ISO 27001 Certification: Process, Costs, and Effort for SMEs

TL;DR
  • ISO 27001 certification typically takes 6 to 12 months for SMEs and costs between EUR 15,000 and 60,000, depending on company size and maturity level.
  • The process consists of preparation, Stage 1 audit (document review), Stage 2 audit (implementation review), annual surveillance audits, and recertification after three years.
  • Conformity without a certificate can make sense if you don't need an external seal but still want to operate an effective ISMS.
  • The largest cost blocks are internal personnel effort (40-60%), consulting (20-35%), and the certification body's fees (15-25%).
  • The most common audit findings involve missing management reviews, incomplete risk treatment plans, and a lack of effectiveness verification for measures.

Certification or Conformity: What Do You Actually Need?

Before diving into the certification process, a fundamental question is worth considering: Do you actually need the certificate on the wall, or is it sufficient to implement the ISO 27001 requirements internally?

The difference is not trivial. Certification means that an independent, accredited body has reviewed your ISMS and found it conforming. You receive a certificate that you can present to customers, partners, and clients. Conformity, on the other hand, means that you meet the standard's requirements, but no external party has confirmed this.

There are compelling reasons for certification. If your customers or clients explicitly require an ISO 27001 certificate — for example in tenders or as a supplier requirement — there's no way around it. This increasingly applies to mid-market companies as well, especially when you work for larger enterprises or the public sector. A certificate creates trust that you can't achieve with a self-assessment.

Conformity without certification can be sensible if you primarily want to improve your own security and don't need external proof. You save the costs of the certification body and the effort of formal auditing while retaining all the benefits of a structured ISMS. Many organizations start this way and pursue certification later when business pressure increases.

There's also a third option: organizations affected by NIS2 can demonstrate roughly 80% of NIS2 requirements with an ISO 27001 certification. If you're already subject to NIS2, certification kills two birds with one stone.

The Certification Process at a Glance

The path to ISO 27001 certification follows a clearly defined process that can be divided into five phases. Each phase has its own goals, requirements, and typical pitfalls.

Phase 1: Preparation and ISMS Setup (3-8 Months)

The longest and most labor-intensive phase begins well before the actual audit. Here you build your ISMS or bring an existing system up to the standard's requirements. What needs to happen in this phase:

Conduct a gap analysis. Compare the current state of your information security against ISO 27001 requirements. Which processes already exist? Where are the gaps? The gap analysis gives you a roadmap for the remaining preparation time. Plan one to two weeks for this, depending on the complexity of your IT landscape.

Define the scope. Determine which locations, departments, systems, and processes your ISMS covers. The scope is a strategic decision. A scope that's too broad drives up effort; one that's too narrow will be questioned by the auditor. For an SME with one location and manageable IT, a company-wide scope is often recommended because defining exclusions is harder to justify than complete coverage.

Risk assessment and risk treatment. The heart of the ISMS. Identify your information assets, assess the risks, and define treatment measures. The results feed into the Statement of Applicability (SoA), which specifies which of the 93 controls from Annex A you implement and which you exclude with justification.

Document policies and processes. ISO 27001 requires a number of documented pieces of information: information security policy, risk assessment methodology, risk treatment plan, SoA, internal audit reports, management review. In addition, there are operational policies such as password policy, access control, backup concept, and incident response procedures.

Implement measures. Documentation alone is not enough. The defined controls must actually be implemented. If your SoA specifies encryption for mobile devices, that encryption must be active before the audit — not just planned.

Conduct an internal audit. Before the external audit, you must have conducted at least one internal audit. Here you check whether your ISMS meets the standard's requirements. The internal audit uncovers weaknesses you can fix before the external audit. It's your dress rehearsal.

Management review. Senior management must have formally reviewed the ISMS at least once. This involves discussing the results of the internal audit, goal achievement, incidents, and improvement opportunities. The management review is not an optional meeting — it's a mandatory requirement of the standard that auditors always check.

Phase 2: Stage 1 Audit (Document Review)

The Stage 1 audit is the first encounter with the external auditor from the certification body. It typically takes place on-site but can also be partially conducted remotely. For an SME, it takes one to two days.

The auditor reviews essentially three things in Stage 1:

ISMS documentation. Are all required documented pieces of information present? Information security policy, risk methodology, risk treatment plan, SoA, internal audit, management review. The auditor reads these documents and checks whether they substantively cover the standard's requirements.

Readiness for Stage 2. Is the ISMS actually implemented and not just on paper? The auditor holds discussions with the ISMS lead and determines whether the organization is ready for the implementation audit.

Scope and context. Is the scope sensibly defined? Are the relevant interested parties identified? Does the organization's context match the documentation?

At the end of the Stage 1 audit, you receive a report with findings. These may be nonconformities that you must resolve before Stage 2, or observations and recommendations. Between Stage 1 and Stage 2, there are typically four to eight weeks to address open items.

A typical reason for delays after Stage 1: the documentation exists but isn't consistent. The risk assessment references different assets than the SoA, or the information security policy uses different terminology than the operational policies. Such inconsistencies are immediately noticed by the auditor.

Phase 3: Stage 2 Audit (Implementation Review)

The Stage 2 audit is the actual certification audit. Here the auditor checks whether your ISMS is not just documented but effectively implemented. The effort is two to five days for an SME, depending on scope and company size.

The auditor works systematically through the standard's requirements and the controls in your SoA. They conduct interviews with employees at various levels, review evidence (logs, records, training certificates), and observe processes. Some examples of what's typically checked:

Risk management. The auditor asks the ISMS lead: Show me your risk assessment. How did you identify the risks? How are risks tracked? When was the last update performed? They examine specific risk entries and check whether treatment measures have been implemented.

Access control. How are permissions granted and revoked? What happens when an employee leaves the company? The auditor wants to see evidence: permission requests, offboarding checklists, regular permission reviews.

Incident management. Have there been security incidents? If yes: how were they handled? If no: how would the process work in an actual event? The auditor tests whether employees know the reporting process.

Training. Were awareness training sessions conducted? Can the organization provide attendance records? Do employees know what the information security policy states?

At the end of the Stage 2 audit, the decision is made. The auditor can make three types of findings:

| Finding | Meaning | Impact |
|---|---|---|
| Major nonconformity | A standard requirement is not met or the ISMS is fundamentally ineffective in an area | Certificate is not issued until the nonconformity is resolved and verified |
| Minor nonconformity | Individual weakness that doesn't fundamentally impair the ISMS | Must be resolved within 90 days; certificate can still be issued |
| Opportunity for improvement | Auditor recommendation, not a formal nonconformity | Can but doesn't have to be implemented |

If there are no major nonconformities and the minor ones are manageable, the auditor recommends certification. However, the final decision is made not by the auditor themselves but by an independent committee of the certification body.

Phase 4: Surveillance Audits (Annual)

The ISO 27001 certificate is valid for three years. In the two years between initial certification and recertification, surveillance audits take place — typically one per year.

Surveillance audits are less extensive than the Stage 2 audit. For an SME, they usually last one to two days. The auditor doesn't re-examine the entire ISMS but focuses on selected areas. They pay particular attention to:

  • Were nonconformities from previous audits resolved?
  • Is the continuous improvement process working?
  • Have there been changes in scope, organization, or IT landscape?
  • Were internal audits and management reviews conducted?
  • How were security incidents handled?

Surveillance audits are not automatic passes. If the auditor finds that the ISMS has stagnated or deteriorated since certification, they can issue major nonconformities and, in the worst case, recommend suspension of the certificate. This rarely happens in practice, but the possibility exists.

Preparing for surveillance audits shouldn't be a major effort if you maintain your ISMS throughout the year. If you're frantically updating documents and gathering evidence two weeks before the audit, that's a sign the ISMS isn't being lived in daily practice — exactly what the auditor will notice.

Phase 5: Recertification (After 3 Years)

Three years after initial certification, recertification is due. It resembles the Stage 2 audit but is typically somewhat leaner because the auditor already knows the company and can draw on surveillance audit results.

Recertification checks whether the ISMS still meets the standard's requirements and whether it has evolved. Three years is a long time in IT, and the auditor expects the ISMS to have adapted to changed conditions: new systems, new threats, organizational changes, technological developments.

If you've cleanly passed the surveillance audits and continuously developed your ISMS, recertification is a formality. If not, it can become uncomfortable.

Realistic Timeline: 6 to 12 Months

How long does the path to certification take? The honest answer: it depends. But for an SME with 50 to 250 employees, you can work with the following benchmarks:

| Phase | Duration | Prerequisite |
|---|---|---|
| Gap analysis | 1-2 weeks | Access to all relevant documents and systems |
| ISMS setup and documentation | 3-6 months | Dedicated resource (at least 50% position) |
| Measure implementation | 2-4 months (parallel) | Budget for technical measures |
| Internal audit + management review | 2-4 weeks | ISMS must be operational |
| Stage 1 audit | 1-2 days | Documentation complete |
| Stage 1 follow-up | 4-8 weeks | Close identified gaps |
| Stage 2 audit | 2-5 days | Measures implemented and evidenced |
| Certificate issuance | 4-6 weeks after Stage 2 | No open major nonconformities |

6 months is possible if you already have basic security processes in place (backup concept, access management, firewall rules), a dedicated person is driving the project, and senior management actively supports it. In this case, it's less about building security than systematizing and documenting what's essentially already in place.

12 months is more realistic if you're starting from zero or near zero — when policies need to be written, processes defined, and technical measures implemented from scratch. Organizations with multiple locations or complex IT infrastructure also tend to need more time.

It shouldn't take longer than 12 months. If the process drags on for more than a year, either the resource or management support is missing. Both are problems you need to solve before continuing.

One factor many underestimate: the standard requires that the ISMS has been operational for a certain time before you certify. The auditor wants to see evidence of an operational period, not just freshly created documentation. Three to six months of operational activity before the Stage 2 audit is a good benchmark.

Costs Broken Down: What to Expect

The cost question is often decisive for SMEs. Here's a realistic breakdown for a company with 50 to 150 employees and one location:

Internal Personnel Effort (40-60% of Total Costs)

The largest cost block is simultaneously the most frequently underestimated. Someone must build the ISMS, write documents, define processes, train employees, and prepare for the audit. Plan for:

| Role | Effort | Estimated Costs (internal) |
|---|---|---|
| CISO / ISMS lead | 6-12 months, 50-100% | EUR 30,000-70,000 (salary share) |
| IT management (technical implementation) | 2-4 months, 20-30% | EUR 5,000-15,000 |
| Senior management (reviews, decisions) | 10-20 hours total | EUR 2,000-5,000 |
| Business units (interviews, training) | 5-10 hours per unit | EUR 3,000-8,000 |

The range is wide because it strongly depends on whether you assign an existing employee to the topic or create a new position. An experienced CISO works significantly faster than someone who must first learn the subject.

External Consulting (20-35% of Total Costs)

Consulting is not mandatory, but for most SMEs it's a worthwhile investment. An experienced ISO 27001 consultant significantly accelerates the process and helps avoid typical mistakes.

| Service | Typical Scope | Costs |
|---|---|---|
| Gap analysis and project planning | 2-5 days | EUR 2,000-6,000 |
| ISMS setup support | 10-30 days | EUR 10,000-35,000 |
| Internal audit (externally conducted) | 2-3 days | EUR 2,000-4,000 |
| Audit preparation and coaching | 2-5 days | EUR 2,000-6,000 |

Daily rates for ISO 27001 consultants typically range from EUR 1,000 to 1,500. Packages or longer engagements often allow for better rates. Make sure the consultant is accredited or certified — for example as an ISO 27001 Lead Auditor or Lead Implementer.

An important restriction: the consultant may not advise you and simultaneously certify you. The certification body must be independent. If your consultant is employed at a certification body, they may not accompany your ISMS project and subsequently provide the auditor from the same body for your audit.

Certification Body (15-25% of Total Costs)

The certification body's fees are based on company size (measured in employees in scope), number of locations, and IT environment complexity.

| Audit | Typical Costs (50-150 employees, 1 location) |
|---|---|
| Stage 1 audit | EUR 3,000-6,000 |
| Stage 2 audit | EUR 5,000-12,000 |
| Surveillance audit (per year) | EUR 3,000-6,000 |
| Recertification (after 3 years) | EUR 5,000-10,000 |

Over the entire three-year cycle (initial audit + two surveillance audits), you'll spend EUR 14,000 to 30,000 on the certification body. Per year, that's approximately EUR 5,000 to 10,000.

Technical Measures and Tools

Depending on your IT maturity, costs for technical measures may apply: MFA solution, endpoint detection, encryption, SIEM integration, or an ISMS tool for documentation and risk management. These costs vary enormously and depend on what's already in place.

| Area | Typical Costs |
|---|---|
| ISMS tool / software (e.g. ISMS Lite starting at EUR 500/year) | EUR 500-8,000/year |
| Technical measures (MFA, EDR, backup) | EUR 3,000-20,000 one-time + ongoing |
| Training platform / e-learning | EUR 1,000-5,000/year |

Total Costs: A Realistic Range

For an SME with 50 to 150 employees and one location, the total calculation for the first year looks roughly like this:

| Category | Minimum | Maximum |
|---|---|---|
| Internal effort | EUR 15,000 | EUR 50,000 |
| External consulting | EUR 5,000 | EUR 40,000 |
| Certification body | EUR 8,000 | EUR 18,000 |
| Tools and technology | EUR 3,000 | EUR 20,000 |
| Total (Year 1) | EUR 31,000 | EUR 128,000 |

Subsequent years are significantly cheaper because the initial setup effort falls away. Plan for EUR 10,000 to 30,000 per year for ongoing maintenance, surveillance audits, and continuous improvement.

Choosing the Right Certification Body

Not all certification bodies are equal. The selection affects costs, audit quality, and the external perception of your certificate. What to look for:

Check accreditation. The certification body must be accredited by a national accreditation body. In Germany, that's the Deutsche Akkreditierungsstelle (DAkkS). A certification without DAkkS accreditation is, strictly speaking, not a recognized ISO 27001 certificate. Well-known certifiers such as TÜV, DEKRA, DQS, BSI (British Standards Institution), or Bureau Veritas are all accredited.

Industry experience. An auditor who regularly audits companies of your industry and size understands your challenges and asks relevant questions. An auditor who usually examines large corporations may have unrealistic expectations of an 80-person company.

Compare quotes. Obtain at least three quotes. The price differences can be significant, and you'll get a feel for what's market-standard. Ensure the quotes are comparable: How many audit days are included? Are travel costs included? What does a follow-up audit cost for major nonconformities?

Clarify availability. Popular certification bodies have lead times of several months. Plan the audit date early — ideally three to six months in advance. If you have a fixed timeline (for example because a customer needs to see the certificate by a certain date), early scheduling is critical.

Note auditor rotation. After a certain number of audit cycles, the lead auditor must change to prevent complacency. Ask how the certification body handles this.

Common Audit Findings: What Auditors Actually Object To

Clear patterns emerge from practice regarding which points repeatedly lead to findings in ISO 27001 audits. If you have these topics under control, you're well positioned.

Management Review Is Missing or Superficial

The management review (Clause 9.3) is one of the items auditors check in every audit — and one of the most common findings. Either the management review wasn't conducted at all, or it's so thinly documented that the auditor can't determine what was actually discussed and decided.

The standard defines specific inputs for the management review: results of internal audits, status of corrective actions, changes in context, feedback from interested parties, results of risk assessment, and improvement opportunities. If your minutes contain only "Management review conducted, no objections," the auditor will dig deeper.

Risk Treatment Plan Not Traceable

You've identified and assessed risks, but the connection to treatment is missing or unclear. The auditor expects to be able to navigate from an identified risk through the treatment plan to the specific control and from there to evidence of implementation. This traceability is crucial. In ISMS Lite, the implementation status of each control can be documented with justification and linked measures, which significantly eases the auditor's work.

A typical problem: the risk "ransomware attack" was identified, but the risk treatment plan only says "implement technical measures." Which measures? Who is responsible? By when? How is effectiveness verified? The plan must answer these questions.

Statement of Applicability Not Consistent

The Statement of Applicability (SoA) is the central document that specifies which Annex A controls are applied and which are not. Inconsistencies between the SoA and actual implementation are a common finding. If the SoA states you implement Control A.8.24 (Cryptography) but no encryption policy exists in practice, that's a nonconformity.

Equally problematic: controls marked as "not applicable" without sufficient justification. The auditor will ask why a particular control isn't relevant, and the answer must be comprehensible.
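The traceability questions from the risk treatment section and the SoA consistency points above can be checked mechanically once the risk register and SoA are kept as structured data. The following Python code is an added example, not part of the original article or of ISMS Lite; the field names, the evidence file name, and all sample records are assumptions constructed for illustration.

```python
"""Traceability check across a risk register and a Statement of Applicability.

All records below are constructed sample data; the field names are
assumptions of this example, not a format defined by ISO 27001.
"""

# Constructed SoA: control id -> applicability, justification, evidence refs.
SOA = {
    "A.8.24": {"applicable": True, "justification": "Laptops hold customer data",
               "evidence": []},  # claimed as implemented, nothing to show
    "A.8.13": {"applicable": True, "justification": "Ransomware recovery",
               "evidence": ["restore-test-2024-Q2.pdf"]},
    "A.8.7": {"applicable": False, "justification": "", "evidence": []},
}

# Constructed risk register with the treatment plan fields per risk.
RISKS = [
    {"id": "R-01", "title": "Ransomware attack", "treatment": "mitigate",
     "controls": ["A.8.13", "A.8.7"], "owner": "IT lead",
     "due": "2024-09-30", "effectiveness_check": "Quarterly restore test"},
    {"id": "R-02", "title": "Lost laptop", "treatment": "mitigate",
     "controls": ["A.8.24"], "owner": "", "due": "",
     "effectiveness_check": ""},
    {"id": "R-03", "title": "Office flooding", "treatment": "accept",
     "controls": [], "owner": "CEO", "due": "", "effectiveness_check": ""},
]

# Who is responsible? By when? How is effectiveness verified?
PLAN_FIELDS = ("owner", "due", "effectiveness_check")


def check_soa(soa):
    """Flag exclusions without justification and claims without evidence."""
    findings = []
    for cid, c in sorted(soa.items()):
        if not c["applicable"] and not c["justification"].strip():
            findings.append((cid, "excluded without justification"))
        if c["applicable"] and not c["evidence"]:
            findings.append((cid, "applicable but no implementation evidence"))
    return findings


def check_risks(risks, soa):
    """Flag mitigated risks whose plan is incomplete or contradicts the SoA."""
    findings = []
    for r in risks:
        if r["treatment"] != "mitigate":
            continue  # accepted risks are not expected to link to controls
        if not r["controls"]:
            findings.append((r["id"], "mitigated risk has no linked control"))
        for field in PLAN_FIELDS:
            if not r[field].strip():
                findings.append((r["id"], f"treatment plan missing {field}"))
        for cid in r["controls"]:
            if cid not in soa:
                findings.append((r["id"], f"{cid} not listed in SoA"))
            elif not soa[cid]["applicable"]:
                findings.append((r["id"], f"{cid} marked not applicable in SoA"))
    return findings


def trace(risk_id, risks, soa):
    """Return the risk -> control -> evidence chain an auditor would follow."""
    risk = next(r for r in risks if r["id"] == risk_id)
    return {cid: soa.get(cid, {}).get("evidence", []) for cid in risk["controls"]}


if __name__ == "__main__":
    for ref, msg in check_soa(SOA) + check_risks(RISKS, SOA):
        print(f"{ref}: {msg}")
```

Running the same checks before the internal audit surfaces the inconsistencies between risk assessment and SoA that otherwise appear as findings in Stage 1.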

Effectiveness Verification Is Missing

ISO 27001 requires not just the implementation of measures but also the verification of their effectiveness (Clause 9.1). Many organizations implement controls but never check whether they actually work. You've introduced MFA — but have you measured whether all accounts actually have MFA activated? You have a backup policy — but have you conducted a restore test?

Effectiveness verification doesn't have to be elaborate, but it must be documented and traceable.

Internal Audit Not Independent

The internal audit must be conducted by persons who are independent from the audited area. If the CISO audits their own ISMS, the audit is not independent. For small companies, this is a real challenge because there may be only one CISO. The solution: either commission an external provider for the internal audit or deploy a trained employee from another department.

Change Management Is Incomplete

If significant changes have occurred since the last audit (new locations, new systems, organizational changes, new cloud provider), the ISMS must reflect these changes. Has the scope changed? Was the risk assessment updated? Were new controls defined? Auditors specifically look for changes and check whether the ISMS has kept pace.

Training Records Incomplete

Awareness training was conducted, but there are no attendance lists, no content overviews, no evidence of knowledge transfer. Training of senior management in particular is often forgotten, even though the standard explicitly requires the competence of top management. If the CEO can't explain what the information security policy states, that's a problem.

Tips for a Smooth Certification

Speak with the certification body early. Clarify the scope, audit days, and timeline. Some certifiers offer a preliminary discussion where you can clarify open questions without it being a formal audit.

See the auditor as a conversation partner, not an adversary. Auditors don't want to fail companies. They want to find an effective ISMS. Openness and transparency during the audit pay off. If you know you still have catching up to do in one area, address it proactively rather than hoping the auditor won't notice.

Prepare evidence. Before the audit, create an overview of which evidence you can present for which standard requirement. This saves time during the audit and shows the auditor you're prepared. Nothing delays an audit more than frantic searching for documents.

Prepare employees. The auditor won't only speak with the CISO but also with other employees: IT administrators, department heads, reception staff. These employees should know what an audit is, what questions might come up, and that they should answer honestly. Briefings before the audit aren't manipulation — they're preparation.

Deliver corrective evidence promptly. When the auditor identifies a minor nonconformity, you typically have 90 days for correction. Don't wait until day 89. The faster you demonstrate the correction, the better the impression your organization leaves.

The Path After Certification

Getting the certificate is a milestone, but not the finish line. The real challenge begins afterward: living the ISMS in daily operations, continuously improving it, and demonstrating in surveillance audits that it wasn't just a certification project.

Plan fixed times for ISMS maintenance: brief weekly reviews, monthly status reports to management, quarterly risk assessment updates, and an annual management review. Tools like ISMS Lite support you with automatic reminders for review cycles and an audit trail that documents continuous maintenance. When the ISMS becomes part of your daily operations, it loses its project character and becomes what it's meant to be: a living management system that sustainably improves your information security.

And one closing thought: certification is not proof that you're secure. It's proof that you're pursuing a systematic approach to information security. That sounds like a fine distinction, but it's essential. The certificate shows that you manage risks, have defined processes, and continuously work on improvement. Actual security depends on how consistently you implement these processes in daily practice.
