Most ISO 27001 projects focus entirely on the technical controls, firewalls, access policies, encryption, and treat the audit itself as a formality to schedule once everything's built. That's backwards. The certification body you choose, and when you bring them in, shapes the entire project, and picking wrong is one of the most common reasons a first audit fails.
In short: ISO 27001 certifies an Information Security Management System (ISMS), not just technical controls, and a UKAS-accredited certification body audits it in two stages: a Stage 1 documentation review, then a Stage 2 audit of whether the ISMS actually operates as documented, with evidence. Choosing that certification body and involving them early is what most first-time projects get wrong.
Here's what ISO 27001 actually certifies, why the auditor relationship matters from day one, and how we partner with clients through it.
What does ISO 27001 actually certify?
ISO 27001 isn't a checklist of technical controls to tick off. It certifies an Information Security Management System, a management framework covering risk assessment methodology, a Statement of Applicability mapping every relevant Annex A control, documented policies, an internal audit programme and regular management review. That's a meaningfully different, and bigger, undertaking than Cyber Essentials, which is a self-assessed technical baseline rather than an independently certified management system.
The current version of the standard, ISO/IEC 27001:2022, reorganised Annex A into 93 controls across four themes: organisational (37 controls), people (8), physical (14) and technological (34). That replaced the 114 controls and 14 domains of the 2013 edition, and it introduced eleven genuinely new controls, threat intelligence, information security for cloud services, data leakage prevention and secure coding among them. The Statement of Applicability is where you record, control by control, which of those 93 apply to your scope and why any are excluded, and it's one of the first documents a Stage 1 auditor will scrutinise. If you certified under the 2013 version, the transition deadline to 2022 has now passed, so any certificate still referencing the old standard needs attention.
What are the two stages of the ISO 27001 audit?
Certification runs in two stages, and most of the businesses we see stumble at one or the other.
Stage 1 is a documentation review: does the ISMS exist on paper, is the scope properly defined, is every exclusion in the Statement of Applicability actually justified. Businesses that build technical controls first and documentation later often aren't ready for this stage, even though the underlying security is sound.
Stage 2 is the certification audit itself: does the ISMS actually operate as documented, with evidence, internal audits that have actually happened, management reviews that have actually taken place, corrective actions that have actually been tracked. This is where projects that treated the ISMS as a paperwork exercise get caught out, there's no evidence trail because the process was never really run.
It's also worth knowing that certification isn't a single pass-and-forget event. Once you're certified, the certificate runs on a three-year cycle: the Stage 2 audit in year one, then lighter annual surveillance audits in years two and three that check the ISMS is still operating, followed by a full recertification audit before the three years are up. An ISMS that's allowed to lapse quietly between surveillance visits is the single most common way businesses lose a certificate they worked hard to earn, which is why the process has to keep running long after the first audit is passed.

Why does the auditor relationship matter from day one?
"Businesses that bring their certification body in at the end are scoping their own audit blind. Businesses that bring them in at the start find out exactly what evidence Stage 2 will expect, while there's still time to build it."
- Choose a UKAS-accredited certification body early, not once the technical work is finished. Their expectations shape how you should have scoped the project from the outset.
- Get the ISMS boundary right with their input. Scope too broadly and you're managing controls you didn't need to; scope too narrowly and the certificate doesn't cover what your customers actually need it to.
- Run a readiness assessment before Stage 1, so gaps in documentation or evidence surface while there's time to fix them, not during the audit that determines whether you pass.
How we partner with clients through this process
Our Security Services team handles the technical and procedural side, access control, encryption, endpoint protection, backup, supplier security, all mapped against the Annex A controls that matter for your scope. We then coordinate directly with an accredited ISO 27001 certification partner to run a pre-assessment ahead of the formal Stage 1, so audit findings get fixed on our schedule, not the auditor's. And because certification isn't a one-off event, annual surveillance audits keep coming, we help keep the ISMS genuinely operating between them, not quietly lapsing back into a folder of unused documents until the next audit forces a scramble.
Where this leaves you
Passing ISO 27001 first time is almost always a preparation problem, not a security problem, most businesses that fail already had reasonable technical controls in place. The difference is whether the certification body's expectations were built into the project from day one or discovered during the audit. If you're planning ISO 27001, or already stuck partway through a first attempt, Systech's assessment will tell you exactly where the gaps are, technical and evidential, and we can bring in the right accredited partner to take it from there.



