An ISMS in place is required before ISO 27001 certification
A company cannot be certified “right from the beginning” without having an ISMS in place, documented, and operating. Certification auditors expect to see evidence of controls, responsibilities, monitoring, and continual improvement, typically demonstrated over a period of time (often 3–6 months of records) before granting certification.
Key Conditions for ISO 27001 Certification
Defined ISMS Scope
The organization must clearly define which parts of the business are covered by the ISMS (e.g., departments, systems, processes).
Documented Policies & Procedures
Written information security policies aligned with ISO 27001 requirements must exist and be communicated internally.
Risk Assessment & Treatment
Risks to information assets must be identified, evaluated, and treated using appropriate controls from Annex A.
Implementation of Controls
Security controls (technical, organizational, and procedural) must be implemented and operating, not just documented.
Roles & Responsibilities
Clear assignment of responsibilities for information security management is required, including top management involvement.
Evidence of Operation
Internal audits, management reviews, and monitoring activities must be performed and documented. Auditors look for logs, reports, and records showing the ISMS is functioning.
Continual Improvement
The organization must demonstrate mechanisms for ongoing improvement, not just a one-time setup.
Comparison: Starting Fresh vs. Established ISMS
| Scenario | Certification Feasibility | Requirements |
|---|---|---|
| Company with existing ISMS | Easier path | Already has controls, audits, and records to show effectiveness |
| Company starting from scratch | Possible, but not immediate | Must first design, implement, and operate ISMS for a period (usually months) before audit |
| Company with no prior system, seeking instant certification | Not feasible | Certification bodies require evidence of operation, not just documentation |
Practical Considerations
- Minimum Time Requirement: while ISO 27001 does not prescribe an exact duration, auditors expect evidence over time (commonly 3–6 months of ISMS operation).
- Gap Analysis First: companies without any system usually undergo a gap analysis to identify missing elements, then implement and run the ISMS before certification.
- Audit Stages: certification involves a Stage 1 audit (documentation review) and Stage 2 audit (evidence of implementation). Without operational evidence, Stage 2 will fail.
Conclusion: a company cannot be certified immediately if it has never had a management system. It must first implement and operate an ISMS with controls, responsibilities, and monitoring, and provide evidence of its effectiveness before certification is granted.
