The number and variety of information systems (IS) certifications have increased continuously as the use of information technology has diversified and expanded. IS certifications are neutral third-party attestations of specific system characteristics and management principles to prove compliance with requirements. The reasons for organizations to adopt IS certifications are diverse, such as fostering learning and improvement, or demonstrating regulatory compliance. However, because of organizations’ diverse motivations to adopt certifications, organizations also differ in their degree of internalizing the certification. In particular, superficial, ceremonial adoption and a lack of internalization of certifications become critical issues harming the certification’s reputation and effectiveness. This short paper reports on preliminary findings from a qualitative study on the development of a data protection certification. Based on unique access to case companies throughout the certification attestation process, our research will provide insights into how motivations for adoption impact the internalization processes of organizations.