What To Expect When You Go For Certification

This section guides you through the entire certification journey, from applying for your ISO/IEC 27001 certificate to obtaining it, and includes tips on maintaining your certification.

1. Applying for Initial certification

Once ready for certification, the organisation fills in and returns a request for quotation (RFQ). This initiates the application-for-registration process. NSAI will reply to this request with a quotation. The quotation covers the period corresponding to the certification cycle, generally 3 years. The planned audit duration is based on factors such as the number of personnel, the number of sites, the organisation's sector of activity, the associated risk, etc. To complete the process, the organisation signs the quotation.

At this stage, the competent auditor assigned to the organisation will schedule the assessment in two stages:

Stage 1 – preliminary assessment for initial certification

At this stage of the assessment, the auditor will review the documentation of the organisation covering various areas such as:

  • The proposed scope of your registration.
  • The status of implementation of your management system (e.g. risk assessment).
  • The appropriate regulatory and legal requirements.
  • Your management policies and objectives.
  • Whether the system addresses the key areas of your business.
  • Your site-specific activities – top-level process review.
  • Your key management elements, e.g. internal audits, reviews, and complaints procedures.
  • The statement of applicability of Annex A controls.
  • Your readiness to move onto Stage 2 of the assessment, the Registration Assessment.

The preliminary assessment results will provide insight into the organisation's readiness to proceed to the registration assessment stage. The preliminary assessment report will highlight any areas that need to be addressed before the next stage of the assessment. The organisation will be given time to address these issues before the registration assessment is scheduled.

Stage 2 – registration assessment for initial certification

This stage involves a full review of the organisation's management system, ensuring that it is controlled and has predictable outcomes. At the end of the registration assessment, the auditor issues a detailed report including the outcome (e.g. a recommendation for registration). The report will also provide an overview of any nonconformities encountered during the assessment. Nonconformities are classified as Major, Minor or Opportunity for Improvement (OFI).

A major nonconformity indicates a failure to fulfil one or more requirements of ISO/IEC 27001, or a situation that raises significant doubt about the ability of the client's ISMS to achieve its intended outputs. By default, it is expected that a satisfactory action plan covering the cause(s), correction and corrective action will be received by NSAI within 30 days after the audit, and that the effectiveness of the correction and corrective action can be demonstrated by documentary evidence or by a re-audit. The major nonconformity must be addressed before the auditor can recommend the organisation for certification.

A Minor nonconformity indicates a failure to comply with the requirements of the scheme that is less significant than a Major audit finding. For a Minor nonconformity, a satisfactory action plan, correction and corrective action will be expected by NSAI within 30 days after the registration audit.

When the auditor is satisfied with the response provided, the organisation's file is transferred to NSAI's technical and management team, who review it and issue the certificate. Certificates are generally valid for 3 years.

OFIs are comments recorded by the auditor and do not require a response from the organisation applying for certification. The organisation can use these comments to improve the effectiveness of its ISMS.

2. Surveillance and recertification audits

After successful registration, NSAI schedules yearly surveillance audits to monitor the organisation's management system and ensure that the expected outcomes continue to be achieved. During a surveillance audit, part of the management system is reviewed. The management system undergoes a full review during the reassessment audit, which takes place in the third (expiry) year of the certificate.

During this audit, the auditor will review the performance of the management system, taking into consideration the results of previous reviews. Any nonconformity raised at the reassessment audit is handled in the same way as one raised during the registration assessment. The certificate is renewed once a satisfactory response to the identified issues is received from the organisation.