Get Certified
Get Certified
Certification Lifecycle

Certification
Lifecycle

Our certification lifecycle shows how certification works from your first application through audits, independent decision, surveillance, recertification, status changes, and appeals.

Standard

ISO/IEC 27001

Certification Cycle

3 Years

Surveillance

Annual

Decision

Independent

Special Audits

As Needed
Download Process PDF
Contact Team

Certification Process Flow

Application & Information Exchange

Clients Submit Application
 for Initial Certification
Exchange of Information
between client and GCAI
Review of Application
 for Certification
Identification of areas of concern and request for additional information (if applicable)
Development of audit program
Proposal for certification and confirmation of audit program
Clients and GCAI Signed Contract for Initial Certification
Development of audit program

Initial Certification Planning & Audits

Select and appoint
 competent Stage-1 Team
Planning for Stage-01
Conduct Stage-01
Resolve Stage-1 areas of Concern (if applicable)
Confirm/appoint
 competent Stage-2 Team
Plan for Stage-2
Conduct Stage-2
Resolve Stage-2 areas of concern (if applicable)
Initial certification audit
 conclusions

Initial Certification Decision

Granting of initial certification and issuance of certification documents

Surveillance Audits (At least once per year)

Exchange of information between client and certification body; determine if change to audit program required
Confirm audit program and communication to client
Confirm appoint competent audit team
Plan for Surveillance Audit
Conduct Surveillance Audit
Resolve surveillance audit areas of concern (if applicable)
Surveillance Audit Conclusions
Independent review of certification (if required)

Re-Certification Audit

Recertification audit planning
Confirm audit program and communication to client
Confirm appoint competent audit team
Plan for recertification audit
Conduct Surveillance Audit
Conduct recertification audit
Resolve recertification audit areas of concern (if applicable)
Recertification Audit Conclusions
Recertification decision
Granting of recertification and issuance of certification documents

Confirm or adjust audit program and appropriate audit follow-up and surveillance activities including frequency and duration. Special audits must also be taken into consideration.

Apply & Contract

Submit application and agree terms.

  • What we do
  • Confirm eligibility, scope, sites, and audit team
  • Identify applicable standards and legal/contract requirements
  • Issue proposal and agreement
  • Tip for clients
  • Share organization changes, scope updates, and regulatory factors early for the best audit fit.

Stage 1 Audit – Readiness Assessment

  • Purpose
Check readiness for Stage 2 and confirm scope, maturity, and audit plan.
  • EMS documentation review
  • Risks and opportunities review status
  • Identification of risks and controls
  • What you receive:
Check readiness for Stage 2 and confirm scope, maturity, and audit plan.
  • Stage 1 report with readiness status
  • Plan and confirmed Stage 2 date

Stage 2 Audit – Certification Audit

  • Purpose
Verify full implementation and effectiveness of the EMS against ISO/IEC 27001.
  • On-site or hybrid audit examines scope areas
  • Interviews, observations, sampling
  • Your outcome
  • Major/Minor OFIs recorded and verified
  • Nonconformities issued, if any
  • Audit report and recommendation

Independent Certification Decision

  • Who decides
Independent review committee makes an impartial decision for ISO/IEC 27001.
  • If approved
  • Certificate with ISO/IEC 27001 certification
  • 3-year cycle (with annual surveillance)

Surveillance Audits (Years 1 & 2)

  • Frequency
At least once per calendar year.
  • Maintain EMS performance and improvement
  • Check on-site and/or remote
  • Continued staff competency review
  • What to expect
  • Plan in advance with client
  • May include 1–2 additional modules
  • Any NCRs require corrective actions

Recertification Audit (Year 3)

  • When
Typically within the 3-year certification cycle.
  • Scope
Comprehensive review of implementation and continual improvement.
  • Outcome
If successful, recertification renews the 3-year cycle. If not, corrective actions and Stage 2 may be required.

Special Audits (as needed)

  • Triggered by
  • Significant organizational or security changes
  • Customer or regulatory requests
  • Extended gaps in surveillance
  • Emerging risks or incidents
  • Purpose
Targeted review of specified areas to confirm conformity and acceptable risk.

Multi-Site Certification

  • Approach
  • We apply sampling per IAF guidance (e.g., ISO 27001)
  • Central function and site audits coordinated
  • Ensure consistent EMS across all locations

Transfers from Another CB

  • What we verify
  • Current certification validity and remaining cycle
  • Completeness of previous audit and decisions
  • Outcome
We confirm evidence vs. awarding cycle for seamless and informed certification transfer or continuation.

Certification Status Rules

Grant / Maintain / Renew

When the EMS conforms, NCRs have appropriate action, obligations met, EMS effective, and ongoing conditions are satisfied.

Refusal of Certification

When EMS nonconformities/risks are unacceptable, or required legal requirements/conditions are not met.

Suspension of Certification

When EMS under review, risks not effectively addressed, or surveillance/recertification overdue.

Restoring Certification

Once issues resolved and clauses re-verified and all obligations met.

Scope Expansion / Reduction

Changes require review and an amended certificate with refreshed scope and audit timing.

  • What We Expect from Certified Clients
  • Maintain documents and evidence of system performance.
  • Provide access to sites, records, and personnel for audits.
  • Use the GCAI Certification Mark correctly.
  • Address identified risks and implement corrective and special audits.
  • Cooperate during surveillance, recertification and special audits.
  • Governance, Impartiality & Records
  • Decisions are made by independent and qualified ISO/IEC 17021-1 personnel.
  • Impartiality rules are maintained and disclosed.
  • Risks and conflicts are identified, managed and controlled.
  • Records (audit, decisions, NCRs, complaints) are confidentially retained for at least two certification cycles.

Certified client responsibilities

Use the mark accurately

Follow the rules for correct and consistent use.

Keep claims within certified scope

Only communicate what is covered by certification.

Stop use if suspended or withdrawn

Remove marks and claims immediately if status changes.

Notify GCAI of material changes

Inform us of changes that may affect your certification.

Related pages

Certification Rules & Guidelines

How we make claims about certification.

Logo Usage Policy

Guidelines for using the GCAI Certification Mark.

Complaints & Appeals Policy

How we handle complaints and appeals fairly.

Verify Certificate

Check the validity and status of a certificate.

Scroll to Top