How to Get ISO/IEC 27001:2022 Certified: A Complete Step-by-Step Guide

A practitioner-led guide to the full ISO/IEC 27001:2022 certification process, from scope definition and risk assessment through to Stage 2 audit and ongoing surveillance. Covers the 93 Annex A controls, Statement of Applicability, realistic timeline.


Direct Answer

Getting ISO/IEC 27001:2022 certified requires twelve structured steps: from scope definition and gap analysis through to a two-stage external audit. The typical timeline for organisations starting from scratch is six to eighteen months, depending on size and existing controls. The certification body awards the certificate after Stage 2 audit. It remains valid for three years, subject to annual surveillance audits. ISO/IEC 27001:2022, published by the International Organization for Standardization, is the internationally recognised standard for Information Security Management Systems (ISMS). Certification is optional but commercially significant — procurement teams, regulated industries, and enterprise clients increasingly require it as a baseline supplier qualification.

Key Takeaways

Twelve-Step Process

Scope → gap analysis → risk assessment → controls → internal audit → Stage 1 → Stage 2 → certificate. Each step gates the next.

93 Annex A Controls

The 2022 revision restructured controls into four themes. Not all 93 are mandatory — but every exclusion must be justified in the Statement of Applicability.

Risk-Driven, Not Checklist-Driven

The standard requires a risk assessment methodology that produces results you can act on. Control selection follows risk — not the other way around.

Three-Year Certificate Cycle

Initial certificate is valid for three years. Annual surveillance audits in years one and two confirm ongoing conformity before full recertification in year three.

Scope Mistakes Are Expensive

Scoping too wide wastes implementation budget. Scoping too narrow creates credibility gaps with enterprise buyers. Get it right before anything else.

Internal Capability Reduces Cost

Training your own Lead Implementer and Lead Auditor reduces dependence on external consultants for every audit cycle — and builds institutional knowledge.

What ISO/IEC 27001:2022 Certification Actually Means

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. Published jointly by the International Organization for Standardization and the International Electrotechnical Commission, it specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS — and it defines what an organisation must demonstrate to receive certification.

Certification means an independent, accredited body has audited your ISMS against the standard and found it conformant. The certificate is not issued by ISO itself — it is issued by an accredited certification body operating under national or international accreditation schemes. This distinction matters because it affects which bodies buyers and regulators will accept.

The 2022 revision introduced material changes to Annex A — restructuring 114 controls (from the 2013 version) into 93 controls across four themes, and adding 11 new controls that address cloud security, threat intelligence, data masking, and physical security monitoring. If your organisation certified against the 2013 version, you would have needed to transition to ISO/IEC 27001:2022 by October 2025 to maintain a valid certificate.

Standard Reference

ISO/IEC 27001:2022 replaced ISO/IEC 27001:2013. The transition deadline was October 31, 2025. All new certifications and recertifications after that date must be against the 2022 version. Certificates referencing the 2013 version are no longer valid.

The core structure follows the harmonized structure (Annex SL) shared by ISO management system standards — Clauses 4 through 10 define the mandatory requirements, while Annex A provides a reference set of controls that organisations select based on their risk treatment decisions.

ISO 27001 Lead Implementer Training

Build Internal ISO 27001 Implementation Capability

The PECB ISO/IEC 27001 Lead Implementer course teaches you how to plan, implement, manage, and improve an ISMS. Delivered 100% online. Globally recognised certification.

Who Should Pursue Certification — and When

Certification is not mandatory under the standard itself — but commercial, contractual, and regulatory environments increasingly make it de facto mandatory for organisations in certain sectors. The question organisations ask is usually not whether to certify, but when.

The clearest triggers are contractual: a government procurement clause requiring supplier certification, a financial services client mandating it as a third-party risk condition, or a tender that scores down uncertified suppliers. In these situations, the timeline is driven by the contract deadline, not by ISMS maturity.

Organisations in regulated sectors — healthcare, financial services, critical national infrastructure, defence supply chains — also face regulatory incentives. While ISO 27001 certification rarely satisfies a legal requirement directly, it provides documented evidence of security controls that regulators use to assess compliance under frameworks like NIS2, DORA, or PDPA.

Practitioner Note

In my experience working with organisations across the Middle East, the most common trigger for certification isn't internal drive — it's a client RFP that scores certification as mandatory or scores it heavily. Starting the process when a tender is already in flight is too late. Build the ISMS when the pipeline pressure is manageable, not when a deal depends on it.

SMEs without immediate contractual pressure should pursue certification once they have identified three or more material information risks they cannot effectively manage without structure. At that point, the ISMS provides governance value independent of the certificate — and certification becomes the formal recognition of work already done.

The Twelve-Step Certification Process

Each step below is part of a structured sequence — not a parallel checklist. Skipping or rushing early steps creates compounding problems at the audit stage. Here is what the process looks like from initiation to ongoing certification.

Step 1: Understand the Standard Requirements

Before scoping, your implementation lead needs to read ISO/IEC 27001:2022 — Clauses 4 through 10 for mandatory requirements, and ISO/IEC 27002:2022 for implementation guidance on Annex A controls. This is not optional reading. Lead Implementer training (PECB or equivalent) accelerates this step by providing structured curriculum, worked examples, and exam-backed comprehension.

Key areas to grasp before anything else: the Plan-Do-Check-Act logic that Clauses 4 through 10 follow (plan in Clauses 4–6, do in 7–8, check in 9, act in 10), what "documented information" means in normative terms, and the difference between requirement text (the "shall" statements in the clauses) and guidance (ISO/IEC 27002:2022 and the notes in the standard itself).

Step 2: Define the ISMS Scope

Scope definition is one of the highest-risk decisions in the process. The scope document must specify the organisational units, locations, functions, and assets included — and must consider the interfaces and dependencies that exist between the in-scope environment and anything outside it.

Auditor Lens

Auditors look for scope gaming — where an organisation has defined the boundary to exclude the highest-risk environments. A scope that covers "the Dubai head office only" for an organisation with significant processing in another jurisdiction will trigger questions. The scope must be defensible in terms of what your information security risks actually are.

Step 3: Conduct the Gap Analysis

The gap analysis compares your current state against each clause requirement and each applicable Annex A control. The output is a prioritised list of what you have, what you're missing, and what needs improvement before you can pass an audit.

Read our Ultimate Field Guide to ISO/IEC 27001:2022 Gap Analysis for the full methodology. A well-executed gap analysis takes one to three weeks depending on scope size, and typically reveals the implementation roadmap you'll work from for the next several months.

Step 4: Establish the Risk Assessment Methodology

Clause 6.1.2 requires a defined and repeatable risk assessment process. You need to document how you identify risks, who owns them, how you score likelihood and impact, and what your risk acceptance criteria are. The methodology must be applied consistently — auditors will look for evidence that the same approach was used across the risk register.

The risk assessment then identifies information security risks to assets within scope, analyses them, and produces a risk register with owner assignments and proposed treatments for each risk above your acceptance threshold.

Step 5: Produce the Risk Treatment Plan and Statement of Applicability

The Risk Treatment Plan documents how each risk above your threshold will be treated — mitigated, transferred, avoided, or accepted — and links each treatment decision to specific controls. The Statement of Applicability (SoA) then maps every Annex A control: whether it applies, whether it is implemented, and for any excluded control, the justification for exclusion.

The SoA is the document auditors spend the most time on. It is the bridge between your risk decisions and your control implementation. We cover this in depth in the Statement of Applicability section below.

Step 6: Implement ISMS Policies and Controls

This is where most of the project time is spent. You implement the policies, procedures, and technical controls identified in your Risk Treatment Plan. The standard requires documented information for specific elements — your information security policy, your ISMS scope, risk assessment results, the SoA, and records of management review, among others.

Mandatory documented information under ISO/IEC 27001:2022 includes: scope (Clause 4.3), information security policy (Clause 5.2), the risk assessment process itself (Clause 6.1.2), Statement of Applicability (Clause 6.1.3), information security objectives (Clause 6.2), evidence of competence (Clause 7.2), risk assessment results (Clause 8.2), risk treatment results (Clause 8.3), evidence of monitoring and measurement (Clause 9.1), internal audit programme and results (Clause 9.2), management review results (Clause 9.3), and nonconformities with their corrective actions (Clause 10.2). See our mandatory documents guide for the complete list with template guidance.

Step 7: Build the Security Awareness Programme

Clause 7.3 requires that personnel are aware of the information security policy, their contribution to ISMS effectiveness, and the consequences of not conforming to ISMS requirements. This is not a one-time induction slide — auditors want to see evidence of an ongoing programme, with records of who was trained, when, and on what.

Effective awareness programmes tie training to actual incident patterns in your organisation. If your gap analysis identified phishing as a top threat, your awareness programme should include simulated phishing exercises and records of completion. Generic annual compliance training rarely satisfies this clause under scrutiny.

Step 8: Internal Audit

Clause 9.2 requires internal audits at planned intervals. The audit must check that the ISMS conforms to the organisation's own requirements and to ISO/IEC 27001, and that it is effectively implemented and maintained. Internal auditors must be objective and impartial — they cannot audit their own work.

Auditor Lens

In external audits, the internal audit records are among the first documents reviewed. Auditors look for evidence that findings were raised, tracked, and closed — not that everything was marked "conformant." An internal audit that finds no nonconformities in a first-year implementation is usually a red flag, not a good result.

Step 9: Management Review

Clause 9.3 requires top management to review the ISMS at planned intervals. The review must consider: changes in external and internal issues, feedback from interested parties, audit results, security performance metrics, nonconformity status, risk assessment results, and opportunities for improvement. The output is documented decisions and actions. Management reviews that are purely informational — with no decisions recorded — will be raised as a nonconformity.

Step 10: Stage 1 Audit — Documentation Review

The Stage 1 audit is conducted by the certification body's auditor. It is primarily a desktop review of your ISMS documentation — scope, policies, risk assessment methodology, SoA, internal audit records, and management review minutes. The auditor is confirming that the ISMS is sufficiently developed and documented to proceed to Stage 2.

The Stage 1 output is a report with findings and readiness confirmation for Stage 2. Minor issues raised at Stage 1 can typically be addressed before Stage 2 begins. Major issues will delay the process.

Step 11: Stage 2 Audit — Implementation Review

Stage 2 is the conformity assessment. Auditors verify that controls are not only documented but actually implemented and operating. This involves interviews with staff, observation of processes, review of records, and sampling of evidence across the in-scope environment.

If the audit produces no major nonconformities, the audit team recommends certification and the certification body's decision-maker issues the certificate. Major nonconformities require corrective action and verification before the certificate is issued. Minor nonconformities normally require an accepted corrective action plan before issue, with implementation verified at the next surveillance audit.

Step 12: Surveillance Audits and Recertification

The certificate is valid for three years. Surveillance audits in years one and two confirm ongoing conformity — they are typically shorter than the initial Stage 2 audit and focus on specific clauses, open nonconformities, and evidence of continual improvement. Year three brings full recertification, which revisits the entire ISMS. Organisations that treat the ISMS as a live system rather than a project will find surveillance audits straightforward. Organisations that implemented controls to pass Stage 2 and then stopped tend to accumulate findings at year-one surveillance.

Understanding the 93 Annex A Controls (2022 Structure)

The 2022 revision restructured Annex A from 14 clauses and 114 controls to four themes and 93 controls. The reorganisation reflects how security risk actually presents in modern organisations — it removed artificial distinctions between operational and technical domains and brought related controls together.

Theme 1 — Organisational Controls (37 controls, A.5)

Covers governance, policy, roles, responsibilities, and management of information security at the organisational level. This includes information security policies, roles and responsibilities, segregation of duties, management of privileged access rights, threat intelligence, information security in project management, and supplier relationships.

The 11 new controls in ISO/IEC 27001:2022 are spread across the themes. Under Organisational Controls, the notable additions include A.5.7 (threat intelligence), A.5.23 (information security for cloud services), and A.5.30 (ICT readiness for business continuity).

Theme 2 — People Controls (8 controls, A.6)

Covers security screening, terms and conditions of employment, information security awareness, training and education, disciplinary processes, responsibilities after termination or change of role, confidentiality and non-disclosure agreements, and remote working. None of the 11 new controls sits in this theme, but A.6.8 (information security event reporting), which consolidates the 2013 reporting controls, makes explicit that all personnel — not just security teams — must report potential security events through defined channels.

Theme 3 — Physical Controls (14 controls, A.7)

Covers physical security perimeters, entry controls, securing offices and facilities, physical security monitoring, protection against physical and environmental threats, working in secure areas, clear desk and clear screen policy, equipment siting, supporting utilities, cabling security, equipment maintenance, secure disposal, and unattended equipment. A.7.4 (physical security monitoring) is new in 2022, reflecting the growing importance of CCTV and access log systems as security controls.

Theme 4 — Technological Controls (34 controls, A.8)

The largest theme. Covers user endpoint devices, privileged access rights, information access restriction, authentication, protection of log information, monitoring activities, network security, web filtering, cryptography, secure development lifecycle, security testing, vulnerability management, configuration management, data leakage prevention, data masking, and web application security.

New additions in 2022 include A.8.9 (configuration management), A.8.10 (information deletion), A.8.11 (data masking), A.8.12 (data leakage prevention), A.8.16 (monitoring activities), A.8.23 (web filtering), and A.8.28 (secure coding). These additions address gaps that the 2013 version had become increasingly inadequate to cover.

ISO 27001 Lead Auditor Training

Audit Your Own ISMS Before the Certification Body Does

The PECB ISO/IEC 27001 Lead Auditor course gives your internal team the skills to plan, conduct, and report audits that mirror what external auditors will do. Reduce surprises at Stage 2.

The Statement of Applicability: What Auditors Actually Check

The Statement of Applicability (SoA) is not just an administrative document — it is the mechanism through which an organisation demonstrates that its control selection is grounded in its risk assessment, not in convenience or template-copying. Clause 6.1.3 of ISO/IEC 27001:2022 requires the SoA to include each Annex A control, whether it is applicable, whether it is implemented, and the justification for inclusion or exclusion.

A well-constructed SoA includes a link between each included control and the risk treatment decision that drove the selection. This creates a traceable chain: asset → identified risk → treatment decision → control. Auditors follow this chain. If the SoA says A.8.12 (data leakage prevention) applies, they will ask to see the risk that made it applicable and the evidence that it is implemented.

Critical Gap

The most common SoA failure I see is organisations that select all 93 controls as applicable to avoid having to justify exclusions — and then cannot demonstrate implementation of controls they've claimed to have. This is worse than a well-justified exclusion. Select controls that genuinely apply to your risk environment; exclude controls with documented rationale; and ensure everything marked "implemented" can be evidenced.

The SoA must also reference any additional controls beyond Annex A that the organisation has implemented. If your risk assessment identified threats not adequately covered by the 93 controls — for example, AI-related data integrity risks if you're an AI-dependent organisation — those additional controls belong in the SoA alongside the Annex A controls, with their own justification.
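The traceability chain described in Step 4, Step 5 and this section (risk register → treatment decision → SoA line → evidence) is easy to state and easy to lose in a spreadsheet. The script below is an added example, not code from the article or from any ISO/IEC document: it applies a constructed 1–5 likelihood × impact methodology with an assumed acceptance threshold, derives SoA entries from a small constructed register over a six-control subset of Annex A, and then runs the checks an auditor applies to each SoA line. The second, "tick everything" SoA reproduces the failure mode from the Critical Gap note above. All control titles, risks, evidence references and thresholds are illustrative.

```python
"""Risk register -> risk treatment -> Statement of Applicability trace.

Added example, not from the article or any ISO/IEC document. The scale,
threshold, Annex A subset, risks and evidence are constructed for illustration;
the real methodology is whatever the organisation documents under Clause 6.1.2.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)        # constructed likelihood/impact scale (1-5)
ACCEPTANCE_THRESHOLD = 8   # constructed: scores above this need treatment
TREATMENTS = {"modify", "share", "avoid", "retain"}

# Constructed subset of Annex A (titles paraphrased); a real SoA lists all 93.
ANNEX_A = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.6.8": "Information security event reporting",
    "A.8.5": "Secure authentication",
    "A.8.12": "Data leakage prevention",
    "A.8.28": "Secure coding",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    owner: str
    likelihood: int
    impact: int
    treatment: str                                      # modify | share | avoid | retain
    controls: list[str] = field(default_factory=list)   # Annex A IDs that treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    implemented: bool
    justification: str
    linked_risks: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)


def validate_register(risks: list[Risk]) -> list[str]:
    """Checks that the documented methodology was applied consistently."""
    findings = []
    for r in risks:
        if r.likelihood not in SCALE or r.impact not in SCALE:
            findings.append(f"{r.risk_id}: score outside the documented 1-5 scale")
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment option '{r.treatment}'")
        if r.score > ACCEPTANCE_THRESHOLD and r.treatment == "modify" and not r.controls:
            findings.append(f"{r.risk_id}: above threshold, treated by 'modify', no control linked")
        findings += [f"{r.risk_id}: unknown control {c}" for c in r.controls if c not in ANNEX_A]
    return findings


def build_soa(risks, evidence, exclusions) -> dict[str, SoAEntry]:
    """A control is applicable only when a risk above threshold links to it.
    `evidence` maps control ID -> evidence references; `exclusions` maps
    control ID -> justification for leaving the control out."""
    soa = {}
    for cid in ANNEX_A:
        linked = [r.risk_id for r in risks if cid in r.controls and r.score > ACCEPTANCE_THRESHOLD]
        if linked:
            refs = list(evidence.get(cid, []))
            soa[cid] = SoAEntry(cid, True, bool(refs), f"Treats {', '.join(linked)}", linked, refs)
        else:
            soa[cid] = SoAEntry(cid, False, False, exclusions.get(cid, ""))
    return soa


def audit_soa(soa: dict[str, SoAEntry]) -> list[str]:
    """The questions an auditor asks of each SoA line."""
    findings = []
    for e in soa.values():
        if e.applicable:
            if not e.linked_risks:
                findings.append(f"{e.control_id}: applicable, but no register risk drove its selection")
            if e.implemented and not e.evidence:
                findings.append(f"{e.control_id}: marked implemented with no evidence reference")
            if not e.implemented:
                findings.append(f"{e.control_id}: applicable but not implemented; needs a dated treatment-plan action")
        elif not e.justification:
            findings.append(f"{e.control_id}: excluded without justification")
    return findings


# Constructed register, evidence and exclusions for a small SaaS-heavy organisation.
RISKS = [
    Risk("R-01", "Customer CRM (SaaS)", "Head of IT", 4, 4, "modify", ["A.8.5", "A.5.23"]),
    Risk("R-02", "Payroll export", "HR Director", 3, 4, "modify", ["A.8.12"]),
    Risk("R-03", "Guest Wi-Fi", "Head of IT", 2, 2, "retain"),
]
EVIDENCE = {"A.8.5": ["MFA enforcement report, 2025-Q3"], "A.5.23": ["Cloud supplier register"]}
EXCLUSIONS = {"A.8.28": "No in-house software development within the ISMS scope"}


def blanket_soa() -> dict[str, SoAEntry]:
    """The 'tick everything' SoA: every control applicable and implemented, no trace."""
    return {cid: SoAEntry(cid, True, True, "Industry best practice") for cid in ANNEX_A}
```

Run against the constructed register, `audit_soa(build_soa(RISKS, EVIDENCE, EXCLUSIONS))` raises three findings: A.5.7 and A.6.8 are left out with no justification, and A.8.12 is applicable (it treats R-02) but has no evidence behind it. The blanket SoA raises two findings per control, which is the point of the Critical Gap note: claiming everything creates more audit exposure than a justified exclusion.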

Choosing and Working with a Certification Body

Certification bodies must be accredited by a national accreditation body that is a member of the International Accreditation Forum (IAF). In practice, this means your certification body should carry accreditation from bodies such as UKAS (UK), DAkkS (Germany), ANAB (USA), JAS-ANZ (Australia/New Zealand), or ENAS (UAE). Accreditation from an IAF member body ensures the certificate is internationally recognised; check the accreditation mark on the certificate itself, because a body's name alone does not tell you which accreditation a given certificate was issued under.

The selection decision beyond accreditation comes down to sector experience, geographic presence, and commercial terms. Well-known accredited bodies include BSI Group, Bureau Veritas, DNV, LRQA, SGS, and TÜV SÜD — but the right choice depends on where your customers and regulators are, and which bodies carry credibility in your specific market.

Practitioner Note

For organisations in the Middle East serving European or government clients, UKAS-accredited bodies carry significant weight. For organisations serving UAE government procurement, certification from a body accredited by the UAE national accreditation scheme (ENAS) is typically required. Get clarity on what your target customers will accept before you engage a certification body — switching bodies partway through is costly and time-consuming.

Engage with two or three shortlisted bodies before committing. Ask about their experience in your sector, the composition of the audit team, how they handle Stage 1 to Stage 2 scheduling, and what their nonconformity correction process looks like. The audit relationship runs for three years minimum — it should be built on transparency, not just commercial terms.

Realistic Timeline and Cost Ranges

The six-to-eighteen-month range that gets cited most often reflects real variation driven by scope size, baseline maturity, internal resource availability, and leadership priority. Smaller organisations with limited complexity and dedicated internal resource commonly certify in six to nine months. Larger organisations with wide scope and distributed environments typically run twelve to eighteen months.

Phase                             | Typical duration | Key output
Scope & gap analysis              | 2–6 weeks        | Gap report + scope document
Risk assessment & SoA             | 3–8 weeks        | Risk register + SoA
Control implementation            | 8–24 weeks       | Documented policies, procedures, evidence
Internal audit + management review | 2–4 weeks       | Audit report + review minutes
Stage 1 audit                     | 1–3 days         | Stage 1 findings report
Stage 2 audit + certificate       | 2–5 audit days   | ISO/IEC 27001:2022 certificate

Cost ranges vary significantly by geography, scope size, and the extent to which organisations use external consultants versus internal resource. For organisations in the UAE and wider Middle East, typical ranges run from AED 80,000 to AED 300,000+ for a complete first-certification project, including consultancy, training, tooling, and certification body fees. Organisations that train internal staff as Lead Implementers and Lead Auditors consistently reduce this range by reducing external consultancy dependency across the initial project and subsequent surveillance cycles.

Certification body audit fees scale with scope — number of sites, employee headcount, and technology complexity. Get quotes from two to three bodies using the same scope description to enable like-for-like comparison.

How Lead Implementer and Lead Auditor Training Fits In

The PECB ISO/IEC 27001 Lead Implementer and Lead Auditor certifications are professional qualifications — they certify an individual's capability to implement or audit an ISMS to the standard's requirements. They are not the same as organisational certification, but they are closely related in practice.

An individual holding the Lead Implementer certification has demonstrated understanding of how to interpret ISO/IEC 27001:2022 requirements, how to plan and manage an ISMS implementation project, how to conduct gap analysis, how to structure the risk assessment methodology, and how to prepare documentation that will withstand audit scrutiny. That is precisely the skill set needed to lead an organisational certification project.

An individual holding the Lead Auditor certification has demonstrated understanding of audit principles, audit planning and execution, nonconformity identification, and audit reporting. That is the skill set needed to run meaningful internal audits — the kind that genuinely prepare an organisation for Stage 2, rather than confirming that everything looks fine.

Standard Reference

PECB offers both the ISO/IEC 27001 Lead Implementer and Lead Auditor courses in self-study and eLearning formats, and as live online training with an instructor. reconn delivers the live format as a PECB Authorized Training Partner. The self-study format costs $799; the eLearning format $899. Exam registration is included.

The bundle option — covering both Lead Implementer and Lead Auditor — is the most efficient path for organisations building complete internal capability. One person credentialed in both roles provides coverage across the full certification cycle: implementation, internal audit, and ongoing surveillance readiness. See the LI + LA bundle offer on reconn.io for current pricing and format options.

ISO 27001 Implementation Services

Need Support Getting Your Organisation Certified?

reconn provides end-to-end ISO/IEC 27001:2022 implementation services — from gap analysis and risk assessment through to Stage 2 audit readiness. Delivered fully remotely by practitioners with 20+ years of real-world information security leadership experience. We've supported organisations across the UAE, Saudi Arabia, and wider MEA region.

Conclusion

ISO/IEC 27001:2022 certification is a structured process with a defined sequence — and the organisations that get through it cleanly are the ones that invest in understanding each step before executing it. Scope problems compound. Risk assessments that skip the methodology step produce SoAs that don't hold up. Internal audits that aren't rigorous produce Stage 2 surprises.

The practical accelerant is internal capability. Building Lead Implementer and Lead Auditor competence inside your organisation reduces consultancy dependency, improves audit readiness, and means your ISMS stays live between audits rather than going dormant between surveillance visits.

If you're scoping your implementation project or preparing for your next surveillance audit, the resources linked throughout this guide will give you the methodology depth you need. For direct support, reach the reconn team at hello@reconn.io or via WhatsApp at +971-585-726-270.

Frequently Asked Questions

How long does ISO/IEC 27001:2022 certification take?
For most organisations, the initial certification project runs six to eighteen months from project initiation to certificate award. The range reflects scope complexity, baseline maturity, and internal resource availability. Smaller organisations with focused scope and a dedicated Lead Implementer commonly certify within six to nine months. Larger organisations with distributed environments and significant control gaps typically run twelve to eighteen months.
Does ISO/IEC 27001:2022 certification expire?
Yes. The certificate is valid for three years from the date of award. Annual surveillance audits in years one and two confirm ongoing conformity. A full recertification audit takes place in year three. If an organisation fails to maintain its ISMS or misses a surveillance audit without a valid reason, the certification body can suspend or withdraw the certificate before the three-year cycle completes.
Are all 93 Annex A controls mandatory for certification?
No. Clause requirements (Clauses 4–10) are all mandatory. Annex A controls are selected based on your risk treatment decisions. An organisation can exclude Annex A controls — but every exclusion must be documented in the Statement of Applicability with a justification. Auditors will examine every exclusion. The test is whether the exclusion is defensible given the organisation's identified risks.
What is the difference between Stage 1 and Stage 2 audits?
Stage 1 is primarily a documentation review. The certification body auditor confirms that the ISMS is sufficiently documented and developed to proceed to the implementation audit. Stage 2 is the conformity assessment — auditors verify that controls are not just documented but actually implemented and operating. Stage 2 involves interviewing staff, observing processes, and sampling evidence. Both stages are conducted by the same accredited certification body.
Can a small business get ISO/IEC 27001:2022 certified?
Yes. ISO/IEC 27001:2022 is scalable. The standard is proportional to the organisation's risk environment and complexity — a ten-person technology company and a five-thousand-person bank both certify against the same standard, but the scope, number of controls, and documented information required will differ substantially. Smaller organisations often certify faster and at lower cost than larger ones, because scope is naturally narrower and decision-making is faster.
What is the Statement of Applicability and why does it matter?
The Statement of Applicability (SoA) is a required document under Clause 6.1.3 that lists all 93 Annex A controls, indicates whether each applies to the organisation, whether it is implemented, and provides justification for inclusions and exclusions. Auditors use the SoA as a map for the Stage 2 audit — every control marked as applicable and implemented becomes a potential audit sampling point. The SoA links your risk decisions to your control choices, making it the most scrutinised document in the certification process.
What changed in ISO/IEC 27001:2022 compared to the 2013 version?
The clause requirements (Clauses 4–10) received relatively minor updates. The major change was in Annex A: controls were restructured from 14 clauses and 114 controls to 4 themes and 93 controls. Eleven new controls were introduced, addressing areas including threat intelligence (A.5.7), cloud service security (A.5.23), data masking (A.8.11), data leakage prevention (A.8.12), physical security monitoring (A.7.4), and secure coding (A.8.28). Organisations that certified against the 2013 version needed to transition by October 31, 2025.

About the Author

Shenoy Sandeep

Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE, helping startups and enterprises scale across the Middle East and Africa region. With 20+ years across offensive security, threat intelligence, and enterprise risk, and over 10 years in Enterprise AI, AI governance, and Business Continuity, he brings a practical, execution-driven approach to AI governance and information security.

He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, specialising in ISO/IEC 27001, ISO/IEC 42001, ISO 22301, and ISO 9001.

20+ years cybersecurity | 10+ years Enterprise AI | PECB Certified Trainer