Implementation Project

Step 12: Certification Audit

Written by

Aron Lange

Published

Sep 3, 2025

Step 12 marks the final phase of the ISO 27001 implementation journey, where the Information Security Management System (ISMS) undergoes a certification audit to validate compliance with the standard. Building on the foundation of previous steps—management support, risk treatment, performance evaluation, and continual improvement—this step involves engaging a certification body to assess the ISMS’s structure and effectiveness. The audit process, conducted in two stages, confirms whether the ISMS meets ISO 27001 requirements, culminating in the issuance of a certificate. This milestone signifies the successful completion of the implementation project and the organization’s commitment to information security.

Required Activities and Tasks

This step involves a streamlined set of activities to prepare for and successfully complete the certification audit, ensuring the ISMS is ready for external validation:

  1. Select and Engage a Certification Body: Research and request proposals from accredited certification bodies, review their approaches, timelines, and costs, and sign an engagement letter to initiate the process.

  2. Prepare for the Stage 1 Audit: Organize and provide documentation to the certification body for a review of the ISMS’s structure, ensuring it aligns with ISO 27001 requirements.

  3. Undergo the Stage 2 Audit: Facilitate a comprehensive assessment of the ISMS’s practical effectiveness through interviews, evidence reviews, and on-site inspections, addressing any auditor queries or findings.

  4. Finalize Certification and Address Findings: Resolve any nonconformities identified during the audits, obtain the ISO 27001 certificate upon successful completion, and maintain records of the process.

The milestone for this step is the issuance of the ISO 27001 certificate, marking the successful validation of the ISMS.

Deliverables of This Step

The outputs of Step 12 provide evidence of a compliant ISMS and the certification process:

  • Certification Body Engagement Letter: A signed agreement outlining the audit scope, timeline, and terms.

  • Stage 1 Audit Report: A document detailing the findings of the documentation review and any areas needing improvement.

  • Stage 2 Audit Report: A comprehensive report on the ISMS’s effectiveness, including any nonconformities and corrective actions taken.

  • ISO 27001 Certificate: The official certificate issued by the certification body upon successful audit completion.

These deliverables confirm the ISMS’s compliance and readiness for ongoing maintenance.

Normative References

This step is supported by the following standards:

  • ISO/IEC 27006-1: Specifies requirements and guidance for certification bodies conducting ISMS audits, ensuring competence and reliability in the certification process.

More information about the certification process can be found in the next section.