ISO 27001: from gap analysis to certification audit, the realistic journey

ISO 27001 has become the lingua franca of digital trust. Indeed, tenders require it, cyber insurers request it, due diligence scrutinizes it. But between the decision to certify and the certificate lies a journey many underestimate. Here is that ISO 27001 journey, without embellishment.

Step 1: the gap analysis

Everything starts with an honest snapshot. Where do you stand against the standard’s requirements, that is, the management system? And against the controls of its Annex A? The 2022 version lists 93 controls, grouped into four themes: organizational, people, physical, technological. Indeed, the useful deliverable is not a score. It is a prioritized, costed action plan that separates what actually protects from what merely documents.

Step 2: building the ISMS

The Information Security Management System (ISMS) is the certifiable core. It covers scope, risk analysis, statement of applicability and policies. Above all, it carries a living governance: management reviews, indicators, internal audits. This is where the difference plays out between a useful system and paper compliance. Indeed, an ISMS built for the auditor rather than for real risks shows at the audit, and above all at the first incident.

Step 3: deploying the controls

This is the longest phase. It implements the selected controls, raises team awareness and addresses supplier risks. It also covers logging and access management. Finally, a mock audit at the end of the phase gets you to certification without unnecessary suspense.

Step 4: the certification audit, then real life

The audit happens in two stages: a documentation review (stage 1), then an implementation audit (stage 2). Non-conformities raised call for a corrective action plan, tracked to closure. The certificate stays valid for three years, with a surveillance audit every year. Thus, certification is not a finish line, it is a cruising regime. In fact, that is often where organizations need the most help: managing corrective action plans between two audits.

How long, how much energy?

It takes from 6 to 18 months, depending on the starting maturity and the certified scope. The two classic pitfalls are symmetrical. On one side, the project that stalls for lack of management. On the other, the express paper certification that collapses at the first surveillance audit. In both cases, the remedy is the same: a milestone-driven journey, an owner, board-level reporting.

ISO 27001: the takeaway

ISO 27001 is won like a program: an honest baseline, a realistic trajectory, managed execution. Moreover, the same foundation then serves NIS2, DORA and your customers’ trust.

A certification project, or non-conformities to address? See the Cybersecurity GRC practice or let’s talk about your situation.
Share this article
Link copied