How to Get ISO 27001 Certified: A Step-by-Step Guide for 2026
ISO 27001 certification demonstrates to customers, partners, and regulators that your organisation has a robust, independently audited information security management system. For SaaS and technology companies, achieving this certification is often a requirement for winning enterprise contracts and building trust.
Getting certified isn't complicated, but it does require planning, commitment, and attention to detail. This guide walks through the entire process step by step, from securing management support to maintaining your ISMS after the certificate is issued.
Understanding ISO 27001 and the Certification Process
ISO 27001 is an international standard for information security management. It provides a framework for identifying risks, implementing controls, and continuously improving how your organisation protects information assets.
Certification is the formal, third-party audit process that confirms your Information Security Management System (ISMS) meets the requirements of the standard. Once certified, you can demonstrate to customers and partners that your security practices have been independently verified.
The certification process consists of two main audit stages:
Stage 1 Audit (Documentation Review): The auditor reviews your ISMS documentation - policies, procedures, risk assessments, and the Statement of Applicability - to confirm that your system is designed to meet ISO 27001 requirements. This typically happens remotely and takes one to two days depending on your organisation's size.
Stage 2 Audit (Implementation Audit): The auditor assesses whether your ISMS is operating effectively in practice. This involves interviewing staff, reviewing evidence, observing processes, and validating that the controls documented in Stage 1 are actually implemented and working. Stage 2 audits are more detailed and usually take place over several days.
Successfully passing both stages leads to certification, which is valid for three years with annual surveillance audits to ensure ongoing compliance.
How Long Does ISO 27001 Certification Take?
The timeline varies based on your current security posture, the size of your organisation, and the resources you dedicate to the project.
For most SaaS and tech companies, the process takes three to twelve months from initial planning to certification. Organisations with mature security programmes or those using automation platforms may complete the process in three to six months. Companies starting from scratch or with limited resources may take closer to a year. The fastest a Tempo client has gone from the start of implementation to certification is 4 months, but that required a large time commitment.
Key phases include:
Preparation (2 - 9 months): Developing your ISMS, conducting risk assessments, implementing controls, writing policies, and gathering evidence.
Internal readiness activities (2 - 4 weeks): Performing internal audits, management reviews, and pre-audit checks.
Certification audit (3 - 6 weeks): Scheduling and completing Stage 1, addressing any findings, then moving to Stage 2 and resolving any final nonconformities.
Organisations that already hold a SOC 2 report often move faster, as many controls overlap between the two frameworks.
Step 1: Secure Management Commitment and Define the Project Team
ISO 27001 certification begins with leadership. Without executive sponsorship, the project will struggle to secure the time, budget, and cross-functional cooperation it requires.
Management must formally commit to information security, allocate resources, and appoint someone to lead the ISMS implementation. This is typically a Head of Security, Information Security Manager, Operations Lead, or CTO, depending on the size of your organisation.
Your project team should include representatives from IT, engineering, operations, HR, legal, and any other departments that handle sensitive information. Defining roles early ensures accountability and prevents delays later in the process.
Step 2: Define the Scope of Your ISMS
The scope defines which parts of your organisation, which systems, and which information assets will be covered by your ISMS. A well-defined scope is essential - it determines what will be audited and what controls you need to implement.
For SaaS companies, the scope usually includes:
The production environment and infrastructure that support your customer-facing product
Internal systems that store, process, or transmit customer data
Key business processes such as product development, customer support, and incident response
Physical or cloud-based locations where sensitive information is stored or processed
You should document your scope clearly, including any exclusions and justifications. The auditor will review this during Stage 1 to confirm it's appropriate and complete.
Step 3: Conduct a Gap Analysis
A gap analysis compares your current information security practices against the requirements of ISO 27001. This helps you understand what's already in place and what needs to be built, documented, or improved.
You can conduct this analysis internally or work with an external consultant. Either way, the goal is to identify gaps in:
Documentation (policies, procedures, and records)
Technical and organisational controls
Risk management processes
Compliance with ISO 27001 clauses and Annex A controls
The output of the gap analysis becomes your implementation roadmap, prioritising the work needed to reach certification readiness.
Step 4: Perform a Risk Assessment and Risk Treatment Plan
Risk assessment is the foundation of ISO 27001. You must identify information security risks, evaluate their likelihood and impact, and decide how to treat them.
Your risk assessment should cover:
Assets: What information, systems, and processes need protection?
Threats: What could go wrong (e.g., cyberattacks, human error, system failures)?
Vulnerabilities: What weaknesses could threats exploit?
Risk evaluation: What is the likelihood and impact of each risk?
Once risks are identified, you create a Risk Treatment Plan (RTP) that specifies how each risk will be managed. Options include:
Mitigate: Implement controls to reduce the risk
Accept: Acknowledge the risk and accept the consequences
Transfer: Use insurance or third-party services to shift the risk
Avoid: Change processes to eliminate the risk entirely
Your RTP must be documented and approved by management. It directly informs which Annex A controls you will implement.
Step 5: Select and Implement ISO 27001 Controls
ISO 27001:2022 Annex A contains 93 security controls organised into four themes: organisational, people, physical, and technological. Your risk assessment determines which controls are applicable to your organisation.
You must document your control selection in a Statement of Applicability (SoA). The SoA lists every Annex A control, states whether it's applicable, provides justification, and describes how it's implemented.
Common controls for SaaS companies include:
Access control policies and user access reviews
Encryption for data in transit and at rest
Secure software development lifecycle practices
Incident response and business continuity planning
Logging, monitoring, and vulnerability management
Supplier security assessments
Implementing these controls is often the most time-consuming part of the certification process. You'll need to configure systems, deploy technologies, update processes, and train staff.
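To make the chain from Step 4 to Step 5 concrete (risk register, treatment decision, Annex A control, Statement of Applicability row), here is a small worked example. It is added here and is not code from the original article or from Tempo Audits. The likelihood x impact scoring, the 1 to 5 scales, the risk appetite threshold and the sample risks are all constructed assumptions: ISO 27001 requires a defined and repeatable risk methodology but does not prescribe one. The Annex A identifiers are a handful of ISO 27001:2022 controls with shortened titles; check them against the standard's own text before reusing them.

```python
"""Risk register -> risk treatment plan checks -> Statement of Applicability rows.

Assumed methodology (not prescribed by ISO 27001): likelihood and impact are rated
1-5, risk score = likelihood * impact, and scores at or below RISK_APPETITE may be
accepted without further treatment.
"""
from dataclasses import dataclass

SCALE = range(1, 6)
RISK_APPETITE = 6                      # assumed acceptance threshold
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}   # the four options in Step 4

# Subset of ISO 27001:2022 Annex A control identifiers (titles shortened).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.18": "Access rights",
    "A.5.19": "Information security in supplier relationships",
    "A.5.24": "Incident management planning and preparation",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.16": "Monitoring activities",
    "A.8.24": "Use of cryptography",
    "A.8.25": "Secure development life cycle",
}


@dataclass(frozen=True)
class Risk:
    id: str
    asset: str            # what needs protection
    threat: str           # what could go wrong
    vulnerability: str    # the weakness the threat would exploit
    likelihood: int
    impact: int
    treatment: str        # mitigate / accept / transfer / avoid
    controls: tuple = ()  # Annex A IDs applied when the treatment is "mitigate"
    owner: str = ""


def score(risk: Risk) -> int:
    """Inherent risk score on the assumed 1-25 scale."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.id}: likelihood and impact must be between 1 and 5")
    return risk.likelihood * risk.impact


def level(value: int) -> str:
    """Qualitative band used for prioritisation (assumed thresholds)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def prioritised(risks: list[Risk]) -> list[str]:
    """Risk IDs ordered highest score first: the order to work the treatment plan."""
    return [r.id for r in sorted(risks, key=score, reverse=True)]


def rtp_issues(risks: list[Risk]) -> list[str]:
    """Checks an auditor would raise against the RTP: each risk has a valid,
    justified treatment, a named owner, and (if mitigated) linked controls."""
    issues = []
    for r in risks:
        s = score(r)
        if r.treatment not in TREATMENTS:
            issues.append(f"{r.id}: unknown treatment '{r.treatment}'")
        elif r.treatment == "mitigate" and not r.controls:
            issues.append(f"{r.id}: 'mitigate' chosen but no Annex A control linked")
        elif r.treatment == "accept" and s > RISK_APPETITE:
            issues.append(f"{r.id}: accepted with score {s} above appetite "
                          f"{RISK_APPETITE}; needs documented management sign-off")
        for c in r.controls:
            if c not in ANNEX_A:
                issues.append(f"{r.id}: control {c} is not an Annex A identifier")
        if not r.owner:
            issues.append(f"{r.id}: no risk owner assigned")
    return issues


def build_soa(risks: list[Risk]) -> dict:
    """One row per Annex A control: applicable if some risk is treated by it,
    with the justification the SoA must carry either way."""
    rows = {}
    for cid, title in ANNEX_A.items():
        treating = [r.id for r in risks if cid in r.controls]
        rows[cid] = {
            "title": title,
            "applicable": bool(treating),
            "justification": (f"treats {', '.join(treating)}" if treating
                              else "no risk in the register requires this control"),
        }
    return rows


# Constructed sample register for a SaaS company (illustrative values only).
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "credential theft", "no MFA on admin accounts",
         4, 5, "mitigate", ("A.5.15", "A.5.18"), "Head of Security"),
    Risk("R-02", "CI pipeline", "malicious dependency", "unpinned third-party packages",
         3, 4, "mitigate", ("A.8.25", "A.8.8"), "Engineering Lead"),
    Risk("R-03", "office printer", "hardware failure", "single device, no spare",
         2, 1, "accept", (), "Operations"),
    Risk("R-04", "cloud backups", "storage bucket exposure", "misconfigured permissions",
         3, 5, "accept", (), ""),           # deliberately flawed entry: two RTP issues
    Risk("R-05", "payment processing", "card data breach", "handling card data in-house",
         2, 5, "transfer", (), "CFO"),      # transferred to a payment provider
]

if __name__ == "__main__":
    for rid in prioritised(SAMPLE_RISKS):
        r = next(x for x in SAMPLE_RISKS if x.id == rid)
        print(f"{rid} {level(score(r)):6} {score(r):2} {r.treatment:8} {r.asset}")
    print("RTP issues:", *rtp_issues(SAMPLE_RISKS), sep="\n  ")
    for cid, row in build_soa(SAMPLE_RISKS).items():
        print(cid, "applicable" if row["applicable"] else "n/a", "-", row["justification"])
```

The point of `rtp_issues` is the "inadequate risk treatment" challenge later in this guide: a risk marked "mitigate" with no control attached, or an accepted risk above appetite with no owner, is exactly what a Stage 1 reviewer will flag. Note that in a real SoA some controls are applicable for legal, contractual or baseline reasons rather than because a register entry points at them; record that reason in the justification column rather than leaving the control marked not applicable.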
Step 6: Develop Policies, Procedures, and Documentation
ISO 27001 requires a defined set of documentation to demonstrate how your ISMS operates. This includes:
Information Security Policy: A high-level statement of your organisation's commitment to information security, approved by top management
Risk Assessment Methodology: How you identify and evaluate risks
Risk Treatment Plan: How you address identified risks
Statement of Applicability: Your control selection and implementation status
Operational procedures: Detailed instructions for implementing each control (e.g., access control procedures, incident response playbooks, change management workflows)
Records: Evidence that processes are followed (e.g., access reviews, audit logs, training records, incident reports)
Your documentation should be clear, practical, and aligned with how your organisation actually works. Auditors will check whether documented procedures match reality, so avoid creating policies that exist only on paper.
Step 7: Deliver Information Security Awareness Training
Your employees are a critical part of your ISMS. ISO 27001 requires that staff understand their information security responsibilities and receive appropriate training.
Training should cover:
The importance of information security and the ISMS
Roles and responsibilities
Key policies and procedures (e.g., acceptable use, password management, incident reporting)
How to recognise and respond to security threats (e.g., phishing, social engineering)
You must maintain records of who has completed training and when. Many organisations deliver training during onboarding and provide annual refresher sessions.
Step 8: Conduct an Internal Audit
Before engaging a certification body, you should perform an internal audit of your ISMS. This is a requirement of ISO 27001 and a valuable opportunity to identify and fix issues before the formal audit.
Your internal audit should:
Verify that documented processes are being followed
Check that evidence is complete and accessible
Confirm that controls are operating effectively
Identify any nonconformities or areas for improvement
Document your findings and corrective actions. The certification auditor will review your internal audit records during Stage 1.
Step 9: Perform a Management Review
Management review is a formal meeting where leadership evaluates the performance of the ISMS. This ensures accountability and continuous improvement.
The review should cover:
Internal audit results
Risk assessment updates
Security incidents and corrective actions
Changes to the scope or context of the ISMS
Performance metrics and objectives
The full list of inputs and outputs required for a management review is set out in the ISO 27001 standard.
Management must document their decisions and any actions required. This record will be reviewed during the certification audit.
Step 10: Select an Accredited Certification Body
Choosing the right auditor is critical. Not all certification bodies are the same, and the auditor you select will influence the quality and efficiency of your certification experience.
When evaluating certification bodies, consider:
Accreditation: Ensure they are accredited by a recognised body (e.g., UKAS in the UK, ANAB in the US)
Industry expertise: Do they understand SaaS, tech, and cloud environments?
Audit approach: Are they collaborative and practical, or overly bureaucratic?
Speed and availability: How quickly can they schedule your audit?
Remote vs on-site capability: Can they conduct audits remotely if needed?
Tempo Audits specialises in ISO 27001 certification for SaaS and technology companies. With a focus on cybersecurity, remote-first audits, and a collaborative approach, Tempo helps fast-growing teams achieve certification with less friction and clearer communication.
Step 11: Prepare for and Complete the Stage 1 Audit
Once you've selected a certification body, they will schedule your Stage 1 audit. This is a documentation review conducted remotely in most cases.
The auditor will review:
Your scope definition
Information security policy
Risk assessment and risk treatment plan
Statement of Applicability
Key policies and procedures
Evidence that your ISMS is operational (e.g., internal audit and management review records)
The auditor may identify minor gaps (raised as “Areas of Concern”) or request clarifications. These are typically easy to address. If significant issues are found, you may need to update your documentation before proceeding to Stage 2.
Stage 1 usually takes one to two days, depending on your organisation's size and complexity.
Step 12: Prepare for and Complete the Stage 2 Audit
The Stage 2 audit is the main certification audit. The auditor will verify that your ISMS is implemented and operating effectively.
During Stage 2, the auditor will:
Interview staff across your organisation to confirm they understand and follow security processes
Review evidence such as logs, access control records, change requests, and incident reports
Observe how controls operate in practice (e.g., how access is granted, how incidents are handled)
Test the effectiveness of technical and organisational controls
Assess conformity with ISO 27001 requirements
Stage 2 audits typically take several days and may be conducted on-site or remotely, depending on your preference and the certification body's approach.
If the auditor identifies nonconformities, you will need to address them before certification can be granted. Minor issues can usually be resolved quickly with corrective action plans; major nonconformities may require additional audit activity.
Step 13: Address Nonconformities and Achieve Certification
If the auditor raises any nonconformities during Stage 2, you must investigate the root cause, implement corrective actions, and provide either evidence that the issue has been resolved (for major nonconformities) or a plan showing how it will be closed (for minor nonconformities).
Once all findings are closed, the certification body issues your ISO 27001 certificate. This is typically valid for three years from the date of issue.
You will receive a formal certificate and may also be listed on your certification body's directory of certified organisations, which customers and partners can reference.
Step 14: Maintain Your ISMS and Prepare for Surveillance Audits
Certification is not the end - it's the beginning of ongoing compliance. ISO 27001 requires continuous operation and improvement of your ISMS.
You will undergo surveillance audits annually (typically at 12 and 24 months after certification). These are shorter audits that confirm your ISMS remains effective and you continue to meet ISO 27001 requirements.
To maintain certification, you must:
Keep policies and procedures up to date
Perform regular internal audits
Conduct annual management reviews
Update your risk assessment as your business evolves
Address security incidents and nonconformities promptly
Maintain records and evidence
At the end of the three-year period, you will undergo a recertification audit, which is similar in scope to the original Stage 2 audit.
Common Challenges and How to Overcome Them
Even well-prepared organisations encounter obstacles during the certification process. Here are the most common challenges and practical ways to address them:
Inadequate risk treatment: Many organisations struggle to document clear, actionable risk treatment plans. Ensure your RTP is specific, linked to controls, and approved by management.
Insufficient evidence: Auditors need proof that your ISMS is operating, not just documented. Collect evidence throughout the implementation phase - don't wait until the audit.
Competing priorities: Security projects often compete with product development and customer demands. Secure executive sponsorship early and dedicate focused time to ISMS work.
Lack of expertise: If your team lacks ISO 27001 experience, consider external support during the implementation phase or use automation platforms to guide the process.
Final Thoughts
Getting ISO 27001 certified requires structure, discipline, and collaboration - but it's entirely achievable for SaaS and technology companies of any size. By following a clear process, engaging the right expertise, and treating your ISMS as an ongoing commitment rather than a one-time project, you can achieve certification and build lasting trust with your customers.
Whether you're starting from scratch or already have mature security practices, ISO 27001 certification demonstrates to the market that your organisation takes information security seriously. With the right preparation and the right auditor, the process can be smooth, efficient, and genuinely valuable to your business.