Conditions to pursue ISO 27001 certification

Answer: If you do not have evidences to show compliance with all requirements from sections 4 to 10, and that controls from Annex A stated as applicable in the Statement of Applicability (SoA) are implemented and working it makes no sense to go for a certification audit, since the certification auditor will not have enough evidences to verify if the ISMS is implemented and operational.

For further information, see:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

2. How long should I be operational prior conducting the audit? 6 mos minimum.

Answer: A good reference you can use to define the time you need a process or control to be operating to have enough data to be audited is to ensure it has already completed at least three cycles of operation. For example, if a full backup process is performed once a week, then you should wait at least three weeks to audit this process.

But it is important to note that certification bodies have their own criteria about the duration of the ISMS operation before the certification, so you must contact then previously to align this situation.