The first step in obtaining ISO 27001 certification is an audit of your existing information security management system (ISMS), resulting in an audit report.

The audit process documents how compliant your business already is with ISO 27001, or if not, what corrective steps should be taken to remediate any nonconformities that the audit found. Essentially, the audit is the first step to assure that your company has a cybersecurity program that is strong, effective, and appropriate for your organization’s risks.

The first step of the audit is an ISO 27001 internal audit. Internal auditors identify any weaknesses in the organization and suggest new controls or other remediation steps to rectify the problem. Management can then implement those reforms to bring its ISMS into compliance with ISO 27001.

Next comes the external audit. As the name implies, this step involves hiring an external auditor firm — one certified to perform ISO 27001 audits — to confirm whether an organization’s ISMS complies with the standards and requirements of ISO 27001 (specifically the most recent version, adopted in 2013). 

There are several types of external audits, but the most common is the certification audit, otherwise known as the stage 2 audit. The certification audit is primarily a management review. It ensures that the organization’s risk management and risk assessment don’t just look good on paper, but actually work in daily practice. This type of audit only happens once, and if it is successful, certification is given.