CSM27001: How to Apply

The steps towards achieving ISO/IEC 27001 certification are shown below:


Organisations should complete an application form and provide relevant supporting information to request a quotation. Kindly note that the quotation for audit days will vary depending on the scope of certification, the size of the organisation, the complexity of the scope, etc.

Application Review
The application will be reviewed by the Certification Body (CB) to ensure that the information about the organisation and its management system is sufficient and that the CB has the competence and ability to perform the certification activity. Based on this review, the CB will either accept or decline the application.

Stage 1 Audit
The purpose of the Stage 1 audit is to verify that the organisation’s management system is implemented and to assess the organisation’s preparedness for the Stage 2 audit. The CB will review the organisation’s management system documented information and obtain the necessary information regarding the scope of the management system.

Stage 2 Audit
The Stage 2 audit evaluates the implementation, including the effectiveness, of the organisation’s ISMS. Where non-conformities and opportunities for improvement are observed, the CB will formally document them. The organisation should provide an appropriate set of corrective actions to resolve the identified non-conformities.

Certification Decision
All information and audit evidence gathered during the Stage 1 and Stage 2 audits will be analysed in order to review the audit findings and agree on the audit conclusions. The CB will make the final decision after all non-conformities have been resolved. The decision includes granting or refusing certification, or expanding or reducing the scope of certification.

Surveillance audits are conducted periodically for the CB to maintain confidence that the organisation’s certified management system continues to fulfil the standard requirements. 

A recertification audit will be conducted if the organisation wishes to renew its certification. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system, and its continued relevance and applicability for the scope of certification.


Information Security Certification Body (ISCB)
CyberSecurity Malaysia,
Level 7 Tower 1, Menara Cyber Axis,
Jalan Impact, 63000 Cyberjaya,
Selangor Darul Ehsan, Malaysia.

Monday - Friday 08:30-17:30 MYT (Note: closed on Saturdays, Sundays and public holidays)

T: +603 - 8800 7999
F: +603 - 8008 7000


For certification enquiry: