The Certification Tracker in Venvera helps you manage the entire ISO 27001 certification lifecycle — from initial planning through Stage 1 and Stage 2 audits, annual surveillance audits, and the three-year recertification cycle. Whether you are pursuing certification for the first time or maintaining an existing certificate, this page provides a single view of your certification status, audit history, and upcoming milestones.
Understanding ISO 27001 Certification
ISO 27001 certification is an independent, third-party assessment confirming that your ISMS meets the requirements of the standard. Certification is granted by an accredited certification body (CB) and follows a defined lifecycle:
The 3-Year Certification Cycle
| Year | Activity | Purpose |
|---|---|---|
| Year 1 | Initial Certification (Stage 1 + Stage 2) | Full assessment of ISMS documentation and implementation. If successful, certificate is issued with a 3-year validity. |
| Year 2 | Surveillance Audit 1 | Partial reassessment to verify continued conformity. Typically covers a subset of ISMS requirements and Annex A controls. |
| Year 3 | Surveillance Audit 2 | Second partial reassessment. Together with Surveillance 1, should cover all ISMS requirements over the cycle. |
| Year 3 (end) | Recertification Audit | Full reassessment before the certificate expires. A new 3-year cycle begins if successful. |
Stage 1 Audit — Documentation Review
The Stage 1 audit is a readiness assessment. The CB reviews ISMS documentation to verify: scope definition (Clause 4.3), security policy (Clause 5.2), risk assessment and treatment processes (Clauses 6.1.2, 6.1.3), Statement of Applicability, mandatory documented information (Clause 7.5), and that internal audits and management reviews have been conducted. Stage 1 may be conducted on-site or remotely.
Stage 2 Audit — Implementation Audit
The Stage 2 audit is the main on-site assessment. Auditors verify that the ISMS is implemented and operating as documented, SoA controls are effective, risk assessments are consistent with practice, staff understand their responsibilities, and Stage 1 findings have been addressed. Stage 2 typically occurs 1–3 months after Stage 1.
Surveillance Audits
Annual surveillance audits verify continued conformity. They sample different ISMS areas each year, covering corrective actions, internal audit results, management review outputs, selected controls, and any significant changes. Over two surveillance audits, the CB should cover all requirements.
Recertification
Before the certificate expires, a recertification audit reassesses the entire ISMS (similar to Stage 2). Successful recertification begins a new 3-year cycle.
Certification Tracker Page in Venvera
The Certification Tracker page (ISO 27001 > Certification) displays the heading Certification Tracker with the subtitle "Track your ISO 27001:2022 certification journey". A Save button persists all changes.
Status Banner
At the top of the page, a prominent status banner displays the current certification status with a colour-coded icon and badge, the certification body name, certificate number, and a Days to Expiry countdown. The countdown is colour-coded:
| Condition | Colour | Display |
|---|---|---|
| Expired (past expiry date) | Red | Shows number of days overdue (e.g., "45d overdue") |
| Less than 90 days to expiry | Orange/Amber | Shows remaining days (e.g., "72d") |
| 90 or more days to expiry | Green | Shows remaining days (e.g., "245d") |
Certification Status Options
The status dropdown tracks your position in the certification lifecycle:
| Status | Colour | When to Use |
|---|---|---|
| Not Started | Grey | Certification has not been initiated. You are building the ISMS but have not engaged a certification body. |
| Planning | Blue | You have begun planning for certification: selecting a CB, scheduling audits, performing readiness reviews. |
| Stage 1 Scheduled | Orange | The Stage 1 documentation review audit has been scheduled with the CB. |
| Stage 1 Complete | Amber | Stage 1 is complete. You are addressing any findings before Stage 2. |
| Stage 2 Scheduled | Orange | The Stage 2 implementation audit has been scheduled. |
| Certified | Green | Your organisation has achieved ISO 27001 certification. The certificate is valid. |
| Surveillance Due | Amber | An annual surveillance audit is due. Plan and schedule with your CB. |
| Recertification Due | Red | The certificate is approaching expiry and a recertification audit is needed. |
| Expired | Red | The certificate has expired. Recertification or new initial certification is required. |
Certification Details Section
This section captures the core certification information:
| Field | Type | Required | Description |
|---|---|---|---|
| Certification Body | Text input | Optional | The name of your certification body (e.g., BSI, DNV, TUV, Bureau Veritas, LRQA, Schellman) |
| Certificate Number | Text input | Optional | The unique certificate number issued by the CB |
| Status | Dropdown | Required | Current certification status (see status options above) |
| Initial Cert Date | Date picker | Optional | The date when the organisation first achieved ISO 27001 certification |
| Current Cert Date | Date picker | Optional | The date of the most recent certification or recertification |
| Expiry Date | Date picker | Optional | The date when the current certificate expires (typically 3 years after current cert date) |
Certification Audit Stages Section
This section tracks the two stages of the initial certification audit, displayed side by side:
Stage 1 — Documentation Review
| Field | Type | Description |
|---|---|---|
| Date | Date picker | The date when the Stage 1 audit was conducted or is scheduled |
| Result | Dropdown | Options: (blank), Pass, Pass with Observations, Fail |
Stage 2 — Implementation Audit
| Field | Type | Description |
|---|---|---|
| Date | Date picker | The date when the Stage 2 audit was conducted or is scheduled |
| Result | Dropdown | Options: (blank), Pass, Pass with Observations, Minor NCs, Major NCs, Fail |
Surveillance & Recertification Section
This section manages ongoing audit activities after initial certification:
Next Surveillance Date: A date picker to record when the next surveillance audit is scheduled. Update this after each surveillance audit is completed.
Audit History: A dynamic list where you can add records for each surveillance or recertification audit. Click Add Audit to add an entry with the following fields:
| Field | Type | Description |
|---|---|---|
| Date | Date picker | The date the audit was conducted |
| Type | Dropdown | Options: Surveillance, Recertification |
| Result | Dropdown | Options: (blank), Pass, Observations, Minor NCs, Major NCs |
| Notes | Text input | Any additional notes about the audit findings, actions required, or outcomes |
Use the Remove button to delete a history entry. Recording every audit here builds a complete audit trail over the certification lifecycle.
Notes Section
A free-text area for general certification notes, action items, reminders, or any information that does not fit the structured fields above.
Step-by-Step: Managing Your Certification
1. When you begin using the Certification Tracker, set the status to Not Started or Planning depending on where you are in the process. If you already hold certification, set the status to Certified and populate all date fields.
2. Enter your chosen or current certification body name and certificate number (if applicable). Common certification bodies include BSI, DNV, TUV, Bureau Veritas, LRQA, and Schellman.
3. When your Stage 1 audit is scheduled, update the status to Stage 1 Scheduled and enter the date. After the audit, record the result (Pass, Pass with Observations, or Fail) and update the status to Stage 1 Complete.
4. Schedule the Stage 2 audit (typically 1–3 months after Stage 1). Update the status to Stage 2 Scheduled, enter the date, and record the result after the audit. If the result is Pass or Pass with Observations, update the status to Certified and enter the certification and expiry dates.
5. Set the Next Surveillance Date (typically 12 months after initial certification). When the surveillance audit is completed, add an entry to the Audit History with the date, type (Surveillance), result, and notes. Update the Next Surveillance Date for the following year.
6. As the expiry date approaches, update the status to Recertification Due. Schedule the recertification audit and record it in the Audit History as type Recertification. If successful, update the Current Cert Date and Expiry Date for the new 3-year cycle and reset the status to Certified.
7. Click Save after every update to persist your certification data. The Days to Expiry countdown updates automatically based on the Expiry Date field.
The Certification Lifecycle in Detail
Understanding the full lifecycle helps you plan resources and maintain continuous readiness:
Pre-Certification (Months 1–6)
Define ISMS scope, complete risk assessment and treatment, implement Annex A controls and the SoA, develop mandatory documentation, conduct at least one internal audit cycle, hold at least one management review, and engage a certification body.
Initial Certification (Months 6–9)
Undergo the Stage 1 documentation review, address findings, undergo the Stage 2 implementation audit, resolve any nonconformities, and receive the certificate.
Maintaining Certification (Ongoing)
Continue operating the ISMS (risk reviews, incident management, training), conduct internal audits, hold annual management reviews, address NCs promptly, undergo annual surveillance audits, and update the ISMS for changes.
Tips for Certification Success
- Start early: Engage your CB at least 6 months before your target date. Popular CBs have long lead times.
- Keep the NC register current: Close NCs promptly with documented root cause analysis.
- Ensure management reviews are up to date: Include all Clause 9.3 required inputs and improvement decisions.
- Maintain audit evidence: Keep records of audit findings, risk assessments, training, and incidents accessible.
- Brief staff: Ensure personnel can explain their ISMS roles and relevant controls.
- Monitor Days to Expiry: Begin recertification planning when the counter drops below 180 days.