ISO 27001 Certification Journey: What Nobody Tells You About the Audit
What three completed ISO 27001 certifications taught us about the real timeline, the scope decision, the Annex A controls that trip up first-time projects, what auditors actually do during Stage 1 and Stage 2, and the post-certification operating cost nobody budgets.
ISO 27001 certification is sold as a 6-month project. Three actual certifications in, the honest timeline is 9-14 months for the first attempt, and the auditor will spend their day looking at things that are not in the consultancy slide deck.
This is the practitioner write-up from three completed ISO 27001 certification projects — one Maltese FinTech, one EU corporate services firm, one regulated software vendor. What the project plan said, what actually happened, what we got blindsided by, and what we now do differently for the fourth.
The lie the consulting deck tells you
"You can certify in six months." Strictly true if you start from a mature security posture, have full-time dedicated effort, and pick a friendly accredited certification body. For a 200-seat company starting from "we have some MFA and an Acceptable Use Policy", the realistic timeline:
| Phase | Months | What actually happens |
|---|---|---|
| Gap analysis + scope definition | 1-2 | Honest enough surface scan against 114 Annex A controls + 11 clause requirements |
| ISMS framework build | 2-3 | Statement of Applicability, risk assessment methodology, policy library |
| Control implementation | 3-6 | The actual technical + organisational work — slowest phase |
| Internal audit + management review | 1 | Required by Clause 9 before Stage 1 |
| Stage 1 audit | 0.5 | Document review by the certification body |
| Remediation gap | 1-3 | The findings the consultant did not anticipate |
| Stage 2 audit | 0.5-1 | The on-site / detailed audit |
| Certificate issuance | 1-2 | Including any non-conformity closure |
Round numbers: 9-14 months for a competent first-time effort. The 6-month claim assumes everything goes right and the team can drop every other priority. We have not seen this scenario in production.
The scope decision that determines everything
The first non-trivial decision: what is in scope. ISO 27001 is certified for a defined scope, not "the whole company". The scope statement appears on your certificate and gets read by every prospective customer.
The three scope patterns
- Whole organisation. Maximum credibility, maximum implementation burden. Default for product companies whose entire business is the product.
- Specific business line / product. The "SaaS platform X" scope. Lower burden, common for diversified companies with one regulated product line.
- Specific function / location. "IT operations supporting the Malta office." Narrow, audit-friendly, sometimes a stepping stone.
The narrow scope is tempting (faster to certify) but is read by sophisticated buyers as "they certified the easy part". For software vendors selling into regulated industries, a narrow scope is often worth less than no certification at all because of how it reads to procurement teams.
The boundary problem
Whatever scope you choose, you have to define the boundary. Where does the certified ISMS end and the rest of the company begin? In practice this means:
- Defined list of in-scope employees (by role, not by name)
- Defined list of in-scope assets (systems, applications, data, physical locations)
- Defined list of in-scope processes (and how they interact with out-of-scope processes)
- Defined interfaces where in-scope and out-of-scope meet (audit attention concentrates here)
The boundary is the auditor's primary tool for testing the certification's integrity. A scope statement that says "our SaaS platform" but where the SaaS platform shares infrastructure with non-certified products creates immediate audit friction.
The Annex A controls reality (the 2022 revision)
ISO 27001:2022 restructured Annex A from the previous 114 controls into 93 controls, grouped into four themes: Organisational (37), People (8), Physical (14), Technological (34). The new structure is cleaner; the implementation reality is not noticeably different.
The controls that consistently trip up first-time certifications
Across our three projects, the same Annex A controls produced findings or significant audit attention:
- A.5.7 Threat intelligence. Most SMBs do not have a formal threat-intelligence programme. The control does not require a 24/7 threat hunter — it requires structured awareness of relevant threats, applied to risk assessment. We default to: monthly review of CISA / ENISA / NCSC advisories + sector-specific feeds, documented in a register, with named owner.
- A.5.23 Information security for use of cloud services. The auditor will read your cloud-services policy against your actual cloud configuration. Discrepancies (policy says "regions allow-listed to EU" but your AWS account has resources in us-east-1) become findings.
- A.5.30 ICT readiness for business continuity. The BIA + RPO/RTO + tested recovery requirements. We have not seen a first-time certification clear this without remediation effort.
- A.6.3 Information security awareness, education and training. Annual training is not enough. The auditor expects role-specific training for high-risk roles, phishing simulation programmes, measurable improvement over time.
- A.8.9 Configuration management. Baseline configurations documented, drift detected. CSPM tooling helps but does not satisfy the requirement on its own — the auditor wants to see process, not just tooling.
- A.8.28 Secure coding. For software vendors. Static analysis, dependency scanning, security training for developers, code review with security checklist. Each item is small; collectively they catch first-time efforts.
- A.5.19 Information security in supplier relationships. The supplier register, the contractual requirements, the ongoing monitoring. Familiar from NIS2 and DORA.
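The A.5.23 and A.8.9 discrepancy checks described above, made repeatable as an added example (not code from the original write-up or from any of the three projects): a constructed policy fragment is compared against a constructed resource inventory, and every gap is reported against the control it maps to. Region names, resource ids and baseline keys are assumed for illustration.

```python
"""Policy-vs-configuration check for A.5.23 / A.8.9 (constructed example).

The policy document is the control's design; the inventory is what the cloud
account actually contains. The auditor compares the two, so run the same
comparison before Stage 2 rather than discovering the gap during it.
"""
from dataclasses import dataclass

# Constructed policy fragment, not a real tenant's document.
POLICY = {
    "allowed_regions": {"eu-west-1", "eu-central-1"},            # A.5.23
    "baseline": {                                                # A.8.9
        "ec2_instance": {"root_volume_encrypted": True, "imdsv2_required": True},
        "s3_bucket": {"public_access_blocked": True, "default_encryption": True},
    },
}

# Constructed inventory, the shape an account export or CSPM tool produces.
INVENTORY = [
    {"id": "i-0a1", "type": "ec2_instance", "region": "eu-west-1",
     "config": {"root_volume_encrypted": True, "imdsv2_required": False}},
    {"id": "bkt-logs", "type": "s3_bucket", "region": "us-east-1",
     "config": {"public_access_blocked": True, "default_encryption": True}},
    {"id": "bkt-export", "type": "s3_bucket", "region": "eu-central-1",
     "config": {"public_access_blocked": False, "default_encryption": True}},
]

@dataclass(frozen=True)
class Finding:
    control: str   # Annex A control the discrepancy maps to
    resource: str
    detail: str

def check_cloud_policy(policy, inventory):
    """Return one Finding per discrepancy between the policy and the inventory."""
    findings = []
    for res in inventory:
        if res["region"] not in policy["allowed_regions"]:
            findings.append(Finding("A.5.23", res["id"],
                f"deployed in {res['region']}, policy allows {sorted(policy['allowed_regions'])}"))
        baseline = policy["baseline"].get(res["type"])
        if baseline is None:
            # A resource type with no documented baseline is itself an A.8.9 gap.
            findings.append(Finding("A.8.9", res["id"], f"no baseline documented for {res['type']}"))
            continue
        for key, expected in baseline.items():
            actual = res["config"].get(key)
            if actual != expected:
                findings.append(Finding("A.8.9", res["id"], f"{key}={actual!r}, baseline requires {expected!r}"))
    return findings

if __name__ == "__main__":
    for f in check_cloud_policy(POLICY, INVENTORY):
        print(f"{f.control:8} {f.resource:12} {f.detail}")
```

Feed it the real policy and a real export and the output is the list of discrepancies to fix or to justify in the SoA before the auditor finds them.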
The 11 clause requirements (the "shall" requirements)
Beyond Annex A, the 11 clauses of the main standard contain ~150 "shall" requirements. These are the non-negotiable management-system pieces. The ones that draw the most audit attention:
- Clause 4: Context of the organisation — written, dated, reviewed
- Clause 6.1.2: Information security risk assessment — methodology documented, applied, traceable to risk treatment decisions
- Clause 6.1.3: Information security risk treatment — Statement of Applicability completed, justifications recorded
- Clause 7.5: Documented information — version control, access control, retention
- Clause 9.1: Monitoring, measurement, analysis and evaluation — measurable indicators tracked
- Clause 9.2: Internal audit — performed by independent auditor, evidence retained
- Clause 9.3: Management review — board / executive review at planned intervals, documented
- Clause 10.1: Nonconformity and corrective action — process working, evidenced through corrective actions taken
What auditors actually do during the audits
Stage 1: Document review
Half-day to two days. The auditor reads your documentation and verifies the management system exists on paper. They will pull:
- Scope statement + Statement of Applicability
- Information security policy + supporting policies
- Risk assessment methodology + most recent risk assessment + risk treatment plan
- Internal audit report + management review minutes
- Awareness training records + simulated phishing results
- Supplier register + contractual evidence for top suppliers
- Incident register + 2-3 closed incident records
- Asset inventory + classification scheme application
The findings at Stage 1 are usually "your management review evidence is thin" or "the SoA justifications are weak". Both are fixable in weeks.
Stage 2: On-site (or remote) audit
2-5 days depending on scope. The auditor samples controls and tests them against the documented design. The pattern:
- Interview employees. The auditor walks the floor (or the equivalent in a remote setting) and asks people their job-related security responsibilities. If an HR analyst cannot articulate the data classification scheme that applies to their data, this is a finding.
- Test technical controls. They will ask to see access reviews, conditional access policies, encryption status, vulnerability scan results, change records. Be ready to demonstrate, not describe.
- Trace incidents end-to-end. Pick a closed incident from the register. Show me the detection. Show me the triage. Show me the containment. Show me the post-mortem. Show me the corrective action. If any link in the chain is missing, that is a finding.
- Trace a corrective action. Pick a nonconformity from your internal audit. Show me the root cause analysis. Show me the corrective action plan. Show me the evidence the action was effective. Show me the verification.
The audit is sampling-based. The auditor picks 3-5 employees, 3-5 incidents, 3-5 corrective actions. The sample size is small but the rigour per sample is high. If the random pick exposes a process gap, the finding generalises.
The findings we have actually received
From the three completed projects, anonymised:
- Project 1 — Maltese FinTech, Stage 2: 2 minor non-conformities. (1) Internal audit was conducted but the auditor's independence from the audited area was not adequately documented. (2) Supplier risk assessment did not include cloud provider sub-processors.
- Project 2 — EU corporate services, Stage 2: 1 major non-conformity, 3 minor. Major: change-management process did not include a security impact assessment step (Annex A.8.32). Minor: training records lacked role-specific evidence; phishing simulation results not analysed for trend; key management procedure was generic.
- Project 3 — Software vendor, Stage 2: 4 minor non-conformities. (1) Configuration baseline not documented for development environments. (2) Secure-coding training had been delivered but evidence of effectiveness measurement was absent. (3) Cryptographic controls inventory was outdated. (4) Supplier monitoring was reactive (annual questionnaire) not proactive.
The pattern: findings concentrate in the "did you do the documentation rigorously" category, not the "did you implement the control" category. Most teams implement controls; fewer teams document them to the auditor's satisfaction.
The cost actually paid
Three projects, broken down:
| Line | Maltese FinTech (200 seats) | EU corporate services (350 seats) | Software vendor (90 seats) |
|---|---|---|---|
| External consulting | €55,000 | €85,000 | €38,000 |
| Internal effort (estimated) | €70,000 | €120,000 | €45,000 |
| Tooling (SIEM, vulnerability mgmt, awareness) | €32,000 | €48,000 | €18,000 |
| Certification body fees | €18,000 | €28,000 | €12,000 |
| Year 1 total | €175,000 | €281,000 | €113,000 |
| Annual recertification + surveillance | €22,000 | €38,000 | €14,000 |
The "internal effort" line is the one most business cases under-count. The CISO, IT lead, HR, Legal, and product engineering all contribute material time. Track it from day one or the project budget vs reality conversation gets awkward at month 9.
Choosing the certification body
Six factors that matter when picking the certification body:
- Accreditation by your jurisdiction's accreditation body (UKAS in the UK, DAkkS in Germany, NA in Malta, etc.). A certificate from a non-accredited body is worth less than no certificate at all for sophisticated buyers.
- Recognition by your prospective customers. Bureau Veritas, BSI, DNV, SGS, TÜV are universally recognised. Smaller bodies may produce equally valid certificates that are less recognisable on a customer questionnaire.
- Sector experience. Auditors with experience in your sector ask better questions and produce findings that are useful, not just compliant.
- Auditor availability + scheduling. Some bodies are 4-6 months out for Stage 2 scheduling. Plan accordingly.
- Cost. Real range €12k-€30k for Stage 1 + Stage 2 of a 200-seat scope. Recertification + surveillance audits are smaller annually.
- Audit style. Some auditors are findings-heavy (every imperfection becomes a non-conformity). Some are coaching-style (similar findings appear as "observations"). The latter produces fewer formal non-conformities and a more useful audit experience.
The post-certification operating reality
The certificate is valid for 3 years. Surveillance audits happen annually (smaller, focused). Recertification audit at year 3 (similar scope to initial). The expectation is continuous improvement, not steady state.
The operating discipline that maintains the certification:
- Quarterly ISMS review with documented outputs
- Annual internal audit by an independent auditor
- Annual management review by the executive team
- Ongoing risk-register maintenance
- Documented response to every reported incident
- Annual policy review + version control
- Quarterly supplier register refresh
- Continuous training programme with measurable outcomes
This is the cost of holding the certification, not just getting it. Most companies budget the certification project but underestimate the ongoing operating burden. Plan 0.3-0.5 FTE-equivalent dedicated to ISMS operations after certification.
When ISO 27001 is worth it (and when it is not)
Honest assessment:
Worth it if:
- Your customers are starting to ask for it in procurement (the most common driver)
- You sell into regulated industries (financial services, healthcare, public sector)
- You are positioning for enterprise contracts where it is table stakes
- Your competitors have it and you do not
- You operate in jurisdictions where it is becoming an implicit requirement (e.g., post-NIS2 regulated entities)
Not worth it if:
- Your customers are SMBs who do not ask for it
- You are a pre-revenue startup spending more on certification than on product
- You are not committed to the operating discipline (the certification will lapse and the failed renewal is worse than no certification)
- You think it is a one-time project rather than a 3-year programme
What we would do differently for the fourth project
Three concrete changes from lessons learned:
- Start the supplier register on day one, not month four. The 30-90 day round-trip on supplier questionnaires is the most consistent timeline blocker.
- Run a mock internal audit 2 months before Stage 2. Independent of the consultant. Catches the documentation gaps that always exist.
- Allocate explicit time for the post-Stage-1 remediation gap. The 1-3 months between Stage 1 and Stage 2 are not "buffer" — they are dedicated remediation time that requires resourcing.
The one paragraph version
ISO 27001 certification is a 9-14 month effort for a first-time SMB, not the 6 months the consulting deck claims. The scope decision shapes everything: whole-company is most credible, narrow-scope is fastest. Annex A:2022 has 93 controls; the same 7 consistently trip up first-time certifications (threat intelligence, cloud-services policy, ICT BC, training, configuration management, secure coding, supplier security). Audits are sampling-based but rigorous per sample. Findings concentrate in documentation, not implementation. Year-1 cost runs €110k-€280k including internal effort; ongoing operating cost is 0.3-0.5 FTE. The certificate is worth it for B2B vendors selling into procurement-driven sales; it is not worth it for the operating discipline alone.
If you want a scoped diagnostic — gap analysis against Annex A:2022, scope-decision support, 12-month implementation roadmap — that is the engagement shape. We deliver it under our Microsoft 365 Defender + Azure Cloud Infrastructure services for the technical baseline, plus our FinOps & Cost Management service for the supplier register / cost discipline piece. The free Bloodbath Scan includes a partial ISO 27001 readiness snapshot — start there if you want a quick orientation.