About ISO/IEC 27001

ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS). It is an internationally accepted standard and is a valuable way to differentiate your organization as it demonstrates compliance with industry standards and your commitment to keeping information secure.

Below is what to expect when going through our step by step approach toward certification:

Pre-certification activities

New application requests for certification services can be sent through our contact us page. As part of pre-certification activities, we will conduct a client evaluation and engagement acceptance review. As part of this process, we will need information over the ISMS scope and boundaries of the system to determine fee arrangements and resourcing needs. This includes information about the approximate number of people, infrastructure, software components, key activities and data, and locations (physical and virtual) of the ISMS. A Statement of Applicability and other ISMS scoping documentation, if available, are helpful.

Pre-assessment (optional)

This is not a required step but a formal readiness assessment against the ISO/IEC 27001 Standard can be helpful in assisting organizations prepare for initial certification. The desired outcome is to identify deficiencies in the client ISMS seeking certification to the ISO/IEC 27001 Standard.

Initial certification audit

Initial certification audits include two stages. Stage 1  is an evaluation of the management system and documentation with primary focus on the design of they system. Stage 1 also helps in planning for stage 2. The Stage 2 audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client location(s).  BARR Certifications will then determine if it will issue certification to the client.

Surveillance audit

The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure certified organization is able to maintain its compliance to the standard. These audits audits include limited testing and an onsite review to determine impact of any significant changes since the original certification. 


Before the certificate expires, arrangements for recertification is planned. Recertification activities include a full audit of the ISMS.

Notice of changes

If during the 3-year certification cycle there are changes in scope of the certification (i.e., reduction or expansion) or changes to requirements, this will be discussed with the BARR Certifications team.