The Certification Journey: Stage 1, Stage 2, Surveillance, Recertification, and Every Nonconformity Type Explained
"Chance favors the prepared mind."
- Louis Pasteur
Introduction: What Certification Actually Is
ISO 27001 certification is a formal, third-party assertion that an organization's Information Security Management System conforms to the requirements of the standard and is effectively implemented and maintained. It is issued by an accredited certification body (CB) following a structured audit process, maintained through annual surveillance audits, and renewed through a full recertification audit every three years.
Understanding what certification is - and is not - matters enormously for how organizations approach the process.
Certification is not a security guarantee. It does not mean the organization is immune to breaches, that its controls are technically superior, or that its risk posture is better than a non-certified organization. It means that a qualified, independent auditor has assessed the ISMS against defined criteria, found it to conform, and that the management system has the structural characteristics required to drive continuous security improvement.
Certification is not a one-time achievement. It is a three-year cycle of continuous assessment - initial certification, two annual surveillance audits, and a recertification audit - that maintains the assertion of conformance as long as the ISMS continues to meet requirements.
Certification is not binary. Although the certificate itself is either issued or not, the audit process produces findings across a spectrum - major nonconformities that block certification, minor nonconformities that require corrective action within defined timelines, and observations that inform improvement.
Part 1 - Selecting a Certification Body
1.1 Accreditation: The Foundation of Certification Credibility
Certification bodies must themselves be accredited - assessed by a national accreditation body (NAB) as competent to conduct ISO 27001 audits.
The key accreditation bodies by jurisdiction:
- UKAS (United Kingdom Accreditation Service) - UK
- DAkkS (Deutsche Akkreditierungsstelle) - Germany
- COFRAC (Comité français d'accréditation) - France
- ANAB (ANSI National Accreditation Board) - United States
- JAB (Japan Accreditation Board) - Japan
- RvA (Dutch Accreditation Council) - Netherlands
- Other NABs - every country with an accreditation infrastructure has one; the International Accreditation Forum (IAF) maintains a multilateral recognition arrangement (MLA) under which accreditations granted by member bodies are mutually recognized
The IAF MLA means that a certificate issued by a CB accredited by any IAF MLA member body is recognized internationally. When selecting a CB, verify that it holds accreditation from an IAF MLA member body, and check two things in the NAB's public register (or in the IAF CertSearch database): that the accreditation is current, and that its scope covers ISO/IEC 27001 specifically - a CB accredited only for other management system standards (ISO 9001, ISO 14001) is not accredited for ISMS certification. Unaccredited certifications are not internationally recognized.
1.2 Selecting the Right Certification Body
Not all accredited certification bodies are equal in the quality of their auditors, the depth of their audits, the relevance of their sector expertise, or the credibility of their certificates.
Key selection criteria:
Sector expertise: Ask specifically about the sector experience of the auditors who would be assigned.
Geographic coverage: For multi-site organizations, the CB must provide auditors in all relevant jurisdictions without compromising audit quality.
Market recognition: In some markets - particularly regulated financial services, government contracting, and enterprise technology procurement - specific CBs are more recognized or preferred than others.
Audit approach: Different CBs have different audit philosophies - some are more documentation-focused, others more technically oriented. Ensure the approach matches the organization's ISMS maturity.
Cost and timeline: Quotes for equivalent scope can differ by 50–100% across CBs. Neither cost nor speed should be the primary criterion.
Transfer provisions: A valid accredited certificate can be transferred to another accredited CB without repeating the initial certification; under IAF MD 2 the receiving CB performs a pre-transfer review of the existing certificate, the last audit reports and any open nonconformities, and then continues the existing three-year cycle. A certificate that is suspended, expired, or issued by an unaccredited CB cannot be transferred and requires a new initial certification. Check the agreement for any contractual restrictions on transfer before signing.
1.3 The Certification Agreement
The certification agreement specifies:
- The scope of the certification
- The audit schedule and resource plan
- The fees
- The obligations of both parties
- The process for handling findings
- The conditions for certificate issue, suspension, and withdrawal
Review the suspension and withdrawal provisions carefully - the conditions under which the CB can suspend or withdraw the certificate are consequential and vary across CBs.
Part 2 - The Stage 1 Audit: Documentation Review and Readiness Assessment
2.1 What Stage 1 Is
The Stage 1 audit - sometimes called the documentation review or readiness assessment - is the first formal engagement with the certification body auditor. Its purpose is to assess whether the organization's ISMS documentation is sufficiently complete and developed to support a Stage 2 audit.
Stage 1 is not the certification audit. It produces an assessment of readiness and a Stage 1 report that confirms whether Stage 2 can proceed, and if not, what must be addressed first.
Stage 1 involves:
- Reviewing the ISMS documentation set - policies, procedures, risk assessment, SoA, objectives
- Confirming the scope statement and its appropriateness
- Reviewing the risk assessment methodology and results for adequacy
- Reviewing the SoA for completeness and justification quality
- Assessing whether the ISMS has been operating for a sufficient period to produce evidence
- Identifying any areas of significant concern that would prevent the Stage 2 audit from proceeding
2.2 Stage 1 Can Be Conducted Remotely or On-Site
Stage 1 is increasingly conducted remotely. For large or complex organizations, an on-site Stage 1 may provide more value.
2.3 What Stage 1 Commonly Finds
Incomplete mandatory documentation: The risk assessment doesn't cover the full scope. The SoA is missing justifications. The information security policy has not been formally approved. The management review has not been conducted.
ISMS not operational for sufficient duration: ISO 27001 itself does not prescribe a minimum operating period, but the accreditation rules for CBs (ISO/IEC 17021-1) require that at least one full internal audit and one management review have been completed before Stage 2, and most CBs expect roughly three months of operation so that there is genuine operational evidence to sample.
Scope statement inconsistencies: The scope statement doesn't consistently describe what is in scope across different documents.
Risk assessment methodology gaps: The risk methodology doesn't produce results specific enough to drive control selection decisions.
SoA justification quality: Controls are excluded with "N/A" or without substantive justification.
2.4 Managing the Stage 1 to Stage 2 Gap
If Stage 2 is confirmed:
- Address Stage 1 findings promptly - the Stage 1 report records them as areas of concern, they will be revisited at Stage 2, and any that remain unresolved are likely to be classified as Stage 2 nonconformities
- Use the gap period (typically 4–12 weeks) to ensure operational evidence is accumulating
- Brief key personnel on what to expect
If additional preparation is required:
- Agree a realistic timeline with the CB based on the specific gaps identified
- Do not rush to reschedule Stage 2 before the gaps are genuinely addressed
Part 3 - The Stage 2 Audit: The Certification Decision
3.1 What Stage 2 Is
The Stage 2 audit is the certification audit - the formal assessment that determines whether the organization's ISMS conforms to the requirements of ISO 27001 and whether a certificate should be issued. It assesses both the documented ISMS and its operational implementation.
3.2 What Auditors Do During Stage 2
Stage 2 auditors use three primary evidence-gathering methods:
Document review: Reviewing ISMS documentation for completeness, consistency, and quality - including mandatory documents and operational records.
Interviews: Interviewing personnel at multiple levels. Interviews test whether the ISMS has been communicated and internalized, whether personnel understand their security responsibilities, and whether documented practices match described practices.
Observation and technical review: Observing security processes in operation, reviewing system configurations, examining physical security arrangements.
3.3 The Stage 2 Audit Process
Opening meeting: Confirm audit scope, plan, and logistics.
Evidence collection: Document reviews, interviews, technical reviews, and observations.
Auditor team meeting: The audit team meets to review findings, agree on classifications, and confirm audit conclusions.
Closing meeting: Preliminary findings are presented to the ISMS owner and senior management. The organization has the opportunity to provide factual corrections and to state any disagreement with the evidence behind a finding; a disagreement that cannot be resolved in the meeting goes through the CB's documented appeals process rather than being argued on the spot.
Audit report: Within 2–4 weeks after the closing meeting, a formal audit report is issued with the CB's recommendation.
3.4 The Stage 2 Interview: What It Looks Like From the Inside
Auditors are not trying to catch personnel out. They are trying to understand whether the ISMS is real - whether the people who are supposed to implement it know what they are supposed to do and are actually doing it.
What auditors typically ask in senior management interviews:
- How do you demonstrate your commitment to information security?
- What is your understanding of the organization's most significant information security risks?
- How does the board or executive team receive information about security performance?
- What resources have been allocated to information security in the last budget cycle?
What auditors typically ask in ISMS manager interviews:
- Walk me through how a new risk is identified and added to the risk register
- How are risk treatment decisions made, and by whom?
- What was the last significant incident, and what did the post-incident review conclude?
- How do you verify that suppliers are meeting their security requirements?
- When was the last internal audit conducted, and what were the main findings?
What auditors typically ask in IT operations interviews:
- How do you know which security patches need to be applied to systems you manage?
- What process do you follow when a security alert is generated by the SIEM?
- What would you do if you discovered a security vulnerability in a system you manage?
What auditors typically ask in general staff interviews:
- What training have you received on information security?
- What is the classification scheme for organizational information?
- How would you report a suspected security incident?
3.5 The Certification Decision
Following Stage 2, the certification body makes one of three decisions:
Recommend certification: The audit found conformance with all mandatory requirements. Any minor nonconformities have been resolved or a credible corrective action plan has been accepted.
Conditional recommendation: Minor nonconformities must be resolved before the certificate is issued. The organization has a defined period - typically 30–90 days - to submit evidence of corrective action.
Not recommend certification: Major nonconformities were found. A further audit is required before certification can be recommended. This is not a failed certification - it is a deferred certification.
Part 4 - The Surveillance Audit Cycle
4.1 The Three-Year Certification Cycle
ISO 27001 certificates are valid for three years, subject to satisfactory surveillance audits in years one and two:
- Year 0: Initial certification (Stage 1 + Stage 2)
- Year 1: First surveillance audit (SA1)
- Year 2: Second surveillance audit (SA2)
- Year 3: Recertification audit (Stage 2 equivalent in scope and depth; a separate Stage 1 is only required where there have been significant changes to the organization or the ISMS)
4.2 What Surveillance Audits Focus On
Nonconformity resolution: Any nonconformities from the previous audit must be closed.
Continual improvement evidence: Has the ISMS improved since the last audit? Are identified improvement opportunities being actioned?
Changes since the last audit: Any significant changes to the organization must be assessed for their impact on the ISMS.
Management review and internal audit evidence: Have management reviews been conducted? Are internal audits being executed?
Selected control areas: Each surveillance audit covers the core management system clauses (leadership, risk assessment and treatment, internal audit, management review, corrective action) and a selection of Annex A control areas in depth; the CB's audit program is designed so that the full scope and all applicable controls are covered across the three-year cycle.
4.3 The Surveillance Audit Failure Mode
The most common pattern of surveillance audit failure is the "certification hangover" - an organization that invested intensively in ISMS preparation for the initial certification and then returned to normal operations, treating ISMS activities as a project that ended at certification.
The certification hangover manifests as:
Stale documentation: Policies not reviewed since certification. Risk register not updated. SoA not revised.
Evidence gaps: Management reviews conducted but not documented. Internal audits planned but not executed. Training conducted but records not maintained.
Nonconformity non-closure: Corrective actions from initial certification that were accepted on the basis of a plan but have not been implemented.
ISMS drift from organizational reality: The organization has changed in ways not reflected in the ISMS.
The antidote is the operational ISMS calendar described in Chapter 6 - a rhythm of regular activities that generates evidence as a byproduct of genuine operation.
4.4 Certificate Suspension
A CB may suspend a certificate when:
- A nonconformity is identified that would result in recertification failure if not corrected promptly
- The organization fails to provide audit access when required
- The organization has voluntarily requested suspension
- Documented evidence indicates the ISMS is no longer effectively maintained
Certificate suspension has significant business consequences - the organization must stop claiming or promoting the certification, the suspended status is published in the CB's public registry, and customer contracts that depend on certification will usually require the customer to be informed.
4.5 Certificate Withdrawal
Certificate withdrawal - permanent revocation - occurs when:
- The organization fails to resolve a suspension within the defined period
- The organization voluntarily withdraws from certification
- The organization ceases to operate within the certified scope
Unlike suspension, withdrawal requires a new initial certification process (Stage 1 + Stage 2) to regain certification.
Part 5 - Recertification: The Three-Year Review
5.1 What Recertification Involves
The recertification audit at the end of the three-year certification cycle is a comprehensive reassessment - equivalent in scope and depth to the initial certification, but with three years of operational history.
Recertification involves:
Documentation review: Reviewing the ISMS documentation set for currency and completeness. A formal Stage 1 is only conducted where there have been significant changes to the organization or the ISMS, but the documentation should reflect the organization as it currently operates, not as it was when initially certified.
Operational assessment (Stage 2 equivalent): Assessing the full ISMS operation using document review, interviews, observation, and technical review. Particular attention will be paid to areas of weakness from surveillance audits.
Three-year trend assessment: An opportunity to assess the ISMS's development over the three-year cycle.
5.2 Preparing for Recertification
Recertification preparation should begin at least six months before the certification expiry date:
Full ISMS review: Review all ISMS documentation for currency. Update out-of-date documents.
Closure of open findings: Review the corrective action register for any open findings from surveillance audits.
Evidence compilation: Confirm that operational evidence records cover the full three-year certification cycle.
Scope review: Confirm that the scope statement accurately describes the current ISMS.
Internal pre-audit: Conduct a comprehensive internal pre-audit across the full ISMS scope approximately 3–4 months before the recertification date. This is the most effective single investment in recertification readiness.
Part 6 - Nonconformity Management: A Complete Taxonomy
6.1 Major Nonconformities
A major nonconformity represents a significant failure of the ISMS - either the absence of a required element, a systemic failure of a required process, or evidence of such a departure from requirements that achieving the ISMS's intended outcomes is in doubt.
Characteristics of a major nonconformity:
- Absence of a required element (e.g., no documented risk assessment, no SoA, no management review ever conducted)
- Systemic failure of a process across the full scope (e.g., no access reviews have ever been conducted for any system in scope)
- Multiple minor nonconformities in the same area, which together indicate a systemic failure rather than isolated lapses
- Evidence that the ISMS is fundamentally not operational
Consequences at initial certification: Certificate cannot be issued until the major nonconformity is resolved. A further audit is required to verify resolution.
Consequences at surveillance or recertification: The certificate may be suspended if not resolved within the defined period (typically 30–90 days).
The major nonconformity resolution process:
- Acknowledge the finding formally
- Analyze the root cause
- Develop a corrective action plan addressing the root cause
- Implement the corrective action
- Collect evidence that the nonconformity has been resolved
- Submit evidence to the CB within the defined timeframe
- CB reviews evidence and conducts any required verification audit
- CB confirms closure
6.2 Minor Nonconformities
A minor nonconformity represents a specific failure to meet a requirement that does not, in itself, undermine the ISMS's overall effectiveness.
Examples of minor nonconformities:
- A single policy that has not been reviewed within its defined review cycle
- Training records that are incomplete for a small number of in-scope personnel
- A specific risk treatment action that is overdue without an approved extension
- A supplier review not conducted within the defined period for a single supplier
- A specific Annex A control included in the SoA with "to be implemented" status but no target date
At initial certification: The certificate may be issued with a condition requiring resolution within a defined period (typically 30–90 days).
Patterns to watch: The same minor nonconformity appearing in multiple consecutive audits will typically be elevated to a major nonconformity.
6.3 Observations and Opportunities for Improvement
An observation is an auditor's finding that a requirement is being met but there is a concern or opportunity for improvement that, if unaddressed, may result in a nonconformity in the future.
Observations are not nonconformities - they do not require formal corrective action within a defined timeframe. But they should not be dismissed - an observation in one cycle that goes unaddressed frequently becomes a minor nonconformity in the next.
Examples of observations:
- A control is implemented but the evidence of its operation is thin
- A process is performing adequately but lacks defined metrics
- A supplier relationship has grown in scope and risk since the last tiering review
- The incident reporting culture appears underdeveloped - the incident register shows fewer events than would be expected from an organization of this size and complexity
6.4 The Corrective Action Plan: What CBs Expect
For every nonconformity, the organization must submit a corrective action plan (CAP) within the timeframe specified by the CB.
A corrective action plan that satisfies a certification body has four components:
Correction: What immediate action has been taken to address the specific nonconformity? This addresses the symptom but not the root cause.
Root cause analysis: Why did the nonconformity occur? The quality of the root cause analysis is the primary indicator of whether the corrective action will prevent recurrence.
Corrective action: What systematic change has been made to prevent recurrence? This addresses the root cause.
Evidence: Specific evidence demonstrating that both the correction and the corrective action have been implemented.
CBs that receive CAPs without root cause analysis, CAPs where the proposed corrective action addresses only the symptom, or CAPs that lack specific evidence, will request resubmission.
6.5 Nonconformity Closure
A nonconformity is closed when the CB has reviewed the evidence submitted in the CAP and is satisfied that:
- The specific nonconformity has been corrected
- The root cause has been identified
- The corrective action is adequate to prevent recurrence
- The evidence demonstrates actual implementation, not just a plan
Part 7 - Common Certification Failure Patterns
7.1 The Documentation ISMS
The organization has produced comprehensive, well-structured documentation. Then the Stage 2 interviews begin. The IT operations team doesn't know what classification scheme applies to customer data. The HR manager doesn't know they have responsibilities in the ISMS. The developer doesn't know the process for reporting a security vulnerability they've discovered.
Prevention: Design the ISMS around actual operational practice, not ideal practice. Stage 2 interviews should never produce surprises - if internal pre-audit interviews produce surprises, that is the signal that additional preparation is needed.
7.2 The Pre-Audit Sprint
The organization discovers six weeks before Stage 2 that significant preparation is incomplete and executes an intensive sprint. Experienced auditors recognize sprint-assembled ISMSs quickly - evidence records have suspiciously similar dates, the management review minutes don't reflect genuine discussion, the risk assessment language is generic.
Prevention: Build the ISMS timeline backwards from the certification date with realistic durations. The three months most CBs require is a floor, not a target: a minimum of six months of genuine ISMS operation before Stage 2 is a practical benchmark.
7.3 The Scope Mismatch
The Stage 2 audit identifies that a significant portion of the information assets that are supposed to be in scope are either managed by functions not included in ISMS governance, or subject to risks not addressed in the risk assessment.
Prevention: Subject the scope statement to challenge before Stage 2. Ask: "Would a customer, regulator, or auditor reading this scope statement believe that the things connected to these processes are covered?"
7.4 The Risk-Control Disconnect
The risk assessment identifies specific risks. The SoA lists specific controls. But when auditors trace the connection between them - asking "which risk does control 8.5 (Secure Authentication) address?" - the answer is a generic statement that doesn't trace to any specific risk in the risk register.
Prevention: Build the SoA directly from the risk assessment output, with explicit cross-references between risks and controls.
7.5 The Leadership Engagement Gap
Senior management approved the information security policy and signed the management review minutes. But when the auditor interviews the CEO or the board member responsible for audit oversight, their responses reveal minimal understanding of the ISMS and no meaningful engagement with security governance between formal management review meetings.
Prevention: Leadership engagement must be built into the ISMS program from the outset - not as a certification preparation activity but as a genuine organizational commitment.
Part 8 - The Pre-Audit Program: How to Prepare Without Performing
8.1 The Internal Pre-Audit
The most valuable single investment in certification readiness is a well-designed internal pre-audit conducted 3–4 months before Stage 2.
The pre-audit should:
Cover the full mandatory document set: Verify that every mandatory document exists, is current, properly approved and version-controlled, and contains all required elements.
Test the risk-control connection: Trace from each significant risk in the register to the controls that address it, and from each control in the SoA to the risks that justify its inclusion.
Sample operational evidence: Pull evidence samples for key ISMS activities from the last three months.
Conduct mock interviews: Interview key personnel using the question patterns described in Part 3.
Walk the physical environment: For on-site audits, physically walk the in-scope locations assessing physical security controls.
Review previous findings: If previously certified, review all previous nonconformities and observations to confirm they have been properly resolved.
8.2 Personnel Preparation
People who will be interviewed should understand:
- What the ISMS is and what their role involves
- What the key security policies require of them
- How to describe their security-relevant activities accurately and specifically
- How to respond when they don't know the answer: "I don't know, but here is how I would find out" - not guessing
- What not to do during an audit (volunteer information outside the audit scope, argue with audit findings)
Personnel preparation should be factual briefing, not coaching of answers.
8.3 Evidence Organization
Before Stage 2, organize evidence into a structured evidence pack that allows rapid retrieval of any document or record the auditor requests. The evidence pack structure should mirror the ISO 27001 clause structure.
Summary: What Chapter 8 Has Established
The certification journey is a three-year cycle - initial certification, two surveillance audits, and recertification - that maintains a continuous assertion of ISMS conformance as long as the management system continues to operate effectively.
Certification body selection determines the quality and credibility of the certification. Accreditation is the non-negotiable minimum; sector expertise, market recognition, and audit approach quality differentiate CBs beyond that baseline.
Stage 1 assesses documentation readiness and operational preparation.
Stage 2 is the certification audit. Auditor interviews are the most revealing evidence-gathering mechanism.
Surveillance audits maintain the certification across the three-year cycle. The certification hangover - degradation when ISMS activities are treated as a project that ended at certification - is the dominant surveillance audit failure pattern.
Nonconformity management is a defined process with four CAP components: correction, root cause analysis, corrective action, and evidence.
Preparation without performance - building an ISMS that operates genuinely rather than one staged for audit - is the single most reliable predictor of certification success and, more importantly, of an ISMS that protects the organization.
Next: Chapter 9 - ISO 27001 in the Compliance Ecosystem: NIST CSF, SOC 2, GDPR, NIS2, DORA, and ISO 27002 Alignment Maps
© ISO 27001 Wiki - For CISOs, Security Analysts, and GRC Professionals