ISO 27001 Registrar Resource Center
Free Registrar Quotations
- Click the red ‘Get Started’ Button
- Complete Form
- Choose acceptable travel distance, or Virtual
- The certification form is automatically sent to our team, and we get to work finding the best three options for you.
- You will receive a copy of your submittal, and we retain one for our records.
- You will receive your quotation options within 72 hours so you may select the registrar that will best fit your unique requirements.
ISO 27001 Registrar Basics
Generally, when you sign a contract with a Registrar, it will include the Registration Audit and Surveillance Audits. The Registration Audit is the initial audit that will be done to see if you will achieve ISO 27001 certification. Once you are approved, your certificate will be valid for three years (See typical Registration Process below).
After you have your certification, the registrar will come back every 6 months or every year for a Surveillance Audit to see if you are maintaining your system and continuing to meet the requirements of the standard. ISO 27001 registrars vary in their approach, so you will want to find out details from each registrar you are interested in.
Your certificate will be valid for 3 years. After that period your registrar will be required to do another Registration Audit to renew your certification.
Most registrars are now offering virtual audits, provided you meet certain criteria. A remote audit can save time and reduce travel costs of the registrar, so be sure to ask if your organization meets the criteria for a virtual audit.
When to Select a Registrar
Organizations often wait until they feel their ISMS is running smoothly before they select an ISO 27001 registrar. However, we recommend choosing them earlier in the process. Why?
- This assures that you can find one who is able to meet your timeframe.
- The advantage of interviewing them early is that they will ultimately be the ones who will evaluate your ISMS. A registrar CANNOT consult for a company that it audits, but it can explain (based on its experience) how it intends to audit your organization. So, if you choose them earlier in the process, you can ask them questions along the way. It’s like asking the teacher what you’re going to be tested on. This can be important because much is up to the individual’s discretion (like a referee in a sporting event) and you’d be wise to consider it.
ISO Registration or Certification Process
ISO 27001 requires each organization to complete internal audits of its ISMS to confirm that the processes are being managed correctly. In other words, the audits confirm that the organization is fully in control of its activities and meets all requirements of ISO/IEC 27001:2022, along with customer, statutory, and regulatory requirements.
To achieve certification, an organization must hire an independent certification body, known as a registrar, to obtain an ISO 27001 certificate of conformity.
Each Registrar, or certification body (CB), may have questions about your application. You may also have questions for the Registrars.
We’ve provided a free Registrar Questionnaire Checklist to help you interview your registrars.
Review the Registrar’s proposal to ensure it meets your requirements. Remember, YOU are the customer in this situation and have a choice in which Registrar you choose – this is not like a government inspector where you only have one choice. You should ensure that it meets all of your requirements:
- Technical Requirements – Do they understand your business?
- Commercial Requirements – Can the ISO 27001 registrar meet your timing?
Confirm Application and Schedule
You will enter into a three (3) year contract with the ISO 27001 registrar which outlines the obligations, liability, confidentiality and access rights. The schedule is as follows:
- Year 1 – Complete Registration Audit
- Years 2 & 3 – Surveillance Audits – usually do not include documentation review
You will start over with a complete Audit in year 4 with this, or another, Registrar.
1st Stage Assessment
After your quality system has been implemented, the registrar conducts a stage 1 audit to assess your documentation and verify key practices are in place. This includes internal audits, management reviews, and tracking performance. If you successfully pass this audit without any major issues, the ISO 27001 registrar will confirm your readiness for the full audit. (Learn more about the 2-Stage Registration Audit.)
The Initial Certification Audit
The assessment process for achieving certification consists of a two stage Initial Certification Audit:
Stage 1 – The purpose of this visit is to confirm the readiness of the organization for a full assessment. The auditor will:
- Check that the documented information conforms to the requirements of ISO 27001:2022
- Confirm its implementation status
- Confirm the scope of certification
- Review legislative compliance
- Generate a report that identifies any non-compliance or possibilities for non-compliance and agree to a corrective action plan if required.
- Generate an assessment plan and confirm a date for stage 2 audit in your company
During the Stage 1 audit, only a few employees will be interviewed. If there are no significant problems, the stage two audit will normally proceed in one or two months.
Certification Assessment (Stage 2 Audit)
One or two months after an effective stage 1 audit, the certification body (CB) will return to audit the entire system. They will look for conformity to customer, legal, and executive requirements, as well as to the requirements of the ISO 27001:2022 standard.
The audit duration will depend on the size of the organization, the number of sites, and the complexity of the processes included in the system. The number of days for the audit is based on ISO 17021. (See how to calculate number of audit days for your organization). For example, a small company with 10 or fewer employees might get an audit of only two days. For a company of 20 employees, the duration would rise to three days.
If the organization receives no major nonconformities during the stage two audit, the audit team will recommend certification based on your compliance with an acceptable corrective action plan for any stated minor nonconformities.
If one or more major nonconformities are found, the certification body (CB) either conducts a special visit in a month or two to confirm the major issues have been resolved by use of the PDCA method, or they conduct another full certification audit when the organization says the major nonconformities have been corrected.
Stage 2 – The purpose of this visit is to confirm that the quality management system fully conforms to the requirements of ISO 27001:2013 in practice. The auditor will:
- Complete sample audits of the processes and activities defined in the scope of assessment
- Record how the system complies with the standard
- Record how the system complies with the organization’s documented information
- Report any non-conformances or potential for non-conformance
- Produce a surveillance plan and confirm a date for the first surveillance visit
During the Stage 2 audit, several employees will be interviewed. If the auditor identifies any major non-conformance, the organization cannot be certified until corrective action is taken and verified. This means the auditor has to come back out for an on-site verification visit.
If there are no major non-conformances, then the certificate is typically sent out within 30-45 days after the Stage 2 audit.
After the Certification assessment is complete, it will reveal whether or not there are any non-conformances with the standard.
Corrective Action if Necessary
Continually analyze, document, and correct non-conformances for as long as you have an ISMS.
Depending on the size of the organization, the certification body will establish an annual or semi-annual surveillance program. The total surveillance days each year will be about one-third the duration of the stage 2 certification audit. Each visit will always assess certain key elements of the system, for example, internal audit, management review, customer satisfaction, and corrective action. A sample of the other areas of the system will be examined during the visits, with all the areas being assessed over the three-year life of the certificate.
Every three years, the entire system will be assessed again. The recertification audit duration will be about two-thirds as long as the stage 2 audit. Assuming the assessment doesn’t find any major non-conformances, the audit team can recommend the organization for continued certification. And, after receipt of an acceptable corrective plan for any minor non-conformances, the certification body will reissue the ISO 27001 certificate.
The costs for the audits and registration will be dependent on the size of your company, the number of locations, the certifications that you need, and the distance between you and the auditor assigned by your Registrar.
The costs are typically dependent on the number of audit days required for the registration audit and the surveillance audits, the travel costs for the auditors, and the administration fees and accreditation fees for the registration.
Choosing a Registrar
When choosing a certification body for ISO 27001 certification, these are the aspects the organization needs to take into account.
- An independent ISMS audit to confirm ISO 27001 certification is a business decision:
  - Does a customer or agency require it?
  - Does it help with risk mitigation?
  - Would it improve public relations?
- Cost is not the only consideration. Criteria to consider include:
  - Evaluate several certification bodies using our Registrar Checklist.
  - Has the certification body been accredited? Accreditation, in simple terms, means that a certification body has been approved to certify organizations.
  - Is their accreditation internationally recognized/accepted? There are some organizations that are not internationally recognized.
  - Does the certification body follow ISO/IEC 17021:2006 (Conformity assessment – Requirements for bodies providing audit and certification of management systems)?
  - Do the auditors have experience in your industry?
  - Is the CB approved for certifications you may consider in the future?
The most important factor in choosing a Registrar is how well they can work with you. This includes how well they know your industry, how much experience they have with similar companies, and how well they communicate with you and your employees. There are many rules that a registrar must follow, issued by organizations like the ANAB.
Interview 3 or more Registrars to get a good idea of the options available and the differences between Registrars. Look locally if you have good choices, since it will save on costs, but if you do not find a good fit, look farther. The benefits of your relationship with your Registrar will pay off. Remember that these are experienced professionals who spend day after day evaluating how companies do business. The feedback you get from them is one of the best ISO 27001 certification benchmarking tools available.