How do you get ISO/IEC 27001 certified?

Getting ISO 27001 certified covers two distinct processes: certifying an organisation (its ISMS receives a certificate from an accredited body) and certifying an individual (a person earns a PECB credential attesting to their competence).

To certify an organisation, the typical path has seven stages: define the ISMS scope; run a risk assessment (ISO 27005, EBIOS RM or another method); build the Statement of Applicability (SoA) listing the ISO 27002:2022 controls you retain; operate the ISMS for at least three to six months; commission an internal mock audit; undergo assessment by an accredited certification body (a documentation review followed by an on-site audit); then close major nonconformities and receive the certificate.

The organisational certificate is valid for three years, with annual surveillance audits and a full recertification audit at the end of the cycle. Total cost and duration depend on the size of the scope — expect roughly 6 to 18 months between project kick-off and the first certificate.

For an individual to become certified, the standard route is: attend official training (Foundation, Lead Implementer or Lead Auditor depending on the level); sit the PECB exam; assemble a professional-experience file; and pay the application and annual maintenance fees.

The two processes reinforce each other. Having a certified Lead Implementer in-house significantly accelerates organisational certification, while an organisational certificate makes it easier to put already-certified individual competencies to work.

Related Information

  • Organisational certification: 6 to 18 months depending on scope
  • Certification audit: accredited body, two stages (documentation review + on-site)
  • Organisational certificate validity: three years, with annual surveillance audits
  • Individual PECB certification: Foundation, Lead Implementer, Lead Auditor
  • Recognised risk-assessment methods: ISO 27005, EBIOS RM

Expert Insight

Organisations often ask 'how much' before 'what scope'. Reverse the order: a tightly defined, defensible scope is the single biggest lever on both cost and timeline. Certifying the whole company at once rarely pays off; certifying the ISMS that protects your most critical services usually does.

Explore related training

Browse all: Information Security

Browse all FAQs →

Full knowledge base

We use cookies to improve your experience

Necessary cookies are always active. You can accept, reject non-essential cookies, or customize your preferences.