — pretty policies without config or ticket proof. Scope too narrow while production customer data sits outside — auditors follow data and contracts.

Vendor chaos: no subprocessor register, no exit strategy, no monitoring of contractual security clauses. PDCA only alive audit week — surveillance exposes the gap.

Undervaluing HR processes — access reviews and leavers not reproducible. Inconsistent scope between certificate, privacy notice, and sales decks.

Promising customers a certificate date before management commits budget and timeline.

Practical action plan

Sequence: confirm scope with leadership; map data flows and vendors; risk register with treatment; Annex A selection and SoA; priority-1 controls with owners; internal audit with real ticket samples; management decisions; stage 1 alignment; stage 2 with buffer for corrections.

Use readiness assessment if sales-driven and time-boxed. Deep links: implementation roadmap, certification costs, audit preparation.

Make cadence visible in a simple roadmap — IAM, engineering, vendors, incidents — so auditors see normal rhythm, not a one-off cleanup.

After certification: feed incidents, CVEs, and vendor events back into risk and SoA within defined SLAs.

Relationship with ISO 27001, NIS2, GDPR or ISMS

ISO 27001 certifies the ISMS; read the ISMS hub for the broader model. NIS2 adds legal duties on board accountability and chain — many controls overlap; tag NIS2-specific items in one register.

GDPR and ISO 27001: Article 32 measures align with many Annex A themes; privacy remains its own discipline with DPIAs and data subject rights.

Vendor management and EU hosting choices glue chain, GDPR transfer, and Annex A — one supplier register beats three silos.

Align terminology with sales and legal before rolling policies wide — auditors hear different definitions of ‘scope’ or ‘incident’ in interviews when teams diverge.

Certification scope on the certificate must match customer contracts — legal review of scope wording before stage 2 prevents post-audit sales friction.

Stage 1 gaps are normal — treat them as a prioritised backlog with owners, not as failure. Rushing stage 2 with open documentation gaps increases major findings.

Surveillance auditors compare this year to last — show improvement actions closed and new risks from cloud or AI features reflected in registers.

Multi-framework alignment (SOC 2 + ISO) can reuse evidence — map controls once, tag framework, avoid duplicate collection per customer questionnaire.

Certificate marketing: use exact scope language approved by certification body — overstating scope in sales decks creates legal and audit reputation risk.

Certificate scope language should match your DPA and security appendix templates — legal alignment before stage 2 avoids customer-facing contradictions after audit.

Surveillance year two auditors revisit prior findings first — maintain a closure pack with ticket IDs and evidence paths ready before they arrive.

Certification communication plan aligns sales, support, and legal on exact certificate scope wording before announcement — overselling controls outside scope creates contractual and audit reputation risk simultaneously.

Surveillance preparation starts at month nine of cycle — evidence collected continuously beats month-eleven scramble that certification bodies recognise immediately in timestamp clusters.

Certificate scope statement reviewed by certification body before marketing use — prevents customer contract mismatch weeks after celebration.

Pre-stage 2 checklist signed by ISMS owner and executive sponsor — shared accountability reduces last-minute scope arguments.

Stage 1 auditors review documentation and scope; stage 2 samples operational controls — plan at least one full PDCA cycle between them so corrective actions from internal audit are closed, not open.

Certificate scope wording is negotiated with the certification body before stage 2 — align it with customer contracts and your ISMS scope statement to avoid post-certification surprises in enterprise due diligence.

Surveillance audits verify the ISMS still operates — budget annual audit days and internal prep time; letting PDCA stall after initial certification is a common surveillance finding.

Non-conformities require root cause and corrective action — certification bodies expect evidence of fix, not only a promise; track CAPA in the same system as risks.

Multi-site organisations define central versus local scope — auditors sample each site in scope; undocumented shadow IT at a branch fails stage 2 quickly.

Pre-stage 2 checklist signed by ISMS owner and executive sponsor — alignment before auditors arrive reduces scope debate under time pressure.

Keep certification body correspondence in one folder — scope and timing disputes trace back to emails.

Key takeaways

  • Link controls to risk treatment and your Statement of Applicability — avoid policy-only boxes.
  • Assign owners, review cadence, and measurable acceptance criteria for every material action.
  • Use sampling and KPIs to show controls work in operations — not only that they were planned.
  • Align incidents and vendor changes with privacy/legal where personal data or chain risk is involved.

Veelgestelde vragen

Where should I start this week?
Confirm scope and owners, capture current practice with light evidence, then schedule an internal audit sample on the highest-risk area.
How much documentation is enough?
Enough to demonstrate decisions, operation, and monitoring. Auditors look for consistency between records and reality.
Does this relate to NIS2?
Often, for governance, logging, incidents, and supply chain assurance — map overlaps to avoid duplicate registers.
How does ISO Ready help?
ISO Ready centralises actions, evidence, risks, and audit prep — use the on-page CTA with the correct campaign tag.
What is the difference between ISO 27001 and a one-off readiness scan?
A scan is a snapshot. Certification requires a full PDCA cycle with evidence that controls operate and improve over time — not only at audit week.

Run the ISO 27001 readiness scan

See where you stand before investing in documents or consultants.

Start the readiness scan