Cherry Bekaert provides information assurance services that include readiness reviews, gap and benchmarking assessments, end-to-end implementation advisory, and formal third-party audits with scheme-specific attestations across a wide range of frameworks, including ISO, SOC reporting, HITRUST and CMMC. Our services are designed to guide clients from foundational stages to advanced maturity, meeting organizations at their starting point and methodically advancing their programs while strengthening customer trust in their roles as critical vendors and service providers.
The below frequently asked questions (FAQs) have been collected by our consultants in response to client feedback to address some of the nuances of these standards published by the International Organization for Standardization (ISO) and common pitfalls encountered when first establishing these management systems.
What Steps Must a Company Take Before an ISO Audit?
To become eligible for ISO certification, an organization must implement a management system (i.e., governance program) that meets the requirements of the specific International Standard.
For example, ISO 27001 certification requires an organization to establish, implement, maintain and continuously improve an Information Security Management System (ISMS). These activities include documenting scope, roles and responsibilities, risk management procedures, risk analysis and treatment, internal audit, management review, and, of course, the implementation of up to 93 applicable controls outlined in Annex A of this International Standard. If these steps feel overwhelming or come off as too "ISO speak" heavy, reach out to our services team, and we will simplify them into manageable steps.
Unlike SOC reporting, where an examination might cover either a point-in-time (Type 1) or a period of time (Type 2), such as a three-month, six-month, nine-month or 12-month period, accredited certifications issued against ISO standards are always referenced by an as-of date, which is more akin to a Type 1 report.
In short, an organization can complete the implementation and internal testing of its ISMS yesterday and be ready for a certification audit today — the ISMS does not have to be operating for a minimum period prior to the certification audit.
What Is the ISO Certification Process?
When your organization has completed its first management review cycle, which includes an initial risk assessment, risk treatment utilizing the embedded controls, a second-party internal audit, and a review of these outputs by leadership, it is ready to begin a third-party audit conducted by an accredited certification body.
To initiate the certification audit, the organization must apply for certification and execute a certificate agreement with the certification body prior to the initial audit. The initial audit will be divided into two phases: the Stage 1 Certification Audit and the Stage 2 Certification Audit.
Stage 1 Certification Audit
The Stage 1 Certification Audit tests the design of the management system with the objective of determining the organization's preparedness to progress to the Stage 2 Certification Audit. During this stage, the auditor seeks to understand the risk landscape of the proposed scope to develop relevant audit trails for inquiry and inspection during the Stage 2 Certification Audit procedures.
This first stage is typically completed over one to two business days, including live walkthrough meetings between the auditor and the Governance, Risk, and Compliance (GRC) function within the organization. Since the Stage 1 Certification Audit focuses on design checks, it does not produce negative findings. Instead, it generates feedback in the form of Areas of Concern (AOC), which are documented in an audit report and followed up on by the audit team during the next stage.
Stage 2 Certification Audit
The Stage 2 Certification Audit is the formal conformity audit where the audit team tests both the design and operating effectiveness of the processes and controls implemented according to the requirements of the in-scope International Standard.
During this stage, the audit team will expand its participants beyond the GRC function to include peer functions such as engineering, product development, IT, human resources, facilities and selected leadership personnel to ensure awareness of the management system activities throughout the organization and across alternate departments. Depending on the proposed scope of certification, the organization may need to facilitate onsite assessments with the audit team. In the case of multi-site scopes, a sampling of certificate locations may also need to undergo onsite reviews.
Negative findings identified during the Stage 2 Certification Audit are documented as nonconformities, classified as either major or minor based on the organization-specific root cause analysis and the impact of the nonconformity on the management system's ability to achieve its intended objectives. Minor nonconformities require the implementation of a short-term correction prior to a certification decision. In contrast, major nonconformities necessitate both a short-term correction for the specific issue and the implementation of a safeguard or corrective action to prevent recurrence in the long term.
At the conclusion of the Stage 2 Certification Audit, once all required corrections and applicable corrective actions are implemented and evidenced to the audit team, the audit report can be submitted to an internal committee at the certification body for a final decision on the scope. If confirmed by this internal committee, the organization is awarded certification.
How Long Does It Take To Become ISO Certified Once the Audit Is Initiated?
The initial audit consists of a Stage 1 Certification Audit (one to two business days) and a Stage 2 Certification Audit. The duration of the Stage 2 Certification Audit varies based on the proposed scope of certification. Organizations may also choose to extend the typical two- to three-week break between the two phases to as long as 60 days.
Generally, the evidence review and live walkthroughs associated with the Stage 2 Certification Audit are completed within one calendar week. However, this timeframe may be extended due to factors such as multiple in-scope products, participants residing in different global time zones, a large number of affected staff, or the audit scope being multi-site, which requires planning for several onsite visits to evaluate a representative sample of certificate locations.
For most scopes, we advise clients to schedule the start of the Stage 1 Certification Audit at least 60 calendar days before the target certificate issuance date. This planning also accounts for any additional time needed to address issues identified as nonconformities during the Stage 2 Certification Audit.
All timeframe estimates are contingent on the availability of the certification body to schedule the required audits. We recommend engaging with a certification body while finalizing your implementation procedures to facilitate early discussions about anticipated timelines. Some certification bodies may have limited availability, which can delay new clients by six weeks to as long as six months after contracting.
How Long Does ISO Certification Remain Valid?
In short, ISO certificates are valid for a period of three years.
Once certified, the certificate will detail several key dates, including:
1. The original registration date (i.e., the date of initial issuance)
2. The date of the most recent decision (which in year one aligns with the registration date and is updated after each subsequent surveillance or recertification audit, as required)
3. An expiration date, set to three years minus one day from the initial issuance date or, for scopes older than three years, from the most recent re-issuance date
For any certified scope, the agreement between the certified organization and the certification body requires annual monitoring assessments, known as surveillance audits, followed by a recertification audit before the expiration date. The first surveillance audit is due before the one-year anniversary of the initial audit.
Each surveillance and recertification audit is conducted within a single stage and results in a continuance or re-issuance decision, as communicated by the certification body. During these monitoring audits, the organization may also choose to amend or update the original scope statement to include new products, additional sites, or new certifications gained through mergers or acquisitions.
What Are the Benefits of ISO 27001 Certification?
While SOC 2 reports are widely recognized in the United States and Canada, ISO 27001 certification is regarded internationally as the leading assurance standard for assessing information security risks in suppliers. A common recommendation in security compliance is that if your organization frequently transacts with businesses outside North America, ISO 27001 should be considered as part of your governance program.
Although ISO 27001 requirements are adaptable to the specific risk level of the scope, their appeal lies in the flexibility and broad applicability of their controls, which extend across nearly every department — human resources, IT, engineering, legal and even facilities.
ISO 27001 is commonly viewed as an ideal starting point for organizations drafting their first policies. Yet it also offers a depth that makes it applicable for businesses of any size, from small local shops to the largest multinational enterprises.
We also value the fact that ISO 27001 certification results in a tangible certificate that showcases compliance in a way that supports security due diligence without revealing vulnerabilities. As a result, ISO certificates are often made public to customers and displayed through online trust centers.
What Is the Cost of ISO Certification?
Implementation advisory fees for initially establishing a management system based on one or more of these ISO-authored International Standards vary depending on the specific requested services. At Cherry Bekaert, we can support your organization at any starting point, accommodating your progress to date, budget and timeline. Our experience spans building complete management systems from the ground up, conducting risk assessments and internal audits, and providing external audit support to guide your team through the impartial certification body audit.
For the official certification audit, fees depend on the chosen ISO standards, management system headcount, the number of in-scope products or services, and the total number of certificate locations.
How Frequently Are ISO Standards Revised?
ISO standards are reviewed at least once every five years, though these reviews do not always result in a new major revision. If a review concludes that a revision is necessary, a working group is appointed, and a draft of the normative text undergoes a thorough, multi-stage review process with several levels of approval before publication.
The most recent revision of ISO 27001 was released in 2022, replacing the previous 2013 version. Between major revisions, ISO may also issue amendments or corrigenda to an International Standard, which could include additional requirements, expanded descriptions or changes to requirements (e.g., replacing “should” with “shall” to indicate a mandatory action).
When a new revision is published, a transition timeline is communicated. For the current ISO 27001 update, the International Accreditation Forum, Inc. established a 36-month transition period, with key milestones for migrating from the 2013 version beginning on April 30, 2024, and the final date for certification under the previous revision set for October 31, 2025.
How Cherry Bekaert Can Help
For more information on ISO certification, SOC reporting, or questions regarding having a gap analysis conducted, please contact Cherry Bekaert’s Information Assurance & Cybersecurity practice. Learn how we can enhance your organization’s credibility and trust with customers, strategic partners and stakeholders by demonstrating compliance with industry standards and best practices. Our experienced team helps identify areas for improvement, mitigates risks, establishes regulatory compliance, and ultimately strengthens your company's reputation and competitive position in the market.
Cherry Bekaert has partnered with Mastermind, a certification body that employs only full-time Lead Auditors residing within the United States and holds notable distinctions, including issuing the world’s first ISO 42001 certification for AI systems. Mastermind maintains an accreditation scope for each of these ISO standards, as registered with the International Accreditation Service.