ISO Certifications
Need help determining if ISO is right for you?
International Organization for Standardization (ISO) engagements have become increasingly important for organizations, especially those delivering products and services outside of the continental United States. ISO standards allow for the standardization of requirements and controls, providing customers with confidence that their systems and data are protected. Baker Tilly takes these standards very seriously and aims to continually position itself as the premier provider of quality ISO reports for organizations seeking to deliver peace of mind.
Learn more below about the different types of ISO reports we deliver to determine which report is best for your company:
- ISO 27001:2022 provides a framework and the necessary requirements for the design, implementation and continuous monitoring of an Information Security Management System (ISMS). Have you considered your organization’s ability to sufficiently protect your systems and data?
- ISO 27701:2019 provides organizations with guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
Certification process
Year 1 – Initial ISO certification
- Stage 1 audit is usually carried out over one or two days and typically occurs onsite. For organizations with more than one location, the audits are usually carried out at your central function location.
- Stage 2 audit evaluates the implementation and effectiveness of your organization’s management system(s).
Year 2 – Surveillance
The first surveillance audit still checks that the documented processes comply with the standard, but covers only several mandatory processes and a selection of the remaining processes.
Year 3 – Surveillance
The final year in the three-year cycle will consist of another surveillance audit, covering several mandatory processes and the remaining processes not covered in the previous year.
Effective dates and transition
Below are key dates for the transition period as defined by the International Accreditation Forum (IAF) [1].
April 30, 2023
Accreditation bodies/auditors must be ready to assess to ISO 27001:2022.
Oct. 31, 2023
Organizations seeking initial ISO 27001 certification will be required to adopt the new standard.
April 30, 2024
All existing ISO/IEC 27001:2013 certified clients shall be audited (surveillance or recertification audits) against ISO/IEC 27001:2022.
Oct. 31, 2025
Organizations with an active ISO 27001 certification will be required to transition to the new standard. All ISO 27001:2013 certificates issued after Oct. 31, 2022, will expire on Oct. 31, 2025.
ISO impartiality and inquiries
ISO/IEC 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS). It is an internationally accepted standard and is a valuable way to differentiate your organization as it demonstrates compliance with industry standards and your commitment to keeping information secure.
Pre-certification process
New application requests for certification services can be sent through our contact page. Baker Tilly will then conduct a client evaluation. As part of the process, the client provides information about the ISMS scope, the boundaries of the system, and other relevant documentation so that fee arrangements and resourcing needs can be determined. This includes the approximate number of people, the infrastructure, the software components, the key activities and data, and the locations (physical and virtual) of the ISMS. If available, a statement of applicability and other ISMS scoping documentation are helpful in completing this process.
The initial certification audit is conducted in two stages as follows:
Stage 1 audit
The management system and its documentation are evaluated in several steps, with a primary focus on the design of the system. First, Baker Tilly audits the ISMS documentation. Second, the ISMS scope is evaluated, including the personnel, services/products, and sites within it. Third, the auditor verifies that the organization has completed an internal audit and a management review and has an accepted risk register and risk treatment plan. Finally, the organization’s understanding of the standard, including the scope of the audit and the resources committed to it, is evaluated. Much of the information reviewed during stage 1 feeds the planning for stage 2.
Stage 2 audit
The second stage of the initial certification involves detailed testing to determine if the organization has effectively implemented and is consistently monitoring its ISMS in accordance with ISO/IEC 27001. This stage is performed onsite with the organization’s process owners at its various locations as detailed in the audit plan. Baker Tilly will then determine if it will issue certification to the client.
Baker Tilly is responsible for and retains authority over its certification decisions, including granting, refusing, maintaining, renewing, suspending, restoring, or withdrawing certification. The client is responsible for maintaining compliance with ISO/IEC 27001 requirements throughout the period of certification. Once the successful remediation of any required corrective actions has been confirmed, the findings and recommendations in the audit report are reviewed and a certification decision is made.
If the organization’s ISMS is approved for certification, Baker Tilly issues an ISO/IEC 27001 certificate stating the scope of certification. The certificate is valid for three years from the issuance date, subject to the successful completion of annual surveillance audits. Based on the results of surveillance audits or other circumstances, Baker Tilly reserves the right to suspend, withdraw, or reduce the scope of the certification. Certification may be refused for reasons including the client’s non-compliance with Baker Tilly’s terms and agreements. Detailed information and documentation outlining the terms and conditions will be provided upon completion of the certification process.
All decisions are communicated to the organization in writing; a refusal states the grounds for refusing certification. When a client’s certification is suspended, refused, or withdrawn, the client must cease use of the certification mark and of any promotional material that advertises the client as certified.
Surveillance audits are conducted annually and are required in order to help ensure the certified organization is able to maintain its compliance with the standard. As part of this process, limited testing and an onsite review will be conducted to determine the impact of any significant changes since the original certification and that the initial certification scope remains valid.
Before the certificate expires, arrangements for recertification are planned. Recertification activities include a full audit of the ISMS.
If during the three-year certification cycle there are changes in the scope of the certification or changes to requirements, this will be discussed with the Baker Tilly certification team.
Information about a particular certified client shall not be disclosed to a third party without the written consent of the certified client except as required in ISO/IEC 17021.
Baker Tilly is committed to maintaining professionalism within our organization and toward our clients. As such, Baker Tilly is impartial, intellectually honest, and free of conflicts of interest. This policy helps ensure the independence, impartiality, and objectivity of our management systems certification activities.
Our stated impartiality policy clearly identifies and assesses all relationships that may result in a conflict of interest or may pose a threat to impartiality. The policy helps ensure that our personnel are, and will remain, impartial in our certification activities.
Baker Tilly will not provide advisory or management systems consulting services to assist in the design, selection, or implementation of controls or internal audit services used to meet the ISO/IEC 27001 requirements. This requirement does not prevent Baker Tilly from performing ISO/IEC 27001 pre-audit assessment services.
Baker Tilly maintains a Client Directory containing the current status of all client certifications.
Clients can appeal decisions taken by Baker Tilly on an application, a certification, or other matters. The appeal must be submitted by requesting and completing an appeals document, which Baker Tilly will provide via email. Baker Tilly will acknowledge receipt of the appeal and keep the client informed of its status. Baker Tilly personnel involved in the certification activity under appeal will not be involved in handling the appeal. Baker Tilly will ensure that the investigation of, and decision on, an appeal does not result in any discriminatory action against the client, and will give formal notice to the appellant at the end of the process.
Once a decision has been made regarding the appeal, neither party may make counterclaims to change the decision unless additional supporting documentation is provided. Baker Tilly will consider the outcomes of historical cases when similar appeals are received. If an appeal is successful and certification is issued or reinstated, claims cannot be made against Baker Tilly for reimbursement of costs associated with the withholding, suspension, or withdrawal notification.
Baker Tilly shall acknowledge receipt of any complaint and will keep the client informed of the progress of its resolution. The decision, formally communicated at the end of the complaint-handling process, will be communicated by individuals not previously involved in the subject of the complaint. Before disclosing any complaint against Baker Tilly or its clients, both parties will discuss the matter together, unless disclosure is required by law.
Baker Tilly clients are responsible for maintaining the certified ISMS. If the client fails to complete the surveillance audits or recertification activities or fails to remediate major non-conformities within the specified time frame, Baker Tilly will initiate certification suspension procedures. Suspension status will be communicated to the client, and the client will have six months from the audit to remediate the issues, after which certification may be restored. If remediation is not completed, Baker Tilly will determine if certification should be withdrawn, or the scope of certification reduced. The client should contact Baker Tilly upon reduction or expansion of the ISMS scope to initiate the scope review process.
If a client fails to maintain compliance with certification conditions, Baker Tilly reserves the right to suspend certification. During a suspension period, certification is invalid, and these periods are reflected in the status field within our client directory.
Rules for the use of the Baker Tilly name and logo are documented within the terms and conditions section of our client agreement and within documentation given to clients upon successful certification. We closely monitor the use of our name and logo to ensure compliance with standards governing us as a certification body. Complaints against Baker Tilly or our clients are not made public unless required by law. Certified clients may use our certification mark subject to the following conditions:
- The certification mark may be used on correspondence, advertising, and promotional material in conjunction with the certified client’s name, and shall not be used in connection with services, activities, or locations not covered by the scope of certification;
- The certification mark shall not be used on a product nor product packaging nor in any other way that may be interpreted as denoting product conformity;
- The certification mark shall not be altered, including both style and colors;
- Upon termination of certification, the certified client shall immediately discontinue the use of the mark. Use of the marks is not to be reinitiated unless certification is fully reinstated.
[1] IAF Mandatory Document: Transition requirements for ISO/IEC 27001:2022, Aug. 9, 2022, International Accreditation Forum (IAF).