---
title: "ISO/IEC 27001 Certification Stage Workflow"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27001/certification-stage-workflow"
source_url: "https://www.sorena.io/artifacts/global/iso-27001/certification-stage-workflow"
author: "Sorena AI"
description: "A practical ISO/IEC 27001 certification workflow for scope readiness, Stage 1 document review, Stage 2 evidence, nonconformities, corrective action, certification decision, surveillance, and recertification."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO/IEC 27001 certification workflow"
  - "ISO 27001 Stage 1 audit"
  - "ISO 27001 Stage 2 audit"
  - "ISMS certification evidence"
  - "surveillance audit"
  - "ISO/IEC 27001"
  - "ISMS certification"
  - "Stage 1 audit"
  - "Stage 2 audit"
  - "global compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform


# ISO/IEC 27001 Certification Stage Workflow

A practical ISO/IEC 27001 certification workflow for scope readiness, Stage 1 document review, Stage 2 evidence, nonconformities, corrective action, certification decision, surveillance, and recertification.

Move from certification intent to audit-ready evidence by separating scope readiness, Stage 1 document review, Stage 2 implementation testing, finding closure, certification decision, and surveillance.

Use this as an ISMS certification operating checklist. It is not a substitute for your certification body's audit plan, contract, or accreditation rules.

ISO/IEC 27001 certification is easier to manage when each stage has a clear gate. Before inviting auditors, confirm that the ISMS scope is documented, risks are assessed, treatment decisions and the Statement of Applicability are current, internal audits and management review have happened, and control evidence reflects the live environment.

## Readiness gate before engaging the certification body

Start by deciding whether the ISMS is mature enough for an external certification audit. ISO/IEC 27001 expects the organization to define the ISMS scope, run information security risk assessment and treatment, maintain documented information, conduct internal audits, complete management review, and address nonconformities through corrective action.

The readiness gate should also confirm that the certification body is appropriate for the scope. ISO/IEC 27006-1 is aimed at bodies that audit and certify ISMSs, and accreditation resources help buyers check whether a certificate or certifier can be trusted.

- Freeze the draft certification scope: legal entity, sites, cloud environments, products, services, outsourced processes, and exclusions.
- Check that risk criteria, risk register, risk treatment plan, Statement of Applicability, control owners, internal-audit results, management-review outputs, and corrective-action records are current.
- Select an accredited certification body and record the accreditation body, scheme, scope, audit team competence questions, and certificate-verification method.
- Do not book Stage 1 as a discovery workshop; treat it as an external review of a management system that already exists.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Primary ISO listing for the ISMS requirements standard used as the certification target.
- [ISO/IEC 27006-1:2024 standard page](https://www.iso.org/standard/82908.html?ref=sorena.io) - ISO page for requirements that apply to bodies auditing and certifying ISMSs.
- [IAF CertSearch](https://iaf.nu/en/certsearch/?ref=sorena.io) - IAF resource for checking and monitoring accredited certifications.

## Stage 1: prove the ISMS is defined and ready for Stage 2

Stage 1 should answer whether the ISMS design, scope, and documented information are ready for a full implementation audit. The team should prepare a controlled evidence pack, not a folder of disconnected policies.

The useful output is a Stage 1 action list: missing documents, unclear scope boundaries, incomplete risk treatment, weak Statement of Applicability justifications, absent internal audit coverage, or management-review gaps that must be closed before Stage 2.

- Provide the ISMS scope statement, context and interested-party analysis, policy, objectives, risk methodology, risk assessment, treatment plan, and Statement of Applicability.
- Show that internal audits covered the relevant ISMS processes and that management review considered audit results, risk changes, nonconformities, corrective actions, performance, and improvement needs.
- Record every Stage 1 concern with owner, evidence needed, closure criterion, due date, and whether it blocks Stage 2.
- Update the certification plan if the auditor finds that the scope, locations, outsourced processes, or control evidence do not match the system being certified.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - This source supports the requirement themes behind scope, risk treatment, documented information, internal audit, management review, and corrective action.
- [ISO/IEC 27005:2022 standard page](https://www.iso.org/standard/80585.html?ref=sorena.io) - This source supports risk-management planning used in certification readiness evidence.

## Stage 2: test implementation evidence, not document existence

Stage 2 should demonstrate that the ISMS is implemented and effective inside the certified scope. Auditors will expect records that show risk treatment choices and Annex A controls operating over time, with samples tied to actual systems, people, suppliers, and processes.

Prepare evidence by process and control owner. An auditor should be able to see what the control is, why it is applicable or excluded, what risk it treats, where the operating record lives, and what exception or corrective action is open.

- Map each sampled Annex A control to its Statement of Applicability justification, owner, risk or requirement, procedure, system record, and operating sample.
- Prepare implementation samples for access control, asset management, supplier services, incident management, logging, vulnerability handling, backup, continuity, secure development, and awareness where they are in scope.
- Keep interview evidence consistent with the written ISMS: owners should know the process they operate and where current records are kept.
- Separate a missing record from an ineffective control. The first may require evidence retrieval; the second usually requires root-cause analysis and corrective action.

Sources for this answer:

- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Primary ISO page for information security control guidance used alongside ISO/IEC 27001 Annex A control selection.
- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - This source supports the management-system evidence chain from risk treatment to performance evaluation and improvement.

## Findings, nonconformities, and corrective actions

When a finding is raised, classify it in a way the business can act on: document gap, implementation gap, scope mismatch, evidence sampling gap, repeated failure, or management-system weakness. ISO/IEC 27001 requires organizations to react to nonconformities, evaluate causes, take action, review effectiveness, and retain evidence of the action and result.

Do not close a nonconformity with a rewritten policy alone unless the root cause was only the policy. Most certification findings need operating evidence that the fix was implemented and that similar issues were considered elsewhere in the ISMS.

- For each finding, capture requirement, audit evidence, affected scope, severity, owner, root cause, correction, corrective action, effectiveness check, and closure evidence.
- Use management review or a delegated risk forum when a finding changes resources, risk acceptance, objectives, or certification scope.
- Keep corrective-action records linked to the original audit report so surveillance auditors can verify closure and recurrence risk.
- Do not relabel unresolved nonconformities as improvement items to protect the certification schedule.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - This source supports nonconformity, corrective action, internal audit, management review, and continual improvement expectations.
- [ISO/IEC 27006-1:2024 standard page](https://www.iso.org/standard/82908.html?ref=sorena.io) - Explains the standard used by bodies that audit and certify ISMSs.

## Certification decision, certificate checks, and surveillance

After Stage 2 and finding closure, the certification decision should be treated as a governance record. Store the audit report, nonconformity closure evidence, certificate scope, certificate number, certification body, accreditation body, issue and expiry information, and public verification route.

Certification is not the end of the workflow. Surveillance audits should verify that the ISMS still matches the certified scope, risks and controls remain maintained, corrective actions stay closed, and changes are reflected in risk treatment, the Statement of Applicability, internal audit planning, and management review.

- Verify the published certificate through the certification body or an accreditation-backed tool, especially before using it in customer assurance or procurement responses.
- Create a surveillance calendar covering internal audits, management review, risk reassessment, SoA review, supplier/control sampling, evidence refresh, and corrective-action follow-up.
- Trigger an out-of-cycle review when products, hosting, legal entities, sites, suppliers, cloud architecture, or material risks change.
- Before recertification, confirm that the full certification cycle has evidence for performance evaluation, improvement, unresolved findings, and scope changes.

Sources for this answer:

- [CertCheck UKAS](https://certcheck.ukas.com/?ref=sorena.io) - Public UKAS-backed tool for checking management-system certificates issued by UKAS-accredited bodies.
- [IAF CertSearch](https://iaf.nu/en/certsearch/?ref=sorena.io) - IAF certification database used to improve transparency and monitoring of accredited certifications.
- [ANAB ISO/IEC 27001 accreditation page](https://anab.ansi.org/accreditation/iso-iec-27001-information-security/?ref=sorena.io) - Accreditation-body source for ISO/IEC 27001 certification-body accreditation context.

## Transition and recertification considerations

Transition and recertification work should not be handled as a last-minute certificate renewal. When the ISO/IEC 27001 edition, Annex A mapping, certification scope, or audit programme changes, run a gap analysis and update risk treatment, the Statement of Applicability, control evidence, internal audit coverage, and management-review inputs.

IAF transition material for ISO/IEC 27001:2022 highlights transition arrangements for accreditation bodies and certification bodies. For certified organizations, the practical lesson is to keep edition, scope, control mapping, and audit-cycle evidence explicit rather than assuming an old certificate proves current conformity.

- Maintain a transition register for standard edition changes, Annex A changes, certification-body instructions, customer deadlines, and open evidence gaps.
- For recertification, review the whole cycle: Stage 1 and Stage 2 findings, surveillance results, internal audits, management reviews, changes in risk, and corrective-action effectiveness.
- Do not reuse the old Statement of Applicability after a control-set transition without recording the comparison, retained controls, exclusions, new controls, and implementation status.
- Flag any date, deadline, or transition claim that lacks a documented source for human review rather than relying on memory.

Sources for this answer:

- [IAF MD 26 transition requirements](https://iaf.nu/en/iaf-documents/?ref=sorena.io) - IAF document library includes mandatory transition requirements for ISO/IEC 27001:2022 used by accreditation bodies and accredited certification bodies.
- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Primary ISO listing for the ISMS requirements standard that defines the certification target.

## Primary sources

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Primary ISO listing for the ISMS requirements standard used as the certification target.
  - Quote: "Information security management systems - Requirements"
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - Primary ISO listing for information security control guidance used with Annex A control evidence.
  - Quote: "Information security controls"
- [ISO/IEC 27005:2022 standard page](https://www.iso.org/standard/80585.html?ref=sorena.io) - Primary ISO listing for information security risk-management guidance.
  - Quote: "Guidance on managing information security risks"
- [ISO/IEC 27006-1:2024 standard page](https://www.iso.org/standard/82908.html?ref=sorena.io) - ISO page for requirements that apply to bodies auditing and certifying ISMSs.
  - Quote: "Requirements for bodies providing audit and certification"
- [IAF CertSearch](https://iaf.nu/en/certsearch/?ref=sorena.io) - IAF resource for checking and monitoring accredited certifications.
  - Quote: "Certified Once, Accepted Everywhere"
- [CertCheck UKAS](https://certcheck.ukas.com/?ref=sorena.io) - UKAS-backed public certificate-checking resource for certificates issued by UKAS-accredited certification bodies.
  - Quote: "CertCheck"

(c) 2026 Sorena AB (559573-7338). All rights reserved.
