Skip to Main Content

ISO 27001 Certification Services

A complete guide to our audit process, certification decisions, and ongoing compliance monitoring from initial application through recertification.

OUR PROCESS

How certification works.

Our certifcation process conforms to ISO/IEC 27006. Every step is designed to be rigorous, transparent, and fair.

PHASE ONE: Application & Scope Definition

Certification begins with a formal application. Your organization provides details about its structure, ISMS scope, and readiness. We review the application to confirm we have the competence and capacity to audit your industry and context. We provide a full proposal covering Stage 1, Stage 2, surveillance, and recertification timelines — before any work begins.

PHASE TWO: Stage 1 Audit - Readiness Review

Our auditors assess your ISMS documentation, policies, procedures, risk assessments, and control frameworks to evaluate readiness for the full certification audit. This review identifies critical gaps before Stage 2. We deliver written findings and guidance. If significant deficiencies are present, we work with you to understand what must be addressed before proceeding.

PHASE THREE: Stage 2 Audit – Certification Audit

This is the where certification is determined. Our team conducts an in-depth, on-site evaluation of ISMS implementation and effectiveness by interviewing personnel, observing operations, and testing that controls work as intended across departments and locations within scope. Non-conformities are discussed with your team, and organizations have the opportunity to address major findings before a certification decision is made.

PHASE FOUR: Certification Decision & Issuance

A dedicated Certification Committee — separate from the audit team — reviews the evidence and makes the certification decision. When requirements are met findings resolved, your certificate is issued and your organization is added to our public registry. Certificates are valid for three years.

Ongoing Surveillance Audits

Certification is a continuous commitment. Annual surveillance audits at 12 and 24 months verify that your ISMS remains effective and conforms to ISO 27001 requirements. Each surveillance audit samples controls, reviews internal audits, management reviews, and security objectives. A Surveillance Audit Report is issued following each visit with conclusions on continued certification validity.

Recertification Audit

Before your three-year certificate expires, we conduct a full recertification audit — a comprehensive review of your entire ISMS. Successful recertification results in a new certificate issued without interruption.

CERTIFICATION OUTCOMES

Possible outcomes explained.

Certification decisions are made, communicated, and managed tranparently — at every stage.

Initial & Recertification

After a successful audit, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.

  • Certificate valid for 3 years
  • Listing in public registry
  • License to use VikingCloud certification mark
  • Annual surveillance schedule established

Temporary Hold

Certification may be suspended if a serious compliance issue arises — such as a major non-conformity or failure to address critical audit findings within the agreed timeframe. The certificate is not valid during suspension.

  • Defined resolution timeframe provided
  • Registry updated to reflect suspension
  • Certification restored upon verified correction
  • Certificate mark use suspended during this period

Permanent Revocation

Certification is permanently withdrawn if serious issues cannot be resolved. Registry is updated accordingly.

  • Certificate permanently cancelled
  • Registry updated immediately
  • All use of certification mark must cease
  • Organization may pursue recertification from Stage 1

Initial & Recertification

After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.

  • Certificate valid for 3 years
  • Listing in public registry
  • License to use VikingCloud certification mark
  • Annual surveillance
  • schedule established

Initial & Recertification

After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.

  • Certificate valid for 3 years
  • Listing in public registry
  • License to use VikingCloud certification mark
  • Annual surveillance
  • schedule established

Initial & Recertification

After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.

  • Certificate valid for 3 years
  • Listing in public registry
  • License to use VikingCloud certification mark
  • Annual surveillance
  • schedule established
Our committment

Impartiality is not optional.

Independent certification decisions

Certification decisions are made exclusively by our Certification Committee senior personnel who had no involvement in conducting the audit. Auditors assess. They do not decide.

No consulting to clients we certify

VikingCloud Audit & Certification does not provide ISMS consulting, implementation, or readiness services to organizations it certifies.

Conflicts of interest controls

All personnel must disclose potential conflicts before any engagement. Auditors who have previously consulted for or advised an organization on its ISMS may not audit that organization.

External impartiality committee

An independent committee of external stakeholders meets regularly to review our practices and identify threats objectively.

OUR COMMITMENT

Our impartiality policy.

Governs how we identify, evaluate, and mitigate threats to impartiality — including financial, self-interest, familiarity, intimidation, and advocacy risks as defined under ISO/IEC 17021-1.

Start your certification journey.

Submit an inquiry and our team will reach out to discuss your scope and readiness.