ISO 27001 Certification: The Complete Guide for EU Organisations
End-to-end guide to ISO 27001 certification for EU organisations, covering the 2022 revision, ISMS implementation, Stage 1 and Stage 2 audits, certification body selection, surveillance audit cycles, and alignment with EU regulations including NIS2 and DORA.
- ISO 27001:2022 is the current version of the standard. All new certifications are issued against the 2022 revision, which includes 93 Annex A controls in four categories and 11 new controls addressing contemporary security challenges.
- The certification process involves Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance audits and recertification every three years.
- Select an accredited certification body with sector experience and evaluate proposals from at least three bodies before committing.
- NIS2, DORA, and GDPR all recognise ISO 27001 as a relevant standard, making certification a strategic investment for EU organisations subject to multiple regulatory frameworks.
- Certification is an ongoing programme, not a one-time project. Management system atrophy between audits is the most common cause of surveillance audit failures.
1. What Is ISO 27001 and Why Does It Matter?
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic framework for managing sensitive information so that it remains secure. The standard covers people, processes, and technology, and is designed to be applicable to organisations of any size, sector, or geography. Certification to ISO 27001 demonstrates to customers, regulators, and partners that your organisation has implemented a rigorous, independently audited information security programme.
For EU organisations, ISO 27001 has taken on particular regulatory significance. The NIS2 Directive (Directive (EU) 2022/2555) explicitly recognises ISO 27001 as a relevant standard for demonstrating compliance with Article 21 cybersecurity risk-management measures. DORA (Regulation (EU) 2022/2554) similarly references international standards for ICT risk management frameworks. While neither regulation treats ISO 27001 certification as a compliance safe harbour, both acknowledge that certified organisations have a strong foundation for meeting regulatory requirements. In practice, supervisory authorities across Europe treat ISO 27001 certification as meaningful evidence of cybersecurity maturity.
The standard follows a Plan-Do-Check-Act (PDCA) cycle. The management system clauses (Clauses 4 through 10) define the requirements for establishing, implementing, maintaining, and continually improving the ISMS. Annex A provides a reference set of information security controls — 93 controls in the 2022 revision, organised into four categories. Certification requires demonstrating conformity with both the management system clauses and the controls declared applicable in your Statement of Applicability (SoA). This dual structure means that ISO 27001 is not merely a technical checklist — it is a governance framework that embeds information security into organisational decision-making.
ISO 27001:2022 replaced the 2013 revision. Organisations certified to the 2013 version had until 31 October 2025 to transition. All new certifications are now issued against the 2022 revision.
2. Key Changes in the 2022 Revision
ISO/IEC 27001:2022 was published on 25 October 2022, replacing ISO/IEC 27001:2013. The management system clauses (Clauses 4-10) received relatively minor updates — the most notable additions are Clause 6.3 (planning of changes), which requires organisations to plan ISMS changes in a structured manner, and updates to Clause 4.2 requiring explicit identification of interested party requirements addressed through the ISMS. The core PDCA structure and risk-based approach remain unchanged.
The substantial changes are in Annex A, which was restructured to align with the updated ISO/IEC 27002:2022 control catalogue. The previous 114 controls in 14 categories have been reorganised into 93 controls across four themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). This restructuring is not merely cosmetic — 11 new controls were introduced reflecting the evolved threat landscape, including A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding.
For organisations that were certified to the 2013 revision, the transition required a gap analysis against the new control structure, an updated Statement of Applicability reflecting the 93-control framework, implementation of any newly applicable controls (particularly the 11 new controls), and a transition audit by the certification body. The transition deadline was 31 October 2025. Organisations pursuing first-time certification now work exclusively with the 2022 revision — there is no option to certify against the 2013 version. The updated control set better reflects contemporary security challenges, particularly around cloud security, threat intelligence, and data protection, making the 2022 revision a more practical foundation for organisations operating in EU regulatory environments where these topics are explicitly addressed by NIS2 and DORA.
The 11 new Annex A controls in the 2022 revision align closely with NIS2 Article 21 requirements. Organisations pursuing both ISO 27001 certification and NIS2 compliance should map these controls to their NIS2 gap analysis to avoid duplicating effort.
3. Building Your ISMS: From Scoping to Implementation
ISMS implementation begins with scoping (Clause 4.3). Define the boundaries and applicability of the ISMS by considering the external and internal issues identified under Clause 4.1, the interested party requirements under Clause 4.2, and the interfaces and dependencies between your activities and those of other organisations. Scoping is a strategic decision — an overly broad scope increases implementation cost and audit complexity, while an overly narrow scope risks excluding critical assets and processes from the management system. For most organisations, the scope should encompass all information assets, processes, people, and locations that support the delivery of core business services.
With the scope defined, conduct a risk assessment (Clause 6.1.2). ISO 27001 does not prescribe a specific risk assessment methodology — you may use ISO 27005, EBIOS RM (widely used in France), BSI IT-Grundschutz (Germany), or any other methodology that identifies risks to the confidentiality, integrity, and availability of information within the ISMS scope. The methodology must produce results that are comparable and reproducible. For each identified risk, determine the risk owner, assess the likelihood and impact, and decide on the risk treatment: treat (apply controls), accept, avoid, or transfer. The risk treatment plan must reference specific Annex A controls or other measures that mitigate each identified risk.
Implementation involves deploying the controls selected in your risk treatment plan, establishing the management system processes required by Clauses 4-10 (including management review, internal audit, competence management, and documented information control), and embedding information security into operational processes. This is not a paper exercise — the ISMS must be operational. Policies must be communicated and understood, procedures must be followed in practice, controls must be technically implemented and monitored, and evidence of all of this must be systematically collected. Plan for 6 to 12 months of implementation effort for a mid-sized organisation before the ISMS is ready for Stage 1 audit. Larger or more complex environments may require 12 to 18 months.
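As an added example (not from this guide or any GRC product), the following lint applies the checks the risk assessment step above describes to a risk treatment plan export: every risk has an owner, a likelihood and impact on a fixed 1-5 scale so results are comparable and reproducible, a treatment decision of treat, accept, avoid or transfer, and, for treated risks, references to valid ISO/IEC 27001:2022 Annex A control identifiers. The plan structure, field names and sample entries are constructed assumptions; the theme ranges (A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34) follow the four themes and control counts given in section 2, and three-level identifiers such as A.12.6.1 are flagged as stale 2013 numbering that a transition gap analysis should have replaced.

```python
"""Lint a risk treatment plan against ISO/IEC 27001:2022 Annex A (added example)."""
import re

# Annex A in the 2022 revision: four themes, 93 controls in total
# (37 organisational, 8 people, 14 physical, 34 technological).
ANNEX_A_2022 = {5: 37, 6: 8, 7: 14, 8: 34}
TREATMENTS = {"treat", "accept", "avoid", "transfer"}
# Two-level ids (A.8.12) are 2022 controls; three-level ids (A.12.6.1) are 2013 controls.
CONTROL_RE = re.compile(r"^A\.(\d+)\.(\d+)(?:\.(\d+))?$")


def control_status(control_id: str) -> str:
    """Classify an Annex A identifier: valid, out-of-range, legacy-2013, unknown or malformed."""
    m = CONTROL_RE.match(control_id.strip())
    if not m:
        return "malformed"
    theme, number, sub = int(m.group(1)), int(m.group(2)), m.group(3)
    if sub is not None:
        # 2013 numbering ran A.5.1.1 to A.18.2.3; any other three-level id is junk
        return "legacy-2013" if 5 <= theme <= 18 else "malformed"
    if theme not in ANNEX_A_2022:
        return "unknown"
    return "valid" if 1 <= number <= ANNEX_A_2022[theme] else "out-of-range"


def lint_plan(plan: list) -> list:
    """Return one finding per defect; an empty list means the plan passes."""
    findings = []
    for risk in plan:
        rid = risk.get("id", "?")
        if not risk.get("owner"):
            findings.append(f"{rid}: no risk owner assigned")
        for key in ("likelihood", "impact"):
            value = risk.get(key)
            if not isinstance(value, int) or not 1 <= value <= 5:
                findings.append(f"{rid}: {key} must be an integer on the 1-5 scale, got {value!r}")
        treatment = risk.get("treatment")
        if treatment not in TREATMENTS:
            findings.append(f"{rid}: treatment must be one of {sorted(TREATMENTS)}, got {treatment!r}")
        controls = risk.get("controls") or []
        if treatment == "treat" and not controls:
            findings.append(f"{rid}: 'treat' decision references no Annex A control")
        for control in controls:
            status = control_status(control)
            if status != "valid":
                findings.append(f"{rid}: control {control} is {status}")
    return findings


# Constructed sample plan (hypothetical entries, not from any real organisation).
SAMPLE_PLAN = [
    {"id": "R-01", "owner": "CISO", "likelihood": 4, "impact": 5,
     "treatment": "treat", "controls": ["A.5.23", "A.8.12"]},
    {"id": "R-02", "owner": "IT Ops", "likelihood": 3, "impact": 3,
     "treatment": "treat", "controls": ["A.12.6.1"]},   # stale 2013 identifier
    {"id": "R-03", "owner": "", "likelihood": 2, "impact": 7,
     "treatment": "mitigate", "controls": []},
    {"id": "R-04", "owner": "Legal", "likelihood": 1, "impact": 2,
     "treatment": "accept", "controls": []},
]

if __name__ == "__main__":
    for line in lint_plan(SAMPLE_PLAN):
        print(line)
```

Running it on the sample plan reports four findings: the legacy identifier on R-02 and the missing owner, out-of-scale impact and unrecognised treatment on R-03.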
4. The Certification Audit Process: Stage 1 and Stage 2
ISO 27001 certification involves a two-stage audit conducted by an accredited certification body. Stage 1 is a documentation and readiness review. The auditor assesses whether your ISMS documentation meets the standard's requirements, reviews the scope definition, risk assessment and treatment methodology, Statement of Applicability, information security policy, internal audit programme, and management review records. Stage 1 may be conducted on-site or remotely (practices vary by certification body and accreditation body rules). The auditor will identify any major gaps that must be resolved before Stage 2 can proceed and will confirm that your organisation is ready for the Stage 2 audit.
Stage 2 is the substantive implementation audit. Conducted on-site (with limited remote components permitted under IAF MD 4:2018 guidelines), it evaluates whether your ISMS is effectively implemented and operating as documented. The auditor will interview personnel across the organisation, review evidence of control implementation and effectiveness, assess the risk assessment and treatment process in practice, verify that internal audits and management reviews have been conducted and that findings have been addressed, and test specific controls through sampling. Stage 2 typically takes 3 to 10 auditor-days depending on the scope, organisation size, and number of locations. The auditor classifies findings as major nonconformities, minor nonconformities, or opportunities for improvement.
Major nonconformities must be resolved before certification can be granted — typically within 90 days. Minor nonconformities must also be addressed; their closure is usually verified at the next surveillance audit. If no major nonconformities are found (or once they are resolved), the certification body issues the ISO 27001 certificate, valid for three years. The certificate specifies the scope of the ISMS, the applicable standard version (ISO/IEC 27001:2022), and the certification body's accreditation. Publication on the certification body's registry provides independent verification for customers, partners, and regulators.
Ensure your certification body is accredited by a national accreditation body that is a signatory to the IAF MLA (e.g., DAkkS in Germany, COFRAC in France, RvA in the Netherlands, ENAC in Spain). Certificates from non-accredited bodies may not be recognised by EU regulators or procurement processes.
5. Selecting a Certification Body
Choosing the right certification body is a consequential decision that affects the credibility and utility of your certification. In the EU, certification bodies must be accredited by a national accreditation body that is a member of the European Accreditation (EA) cooperation and a signatory to the IAF Multilateral Recognition Arrangement (MLA). Major accredited certification bodies operating across the EU include TUV SUD, TUV Rheinland, BSI Group, Bureau Veritas, DNV, SGS, and DEKRA, among others. All accredited bodies audit against the same standard, but they differ in pricing, auditor expertise, sector experience, scheduling flexibility, and geographic coverage.
Request proposals from at least three certification bodies. Evaluate them on: auditor competence (do they have auditors with experience in your sector and technology environment?), scheduling (can they accommodate your timeline for Stage 1 and Stage 2?), pricing (compare total cost including Stage 1, Stage 2, and three years of surveillance audits), geographic coverage (if you have multiple EU locations, can they audit all sites efficiently?), and reputation (are they well-known and respected in your industry and regulatory environment?). Some certification bodies offer integrated audit programmes for multiple standards (e.g., ISO 27001 + ISO 9001 + ISO 22301), which can reduce audit fatigue and cost if you are pursuing multiple certifications.
Be aware of independence requirements. The certification body that audits your ISMS must be independent — it cannot also be your implementation consultant. If you engage a consultancy to help build your ISMS, that consultancy's parent company, affiliates, or partners cannot serve as your certification body. This separation is a fundamental principle of the accreditation system. Additionally, once you select a certification body, plan for a long-term relationship: the three-year certification cycle with annual surveillance audits means you will work with this body for at least three years. Switching certification bodies mid-cycle is possible but involves transfer audit costs and administrative overhead.
6. Surveillance Audits and Recertification
ISO 27001 certification is not a one-time achievement — it requires ongoing maintenance through surveillance audits and recertification. After the initial certification, the certification body conducts surveillance audits at least annually (typically at 12-month intervals). Surveillance audits are smaller in scope than the initial Stage 2 audit — they sample a subset of ISMS areas and controls to verify that the management system remains effective and that the organisation continues to meet the standard's requirements. The auditor will also review any nonconformities raised at previous audits and assess whether corrective actions have been implemented and sustained.
At the end of the three-year certification cycle, a recertification audit is conducted. This is a comprehensive reassessment similar in scope to the original Stage 2 audit, covering the entire ISMS. The recertification audit evaluates the overall effectiveness of the ISMS over the certification period, reviews the results of surveillance audits and internal audits, assesses the effectiveness of the continual improvement process, and verifies that the ISMS remains aligned with the organisation's context and risk profile. If the ISMS has evolved significantly — through scope changes, organisational restructuring, or technology transformation — the recertification audit provides the opportunity to validate these changes.
Between audits, maintain ISMS operational discipline. Conduct internal audits covering the entire ISMS scope at least annually (Clause 9.2), hold management reviews at planned intervals (Clause 9.3), update the risk assessment when significant changes occur, address nonconformities through corrective action (Clause 10.1), and maintain documented evidence of all activities. The most common reason for surveillance audit failures is not technical control deficiencies — it is management system atrophy. Organisations that treat certification as a project with an end date rather than an ongoing programme inevitably see their ISMS documentation become stale, internal audits become perfunctory, and management reviews become box-ticking exercises. Invest in sustained ISMS operation, not just initial certification.
7. ISO 27001 and EU Regulatory Alignment
ISO 27001 certification provides a strong foundation for meeting the cybersecurity and information security requirements of multiple EU regulations. NIS2 (Directive (EU) 2022/2555) Article 25 explicitly allows Member States to require or encourage the use of European or international standards and technical specifications, and Recital 79 specifically mentions ISO 27001 as a relevant standard. While certification alone does not constitute NIS2 compliance — NIS2 includes requirements around incident reporting (Article 23), supply chain security specifics, and management body accountability (Article 20) that go beyond ISO 27001 — it covers a substantial portion of the Article 21 cybersecurity risk-management measures.
DORA (Regulation (EU) 2022/2554) similarly references international standards for ICT risk management. Financial entities subject to DORA will find that ISO 27001's risk assessment methodology, control framework, and management system structure align closely with DORA's ICT risk management framework requirements (Chapter II). The 2022 revision's new controls on threat intelligence (A.5.7), ICT readiness for business continuity (A.5.30), and cloud security (A.5.23) are particularly relevant to DORA's requirements for digital operational resilience testing and third-party ICT risk management.
GDPR Article 32 requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. ISO 27001 certification provides documented evidence that such measures are in place, regularly audited, and subject to continual improvement. While ISO 27001 is not a GDPR certification under Article 42, Data Protection Authorities across Europe have consistently recognised it as a positive indicator of GDPR Article 32 compliance. For organisations subject to multiple EU regulations, ISO 27001 serves as a unifying security framework — implement it once, and use it to demonstrate compliance across NIS2, DORA, and GDPR simultaneously.
The European Union Agency for Cybersecurity (ENISA) has published mapping documents between NIS2 requirements and ISO 27001 controls. These mappings are valuable references for organisations pursuing both NIS2 compliance and ISO 27001 certification in parallel.
How long does it take to get ISO 27001 certified?
For a mid-sized organisation starting from scratch, expect 6 to 12 months of implementation work before the ISMS is ready for Stage 1 audit. Stage 1 typically takes 1-2 days, followed by a gap of 2-6 weeks to resolve any findings, then Stage 2 takes 3-10 auditor-days depending on scope and complexity. After Stage 2, certification is issued within 4-8 weeks (assuming no major nonconformities or once they are resolved). Total elapsed time from project start to certificate: 9 to 18 months for most organisations.
Is ISO 27001 certification mandatory under NIS2?
No, ISO 27001 certification is not mandatory under NIS2. The Directive does not require any specific certification. However, NIS2 Recital 79 and Article 25 explicitly recognise ISO 27001 as a relevant standard for demonstrating compliance with Article 21 cybersecurity risk-management measures. In practice, many supervisory authorities treat ISO 27001 certification as strong evidence of NIS2 compliance for the security measures it covers. Certification does not cover all NIS2 obligations — incident reporting, management body accountability, and certain supply chain requirements go beyond ISO 27001 scope.
What is the difference between ISO 27001 certification and ISO 27001 compliance?
ISO 27001 compliance means your organisation has implemented an ISMS that meets the standard's requirements, but this has not been independently verified. ISO 27001 certification means an accredited, independent certification body has audited your ISMS and confirmed conformity through a formal two-stage audit process. Certification provides external credibility — customers, partners, and regulators can verify your certificate through the certification body's registry. Compliance without certification is a self-declaration that carries less weight in regulatory and procurement contexts.
Can we certify only part of our organisation?
Yes, ISO 27001 allows you to define the ISMS scope to cover specific parts of your organisation — for example, a particular business unit, product, or set of services. However, the scope must be clearly defined and justifiable. Auditors will scrutinise scope boundaries to ensure they do not artificially exclude high-risk areas. Any interfaces between the scoped ISMS and out-of-scope parts of the organisation must be managed as external dependencies. Starting with a narrower scope is a valid strategy for reducing initial implementation effort, but plan to expand the scope over subsequent certification cycles if your customers and regulators expect organisation-wide coverage.
Do we need ISO 27002 certification as well?
No. ISO 27002 is a guidance document — it provides implementation guidance for the controls referenced in ISO 27001 Annex A, but it is not a certifiable standard. You certify to ISO 27001; you use ISO 27002 as a reference for implementing the Annex A controls. There is no such thing as ISO 27002 certification.