ISO/IEC 27001 is the international standard for information security management systems. Certification to ISO 27001 is a formal attestation, issued by an accredited certification body, that an organization has implemented and operates an information security management system (ISMS) conforming to the standard. Certification is granted following a two-stage external audit and is typically valid for three years, with annual surveillance audits during that period. The completion of an ISO 27001 certification engagement is one of the most concrete information-security milestones a B2B software company can achieve, and it changes what the testimonial wall is allowed to say and what it should now say.
From the customer-success and testimonial-wall perspective, ISO 27001 certification is genuinely different from the financial-event completions covered in our other guides and even from the SOC 2 audit attestation. A SOC 2 report is a point-in-time or period attestation that an organization's controls meet the AICPA trust service criteria; an ISO 27001 certificate is an attestation that the organization operates a management system, not just a set of controls. The distinction matters for the testimonial wall because the language of ISO 27001 is the language of an ongoing system — risk assessment, statement of applicability, internal audits, management review — rather than a snapshot.
This guide separates the ISO 27001 certification process into four phases, explains what changes for the testimonial wall in each phase, and provides per-phase playbooks. The dynamics differ from the discrete balance-sheet events covered in our other guides, and the testimonial-wall playbook differs accordingly.
The four phases of ISO 27001 certification
ISO 27001 certification is not a single event; it is a multi-quarter engagement with a discrete kickoff, a Stage 1 readiness audit, a Stage 2 certification audit, and an ongoing surveillance cycle. The testimonial wall should treat each phase differently.
Phase 1: ISMS implementation and internal readiness. The organization defines the scope of the ISMS, conducts an information security risk assessment, prepares the statement of applicability (the document that lists which Annex A controls are implemented and which are excluded with justification), implements the selected controls, and runs at least one cycle of internal audits and management reviews. This phase typically lasts six to twelve months for a first-time implementation and is the most labor-intensive phase by a wide margin.
Phase 2: Stage 1 audit (documentation review). The accredited certification body performs a documentation review of the ISMS — risk assessment methodology, statement of applicability, policies, procedures, internal audit results, and management review minutes. The Stage 1 audit identifies any gaps that would prevent certification at Stage 2. The output is a Stage 1 audit report listing findings (minor or major nonconformities) that must be addressed before Stage 2.
Phase 3: Stage 2 audit (certification audit). The certification body conducts on-site or remote fieldwork — interviewing personnel, sampling evidence, testing control operation, and verifying that the ISMS is operating in practice. The body then issues a Stage 2 audit report listing any findings. If no major nonconformities are open at the end of Stage 2, the certification body issues an ISO 27001 certificate, typically valid for three years from the date of issue.
Phase 4: Surveillance and recertification cycle. During the three-year certification period, the certification body conducts annual surveillance audits — smaller in scope than the Stage 2 audit but covering critical controls and any prior findings. At the end of the three-year cycle, a full recertification audit is required to renew the certificate for another three years.
Each phase has its own testimonial-wall risks. The biggest mistake is to treat the Stage 2 audit pass as a single day-one event and ignore Phases 1, 2, and 4.
Per-phase playbook for the testimonial wall
Phase 1: ISMS implementation and internal readiness
During the implementation phase, the testimonial wall is operating without the formal ISO 27001 certificate — and that is the most important fact to internalize. Any quote that uses formal ISMS language ("our information security management system," "our certified controls," "our ISO 27001 program") is making a claim the company cannot yet substantiate with an external certificate.
First, audit existing security-related quotes for forward-looking language. A common pre-certification testimonial pattern reads "we trust [Company]'s information security program" or "their ISMS is mature." These quotes are fine when the customer is speaking from personal experience of working with the security team, but they should not be paired with marketing copy that implies certification. Treat each quote with one of three options:
- Keep the personal-experience framing. "Their security team gave us the most thorough vendor risk review we've completed this year" is durable because it is anchored in the customer's experience, not in a claim about formal certification.
- Avoid pairing with certification language. Do not place a personal-experience security quote next to copy that says "ISO 27001 certified" before the certificate is issued. The juxtaposition implies certification that does not exist.
- Retire if formal claims are made. If a quote uses words like "certified," "ISO 27001 attested," or "accredited" before the certificate is issued, retire the quote. The cost of misrepresenting certification status is higher than the cost of removing one testimonial.
Second, prepare the testimonial-collection pipeline for the post-certification phase. Identify three to five customers — preferably ones operating in regulated industries (financial services, healthcare-adjacent, government suppliers) — who would be willing to provide a refreshed quote after the certificate is issued. Seed the conversation during implementation, when the customer can already see security maturity improvements.
Phase 2: Stage 1 audit (documentation review)
The Stage 1 audit is a documentation review only. Passing Stage 1 does not yield a certificate; it confirms that the documentation is ready for the Stage 2 fieldwork. The testimonial-wall trap during this phase is the same as the SOC 2 observation-period trap: the company often announces "ISO 27001 in progress" externally, and marketing teams start tightening the language on the testimonial wall to match the future certification. This is premature.
Hold the line on certification language until the certificate is issued. "ISO 27001 in progress" is not "ISO 27001 certified." The testimonial wall should continue to use personal-experience security framing throughout this phase. Specifically, avoid the following pre-certification patterns:
- Adding "ISO 27001" to security-related testimonial captions before the certificate is issued.
- Pairing customer quotes with ISO 27001 trust badges that imply certification.
- Using "ISO 27001 certified" anywhere on the testimonial page until the certificate is in hand.
Build the post-certification quote inventory now. Reach out to the customers identified in Phase 1 and prepare draft quotes that you can refresh and confirm after the certificate is issued. The draft quotes should focus on the customer's experience of working with the company's security posture and ISMS in practice — vendor risk reviews, security questionnaires, incident response, data-portability requests — rather than on the certificate itself.
Phase 3: Stage 2 audit (certification audit)
Phase 3 is the highest-leverage moment for the testimonial wall. The certification body is producing the Stage 2 audit report, and within a few weeks the company will know whether the certificate will be issued, conditionally issued (pending closure of minor nonconformities), or withheld. The testimonial wall playbook splits sharply by outcome.
If no major nonconformities and the certificate is issued cleanly. This is the standard outcome for a well-prepared first engagement, and it unlocks the strongest testimonial-wall moves. Specifically:
- Refresh the security-anchored quotes from the inventory built in Phases 1 and 2. Reach back to the customers and ask if they would be willing to refresh the quote in light of the just-issued ISO 27001 certificate. Most will agree, and some will offer to strengthen the quote based on their direct experience of the security program.
- Add an "ISO 27001 certified" trust badge near the security testimonials. Place it in a way that connects the customer experience quotes with the formal certification. The pairing is what makes both more credible than either alone. Include the certificate number and the accredited certification body name to enable verification.
- Create a section of the testimonial page anchored to the security and risk-management dimension. Customers in regulated industries — financial services, healthcare-adjacent, public sector — are the ones who will value this section most, and their quotes belong here.
If minor nonconformities are open at the end of Stage 2. Most first-year ISO 27001 audits surface at least one or two minor nonconformities. These do not prevent certification, but they require a corrective action plan and follow-up evidence. The testimonial wall should be careful:
- Wait for the certificate to be formally issued before claiming "ISO 27001 certified." The Stage 2 audit pass is a precursor; the issued certificate is the artifact. Use precise language: "ISO 27001 Stage 2 audit completed, certificate pending corrective actions" if there is external pressure to communicate progress.
- Pair refreshed testimonials with the certificate, not with the audit completion. A "Stage 2 passed" caption next to a strengthened security testimonial creates a credibility gap if sophisticated buyers ask to see the certificate.
If major nonconformities are open at the end of Stage 2. This outcome means the certificate will not be issued without rework. The testimonial wall should not amplify ISO 27001 status at all. Continue with personal-experience security framing only, and address the underlying ISMS issues before returning to certification-based marketing.
Phase 4: Surveillance and recertification cycle
The post-certification phase is where most testimonial walls go stale. The certificate is issued, the trust badge is added, the security testimonials are refreshed once — and then the wall sits unchanged for three years until the recertification cycle.
Build a quarterly refresh cycle for the security-anchored quotes. Each quarter, identify one or two customers who have had a notable security-related experience (a clean vendor risk review, a successful penetration test, a smooth data-portability request, a positive third-party security questionnaire response) and add their quote to the wall. This keeps the security section feeling current and prevents the impression that the testimonial wall is frozen to the date the certificate was issued.
Track surveillance audits and reflect the outcomes appropriately. Each annual surveillance audit produces a surveillance report. A clean surveillance report is itself an opportunity to refresh the security narrative. Do not let surveillance audits pass without acknowledgment in the testimonial-wall content cycle.
Plan for the recertification audit eighteen months in advance. The recertification audit is broader in scope than a surveillance audit, and a poor result can lead to certificate suspension or withdrawal. By the eighteenth month of the certification period, prospects in regulated industries will start asking about the recertification roadmap. Plan the recertification audit early and reflect the recertification calendar in the testimonial-wall language as the date approaches.
Manage the recertification-period quote freeze. During the months leading up to recertification, the wall is again in a "current certificate still valid, next certificate in progress" state. The strongest move is to keep the security testimonials in place, anchored to personal experience rather than certification, and to refresh the certification status language only once the recertification certificate is issued.
Common testimonial-wall failures around ISO 27001
Three failure modes show up repeatedly in our review of B2B software testimonial walls after an ISO 27001 certification.
Failure 1 — premature certification claims. An "ISO 27001 in progress" trust badge appearing next to security testimonials before the certificate is issued. This creates legal exposure under truth-in-advertising rules and reputational exposure with sophisticated buyers who will check the certificate registry. Anchor all certification-related copy to the actual certificate issue date and certificate number.
Failure 2 — expired or near-expiration certificate references. An ISO 27001 trust badge that still shows a certificate with an expiration date inside the next ninety days, with no visible plan for the recertification audit. This signals that the company has not completed its recertification cycle on time. Either remove the expiration date reference or update the badge as soon as the recertification certificate is issued.
Failure 3 — confusing ISO 27001 with adjacent frameworks. ISO 27001 is sometimes conflated on testimonial walls with ISO 27002 (the controls reference), ISO 27017 (cloud-specific controls), or ISO 27018 (cloud PII controls). Each is distinct, and sophisticated buyers in regulated industries will notice the difference. Use precise framework names and certificate numbers in the trust-badge area, and let the customer-experience quotes do the persuasion work.
Each failure is recoverable with a targeted refresh, but the cost of recovery grows with the time the failure has been live on the wall.
Where ISO 27001 fits in the broader compliance and testimonial sequence
An ISO 27001 certification is one node in the broader compliance landscape that includes SOC 2 attestation, HIPAA compliance for healthcare-adjacent products, and other framework-specific reviews. Each framework has its own attestation language, its own testimonial-wall implications, and its own renewal cycle. The general principle is consistent across all of them: anchor the testimonial wall to customer experience first and formal certification second, and the wall will remain durable through audit cycles, surveillance findings, and framework migrations.
Pair this guide with handling negative testimonials and criticism for the cases where a security-related quote becomes a liability, and with how to verify testimonial authenticity for the substantiation discipline that compliance-adjacent testimonials require.