If your company holds a valid ISO 27001 certificate, your CyberVadis assessment process includes two features designed to save you time: a dedicated certificate upload stage and automatic prefilling of controls within your certification scope.
How the ISO pathway works
Your assessment follows the same five stages as the standard process: registration, qualification questionnaire, full questionnaire, expert analysis, and results. However, between the qualification stage and the full questionnaire, you will be directed through an additional step: the Certificate Stage.
Stage 1: The Certificate Stage
After completing the qualification questionnaire, you will be directed to the Certificate Stage before accessing the full questionnaire. Here you will:
Declare that your organisation holds a valid ISO 27001 certificate
Select your certification version: ISO 27001:2013 or ISO 27001:2022
Upload your ISO 27001 certificate
Upload your Statement of Applicability (SoA)
Both the certificate and the SoA are required. The SoA is particularly important: it defines which controls are within your certification scope and determines which questions will be pre-filled in the next stage.
Stage 2: ISO prefill in the questionnaire
Once your certificate and SoA have been uploaded, the controls that fall within your ISO certification scope will be automatically pre-filled in your questionnaire. This means you will not need to answer those questions from scratch: the platform recognises that your ISO certification already covers those controls.
Controls outside your certification scope will not be pre-filled and must be completed manually in the usual way.
What you still need to do
ISO prefill saves significant time, but your responsibility does not end there. For every pre-filled control, you must:
Review the pre-filled answer: confirm it accurately reflects your current certified practices
Check your evidence: ensure your certificate and SoA are valid, current, and have not expired
Mark the question as complete: use the green toggle at the top of each question page to mark reviewed questions as "Question Completed"
Complete remaining questions manually: work through any controls outside your ISO scope as you would in a standard assessment
Important: CyberVadis is complementary to ISO 27001, not redundant
Holding an ISO 27001 certificate, or any other certification such as SOC 2, does not replace the CyberVadis assessment.
Here is why:
Complementary, not redundant: certifications like ISO 27001 and SOC 2 demonstrate strong security governance and are a recognized mark of maturity. CyberVadis provides an additional independent evaluation designed specifically for third-party risk management - a distinct purpose that existing certifications do not fulfil on their own.
Broader methodology coverage: while ISO 27001 is a comprehensive framework, the CyberVadis methodology aggregates and aligns requirements from multiple major frameworks and regulations including NIST, NIS2, DORA, ANSSI, and others. This gives your clients a more complete and multi-framework view of your cybersecurity maturity than any single certification can provide.
Your ISO certification is a valuable asset in the assessment: it accelerates the process and strengthens your evidence base. But the CyberVadis scorecard serves a different purpose: it gives your clients an independent, standardized, and continuously updated view of your security posture across a broader set of requirements.
