Getting ISO 27001 certified covers two distinct processes: certifying an organisation (its ISMS receives a certificate from an accredited body) and certifying an individual (a person earns a PECB credential attesting to their competence).
To certify an organisation, the typical path has seven stages: define the ISMS scope; run a risk assessment (ISO 27005, EBIOS RM or another method); build the Statement of Applicability (SoA) listing the ISO 27002:2022 controls you retain; operate the ISMS for at least three to six months; commission an internal mock audit; undergo assessment by an accredited certification body (a documentation review followed by an on-site audit); then close major nonconformities and receive the certificate.
The organisational certificate is valid for three years, with annual surveillance audits and a full recertification audit at the end of the cycle. Total cost and duration depend on the size of the scope — expect roughly 6 to 18 months between project kick-off and the first certificate.
For an individual to become certified, the standard route is: attend official training (Foundation, Lead Implementer or Lead Auditor depending on the level); sit the PECB exam; assemble a professional-experience file; and pay the application and annual maintenance fees.
The two processes reinforce each other. Having a certified Lead Implementer in-house significantly accelerates organisational certification, while an organisational certificate makes it easier to put already-certified individual competencies to work.
Organisations often ask 'how much' before 'what scope'. Reverse the order: a tightly defined, defensible scope is the single biggest lever on both cost and timeline. Certifying the whole company at once rarely pays off; certifying the ISMS that protects your most critical services usually does.
This ISO/IEC 27001 Lead Auditor training prepares experienced professionals to conduct and lead ISMS audits that stand up to regulatory, contractual, and certification scrutiny. The course focuses on audit execution, evidence evaluation, and decision-making under real-world constraints.
View courseThis ISO/IEC 27001 Foundation training provides a structured entry point into Information Security Management Systems for professionals who need to understand how ISO 27001 works in practice.
View courseThis ISO/IEC 27002 Lead Manager training is designed for professionals responsible for selecting, implementing, and managing information security controls within an ISO/IEC 27001 context.
View courseThe ISO/IEC 27001 Lead Implementer certification qualifies professionals to design, implement, operate, and improve an Information Security Management System (ISMS) based on ISO/IEC 27001:2022. It validates practical capability to lead ISMS projects and prepare organizations for certification audits.
Yes. In 2026, ISO/IEC 27001 Lead Implementer certification is valuable for professionals responsible for security, compliance, or risk, as ISO 27001 remains a baseline requirement for regulated and B2B organizations.
ISO 27001 Lead Implementer focuses on building and operating an ISMS, while ISO 27001 Lead Auditor focuses on assessing and auditing an ISMS. Implementers design and run the system; auditors independently evaluate conformity and effectiveness.
There are no formal prerequisites for ISO/IEC 27001 Lead Implementer certification, but prior experience with information security, risk management, or ISO management systems is strongly recommended.
ISO 27001 Lead Implementer vs Lead Auditor: what each qualifies you to do and how to choose the right certification in 2026.
ISO 27001 gives you a head start on ISO 42001, not a free pass. Here is what carries over, what is new, and how to extend your ISMS to an AIMS, step by step.
Browse all FAQs →
Full knowledge base
Necessary cookies are always active. You can accept, reject non-essential cookies, or customize your preferences.