A complete guide to our audit process, certification decisions, and ongoing compliance monitoring from initial application through recertification.

How certification works.
Our certifcation process conforms to ISO/IEC 27006. Every step is designed to be rigorous, transparent, and fair.
PHASE ONE: Application & Scope Definition
Certification begins with a formal application. Your organization provides details about its structure, ISMS scope, and readiness. We review the application to confirm we have the competence and capacity to audit your industry and context. We provide a full proposal covering Stage 1, Stage 2, surveillance, and recertification timelines — before any work begins.
PHASE TWO: Stage 1 Audit - Readiness Review
Our auditors assess your ISMS documentation, policies, procedures, risk assessments, and control frameworks to evaluate readiness for the full certification audit. This review identifies critical gaps before Stage 2. We deliver written findings and guidance. If significant deficiencies are present, we work with you to understand what must be addressed before proceeding.
PHASE THREE: Stage 2 Audit – Certification Audit
This is the where certification is determined. Our team conducts an in-depth, on-site evaluation of ISMS implementation and effectiveness by interviewing personnel, observing operations, and testing that controls work as intended across departments and locations within scope. Non-conformities are discussed with your team, and organizations have the opportunity to address major findings before a certification decision is made.
PHASE FOUR: Certification Decision & Issuance
A dedicated Certification Committee — separate from the audit team — reviews the evidence and makes the certification decision. When requirements are met findings resolved, your certificate is issued and your organization is added to our public registry. Certificates are valid for three years.
Ongoing Surveillance Audits
Certification is a continuous commitment. Annual surveillance audits at 12 and 24 months verify that your ISMS remains effective and conforms to ISO 27001 requirements. Each surveillance audit samples controls, reviews internal audits, management reviews, and security objectives. A Surveillance Audit Report is issued following each visit with conclusions on continued certification validity.
Recertification Audit
Before your three-year certificate expires, we conduct a full recertification audit — a comprehensive review of your entire ISMS. Successful recertification results in a new certificate issued without interruption.
Certification decisions are made, communicated, and managed tranparently — at every stage.
Initial & Recertification
After a successful audit, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.
Temporary Hold
Certification may be suspended if a serious compliance issue arises — such as a major non-conformity or failure to address critical audit findings within the agreed timeframe. The certificate is not valid during suspension.
Permanent Revocation
Certification is permanently withdrawn if serious issues cannot be resolved. Registry is updated accordingly.
Initial & Recertification
After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.
Initial & Recertification
After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.
Initial & Recertification
After a successful audit confirms that all ISO/IEC 27001 requirements are met and findings addressed, the Certification Committee grants certification. A certificate is issued and the organization is added to the public registry.
Independent certification decisions
Certification decisions are made exclusively by our Certification Committee senior personnel who had no involvement in conducting the audit. Auditors assess. They do not decide.
No consulting to clients we certify
VikingCloud Audit & Certification does not provide ISMS consulting, implementation, or readiness services to organizations it certifies.
Conflicts of interest controls
All personnel must disclose potential conflicts before any engagement. Auditors who have previously consulted for or advised an organization on its ISMS may not audit that organization.
External impartiality committee
An independent committee of external stakeholders meets regularly to review our practices and identify threats objectively.
Our impartiality policy.
Governs how we identify, evaluate, and mitigate threats to impartiality — including financial, self-interest, familiarity, intimidation, and advocacy risks as defined under ISO/IEC 17021-1.
Submit an inquiry and our team will reach out to discuss your scope and readiness.