ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 42001 Certification Process

Consilium Labs conducts independent, standards-based certification audits for information security, privacy information, and artificial intelligence management systems.

The certification process follows defined management-system certification requirements. It includes application review, audit planning, Stage 1 and Stage 2 audits, an independent certification decision, surveillance audits, and recertification.

Each organization is evaluated against the requirements of the applicable standard and the certification scope stated in its application. Audit duration, audit methods, required competence, site coverage, and sampling are determined from the specific characteristics of the engagement.

Which Certification Standards Does This Process Cover?

This process applies to certification engagements involving the following management-system standards:

ISO/IEC 27001

ISO/IEC 27001 specifies requirements for an Information Security Management System, commonly referred to as an ISMS.

An ISO/IEC 27001 certification audit evaluates whether the organization’s ISMS conforms to the standard within a defined certification scope. The audit may examine governance, information security risk assessment and treatment, the Statement of Applicability, operational controls, internal audits, management review, corrective action, and other applicable requirements.

ISO/IEC 27701

ISO/IEC 27701:2025 specifies requirements for a Privacy Information Management System, commonly referred to as a PIMS.

The 2025 edition is an independent management-system standard. An organization may pursue ISO/IEC 27701 certification separately or coordinate it with another certification engagement when the applicable requirements, scopes, and certification arrangements permit.

The audit evaluates the organization’s PIMS within its defined scope, including applicable responsibilities as a personally identifiable information controller or processor.

ISO/IEC 42001

ISO/IEC 42001 specifies requirements for an Artificial Intelligence Management System, commonly referred to as an AIMS.

An ISO/IEC 42001 certification audit evaluates the governance and management processes applied to the organization’s development, provision, or use of artificial intelligence systems within the defined scope.

Each standard remains a distinct certification program. The scope, audit criteria, findings, certification decision, and certificate remain specific to the applicable standard.

What Happens After an Organization Submits an Application?

The certification process begins with a formal application.

Consilium Labs reviews the information provided to determine the proposed certification scope and the requirements of the engagement. Additional information may be requested when necessary to complete the application review.

Application information may include:

  • The management-system standard being requested
  • The proposed certification scope
  • Products, services, processes, and technologies within scope
  • The number of employees and relevant contractors
  • Physical and virtual locations
  • Organizational structure
  • Outsourced processes
  • Cloud services and other external providers
  • Regulatory and contractual considerations
  • Existing certifications
  • Integrated management-system arrangements
  • Significant shifts, languages, or operational conditions

The application review also determines whether Consilium Labs has the competence, resources, and authority required to conduct the certification engagement.

When the application is accepted, Consilium Labs establishes the audit program and issues the applicable certification agreement.

How Is the Audit Program Established?

The audit program defines the activities expected throughout the certification cycle.

It considers the applicable standard, certification scope, management-system complexity, number of sites, workforce size, technologies, operational processes, outsourced activities, regulatory context, and other relevant factors.

The audit program ordinarily includes:

  1. Stage 1 audit
  2. Stage 2 audit
  3. Initial certification decision
  4. Surveillance audits during the certification cycle
  5. Recertification before the current certificate expires

The audit program may be revised when significant changes affect the organization, certification scope, locations, management system, or applicable requirements.

How Is the ISO Audit Timeline Determined?

There is no universal ISO certification duration.

Audit time is determined through the application review and applicable audit-duration requirements. Calendar time may also be affected by scheduling, site access, availability of personnel and evidence, the interval between Stage 1 and Stage 2, and the handling of any nonconformities.

Factors that may affect the ISO audit timeline include:

  • Number of employees
  • Number and type of locations
  • Certification scope
  • Complexity of products and services
  • Management-system maturity
  • Use of cloud and outsourced services
  • Regulatory requirements
  • Level of integration with other management systems
  • Remote, hybrid, or on-site audit methods
  • Number and classification of findings
  • Time required for the organization to submit correction and corrective-action evidence

Audit time and total calendar time are not the same. The formal proposal identifies the audit time allocated to the engagement after the application has been reviewed.

What Happens During the Stage 1 Audit?

Stage 1 establishes the basis for Stage 2.

The audit team reviews the organization’s documented management system and develops a clearer understanding of the certification scope, operating environment, processes, locations, applicable requirements, and level of implementation.

Stage 1 activities may include evaluation of:

  • The defined management-system scope
  • Organizational context
  • Interested-party requirements
  • Management-system policies and objectives
  • Risk assessment and treatment processes
  • Applicable statements, registers, plans, and documented procedures
  • Internal audit activities
  • Management review activities
  • Statutory, regulatory, and contractual requirements
  • Site-specific conditions
  • Operational processes and technologies
  • Allocation of audit time and competence for Stage 2

For ISO/IEC 27001, the review may include the information security risk assessment, risk treatment plan, Statement of Applicability, ISMS scope, internal audit records, and management review records.

For ISO/IEC 27701, the review may include the PIMS scope, PII controller and processor roles, privacy risk processes, records of processing activities, applicable privacy obligations, and relevant management-system documentation.

For ISO/IEC 42001, the review may include the AIMS scope, AI policy, AI risk processes, AI system inventories, impact assessment arrangements, roles and responsibilities, and applicable AI governance documentation.

Stage 1 conclusions are documented and communicated to the organization. Matters identified during Stage 1 may affect the Stage 2 plan and may become nonconformities if they remain present during Stage 2.

Completion of Stage 1 does not result in certification.

What Happens Between Stage 1 and Stage 2?

Consilium Labs evaluates the Stage 1 conclusions and determines whether the engagement can proceed to Stage 2 as scheduled.

The interval between the two stages considers the nature of the Stage 1 conclusions and any actions undertaken by the organization. The organization remains responsible for determining and implementing its own controls, processes, corrections, and corrective actions.

Consilium Labs does not design the management system, select controls for the organization, implement processes, or direct the organization’s corrective actions.

When changes made after Stage 1 materially affect the certification scope or audit plan, Consilium Labs may revise the Stage 2 arrangements.

What Happens During the Stage 2 Audit?

Stage 2 evaluates the implementation and effectiveness of the management system against the applicable certification criteria.

The audit begins with an opening meeting. The audit team then performs evidence-based audit activities within the approved scope.

Stage 2 may include:

  • Interviews with personnel
  • Review of documented information and records
  • Evaluation of processes and operational activities
  • Sampling of management-system evidence
  • Examination of internal audit and management review records
  • Evaluation of risk assessment and treatment activities
  • Examination of applicable controls
  • Review of corrective-action processes
  • Evaluation of monitoring and measurement activities
  • Review of regulatory and contractual considerations
  • Evaluation of processes across applicable sites and functions

Audit evidence is evaluated against the applicable standard and the organization’s documented management system.

The audit concludes with a closing meeting. The audit team presents the audit conclusions and identifies documented conformities and nonconformities.

A formal audit report is issued following the audit.

What Happens When Nonconformities Are Identified?

A nonconformity means that an applicable requirement has not been fulfilled.

Nonconformities are documented against the relevant audit criteria and classified according to applicable certification procedures. The classification reflects the nature, extent, and effect of the issue identified.

The organization is responsible for determining:

  • The immediate correction
  • The cause of the nonconformity
  • The corrective action
  • The evidence demonstrating implementation

Consilium Labs evaluates the submitted evidence. Depending on the classification and circumstances, verification may involve document review, additional interviews, further sampling, or a follow-up audit.

Consilium Labs determines whether the submitted correction and corrective-action evidence is acceptable. This evaluation does not include designing the organization’s controls or prescribing how the organization must address the finding.

The certification process does not proceed to a positive decision until applicable nonconformity requirements have been satisfied.

Does Completing Stage 2 Automatically Result in Certification?

No. Completion of Stage 2 does not automatically result in certification.

After the audit and applicable nonconformity activities are complete, the audit file proceeds to the certification decision process.

The certification decision is performed by competent personnel who were not members of the audit team. The decision function reviews the audit information, conclusions, scope, findings, and applicable evidence before determining whether certification may be granted.

When the decision is positive, Consilium Labs issues a certificate identifying the applicable:

  • Certified organization
  • Management-system standard
  • Certification scope
  • Certified locations, where relevant
  • Issue and expiry dates
  • Certificate identification information

When the decision is not positive, the organization is informed of the decision in accordance with applicable certification procedures.

When Are Surveillance Audits Conducted?

Surveillance audits are conducted during the certification cycle to evaluate continuing conformity with the applicable standard and approved certification scope.

The first surveillance audit is ordinarily conducted within 12 months of the initial certification decision. Further surveillance audits are conducted at least once during each calendar year, except during the recertification year, subject to applicable certification requirements.

A surveillance audit does not necessarily examine every management-system requirement during each individual audit. The surveillance program is structured so that relevant elements of the management system are evaluated across the certification cycle.

Surveillance activities may examine:

  • Internal audits and management review
  • Actions relating to previous nonconformities
  • Changes affecting the management system
  • Continued operational control
  • Monitoring and measurement
  • Complaints relevant to certification
  • Use of certification marks and claims
  • Continued conformity within the certified scope

The audit team issues documented conclusions following each surveillance audit.

Certification remains subject to continued conformity, completion of required surveillance activities, and compliance with the certification agreement.

What Is the Recertification Process?

Recertification occurs before the existing certificate expires.

The purpose of recertification is to evaluate the continued conformity and effectiveness of the management system as a whole. It also considers the continued relevance of the certification scope and the organization’s performance throughout the certification cycle.

The recertification audit may consider:

  • Previous certification and surveillance audit results
  • Changes to the organization and management system
  • Continued fulfillment of the applicable standard
  • Management-system effectiveness
  • Internal audit and management review results
  • Corrective actions
  • Continued relevance of the certification scope
  • Significant operational, technological, regulatory, or organizational changes

Nonconformities requiring closure before renewal must be addressed and verified within the applicable timeframe.

After the recertification audit and any required verification activities are complete, the audit file proceeds to an independent recertification decision.

A new certificate is issued when the decision is positive and all applicable requirements have been fulfilled.

Can an Organization Expand Its Certification Scope?

Yes. An organization may submit a formal request to expand its certification scope.

A scope expansion may involve:

  • New products or services
  • Additional business processes
  • New physical or virtual locations
  • Additional legal entities
  • New technologies
  • Expanded geographical coverage
  • Additional organizational functions

Consilium Labs reviews the requested change and determines the required audit activities. The evaluation may be conducted through a separate audit or in coordination with a scheduled surveillance or recertification audit.

The expanded scope is added to the certificate only after the required evaluation has been completed and a positive certification decision has been made.

Scope reductions, suspensions, restorations, and withdrawals are handled according to applicable certification procedures and the certification agreement.

Illustrative Certification Process Scenarios

The following scenarios are hypothetical. They demonstrate how organizational characteristics can affect certification planning and audit activities. They are not client case studies, guaranteed schedules, or representations of predetermined certification outcomes.

Technology Company With 50 Employees Pursuing Initial ISO/IEC 27001 Certification

Organization Profile

A B2B SaaS company has 50 employees working across software development, cloud operations, customer operations, sales, and corporate functions. Most personnel work remotely, and the platform operates through third-party cloud infrastructure.

Certification Scope

The proposed scope includes the development, operation, and management of the company’s SaaS platform and associated customer information.

Audit Considerations

The application review considers the distributed workforce, cloud architecture, outsourced providers, software-development processes, access management, incident management, supplier oversight, and the boundaries of the ISMS.

Stage 1 evaluates whether the scope and documented ISMS are sufficiently established for Stage 2. Stage 2 examines implementation through interviews, records, process sampling, and technical and organizational evidence.

Potential Process Outcome

When the audit activities are complete and applicable nonconformities have been satisfactorily addressed, the audit file proceeds to an independent certification decision.

Financial Services Company Expanding Its Scope to Cloud Services

Organization Profile

A financial services company already holds ISO/IEC 27001 certification for selected corporate systems. It introduces a new cloud-based customer platform that was not included in the original certification scope.

Certification Request

The company submits a formal application to add the cloud platform, related personnel, suppliers, processes, and technology components to the certified scope.

Audit Considerations

Consilium Labs reviews the scope change and determines the additional audit activities. The audit may examine cloud governance, access controls, development practices, data flows, external providers, incident processes, and connections to the existing ISMS.

Potential Process Outcome

The certificate is amended only when the additional audit activities are complete and the independent certification decision confirms conformity for the expanded scope.

Manufacturing Company Entering Recertification After Significant System Changes

Organization Profile

A manufacturing organization replaces its enterprise resource planning platform, modifies its plant network, and centralizes several information-security functions during the certification cycle.

Recertification Considerations

The recertification audit evaluates the management system as a whole and considers how the organization incorporated the changes into its certified ISMS.

The audit may examine revised risk assessments, system boundaries, access controls, supplier relationships, operational technology interfaces, internal audit results, and management review records.

Potential Process Outcome

Renewal depends on completion of the recertification audit, verification of applicable nonconformity evidence, and a positive independent certification decision before the existing certification expires.

Healthcare Organization With Stage 2 Privacy Nonconformities

Organization Profile

A healthcare technology organization pursues ISO/IEC 27701 certification for a PIMS covering the processing of patient and provider information.

Illustrative Findings

During Stage 2, an auditor could identify that a required privacy review was not performed at the frequency stated in the organization’s documented process. The auditor could also find that records demonstrating completion of a required privacy activity were incomplete.

Nonconformity Process

The findings are documented against the applicable criteria. The organization determines the corrections, causes, corrective actions, and evidence of implementation.

Consilium Labs evaluates the evidence and determines whether further verification is required.

Potential Process Outcome

The audit file proceeds to the certification decision only after applicable nonconformity requirements have been fulfilled.

Multi-Site Organization Pursuing ISO/IEC 42001 Certification

Organization Profile

An AI-enabled platform company operates through a corporate headquarters, a development center, and multiple operational locations. AI systems are developed by one team and deployed across several business functions.

Certification Scope

The proposed AIMS scope includes AI development, model evaluation, deployment governance, monitoring, third-party AI services, and selected operational uses.

Audit Considerations

The audit program considers centralized and site-specific processes, allocation of responsibilities, AI system inventories, risk and impact assessment activities, data governance, human oversight, monitoring, and external providers.

Site coverage and audit methods are determined according to the applicable certification requirements and the organization’s operating model.

Potential Process Outcome

Each location and process included on the certificate must fall within the evaluated certification scope. Certification is granted only after completion of the required audits and a positive independent decision.

Frequently Asked Questions About the ISO Certification Process

How long does the entire ISO certification process take?

There is no fixed duration that applies to every organization. The ISO audit timeline depends on the certification scope, workforce, sites, management-system complexity, audit time, scheduling, Stage 1 conclusions, and any nonconformities identified during Stage 2.

Consilium Labs determines audit time after reviewing the formal application. The resulting proposal states the audit time allocated to the engagement.

How are certification audit fees determined?

Certification audit fees are based on the defined engagement requirements and audit time. They are not determined solely by the standard being audited.

Relevant factors can include organization size, scope, number of sites, technical complexity, audit methods, required auditor competence, travel requirements, and certification-cycle activities.

What documentation is typically reviewed during Stage 1?

Stage 1 ordinarily includes review of the defined scope, management-system policies, risk processes, objectives, internal audit records, management review records, and other documented information required by the applicable standard.

The exact documentation varies among ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 42001 and depends on the approved certification scope.

What happens when a nonconformity is identified during Stage 2?

The nonconformity is documented against the applicable audit criteria. The organization then determines and submits its correction, cause analysis, corrective action, and evidence of implementation.

Consilium Labs evaluates the submitted evidence and determines whether additional verification is required. Certification cannot be granted until the applicable requirements for the nonconformity have been fulfilled.

How often are surveillance audits required?

Surveillance audits are conducted at least once during each calendar year of the certification cycle, except during the recertification year. The first surveillance audit is ordinarily completed within 12 months of the initial certification decision.

The exact surveillance schedule is established in the audit program.

How long is an ISO management-system certificate valid?

A management-system certificate ordinarily operates within a three-year certification cycle. Its continued validity is subject to surveillance audits, continued conformity, and compliance with the certification agreement.

Recertification must be completed within the applicable timeframe before a new certificate can be issued.

Can certification audits be conducted remotely?

Audit activities may be conducted on-site, remotely, or through a combination of methods when permitted by the applicable requirements.

The selected audit methods depend on the certification scope, processes, technologies, locations, risks, accessibility of evidence, and the objectives of the audit.

Can an organization add sites or services after certification?

Yes. The organization must submit a formal scope-expansion request.

Consilium Labs evaluates the requested additions and determines the audit activities required before the sites, services, processes, or entities can be added to the certificate.

Can ISO/IEC 27701 certification be pursued independently?

Yes. ISO/IEC 27701:2025 is an independent management-system standard for privacy information management systems.

An organization may pursue it separately or coordinate the audit schedule with another management-system certification where applicable. Each certification retains its own criteria, scope, findings, decision, and certificate.

Can ISO/IEC 27001 and ISO/IEC 42001 audits be coordinated?

Audit schedules may be coordinated when the organization’s management systems, scope, and applicable certification arrangements permit.

Coordination does not merge the standards into a single certification outcome. ISO/IEC 27001 and ISO/IEC 42001 remain separate certification programs with distinct audit criteria, findings, decisions, and certificates.

What happens if the organization changes significantly after certification?

The organization must inform Consilium Labs of changes that may affect the certified management system or certification scope.

Consilium Labs evaluates the information and determines whether changes to the audit program or additional audit activities are required.

Is certification guaranteed after the audit?

No. Certification is never predetermined.

Certification depends on completion of the required audit activities, resolution and verification of applicable nonconformities, and a positive decision by competent personnel independent of the audit team.

Begin an Independent Certification Engagement

Consilium Labs conducts objective, evidence-based certification audits for ISO/IEC 27001, ISO/IEC 27701, and ISO/IEC 42001.

Schedule an introductory certification discussion with Consilium Labs.

GET YOUR QUOTE NOW