Stage 1 vs Stage 2 ISO 27001 audit: what to prepare for each
Getting ISO 27001 certified involves two audit stages with a gap between them. Understanding what each stage tests — and how to prepare specifically for each — is one of the most practical things you can do before your first certification project.
The overall process runs: define scope → build your ISMS → Stage 1 audit → address findings → observation period → Stage 2 audit → receive certificate → surveillance audits (years 1 and 2) → recertification audit (year 3).
Stage 1: The documentation review
Stage 1 is a documentation review. The auditor — typically one or two people from your certification body — reviews your ISMS documentation to assess whether your management system is designed correctly and whether you are ready to proceed to Stage 2. It typically takes one to two days and can often be conducted remotely.
The auditor is not testing whether your controls are working at Stage 1. They are checking whether your management system documentation is in place, coherent, and meets the requirements of the standard.
What auditors look for at Stage 1
- ISMS scope document — Clear boundaries defining what is in and out of scope. Organisational units, systems, locations, and exclusions should be explicitly documented.
- Information Security Policy — Top-level policy approved by top management, reviewed at planned intervals (in practice at least annually, and after any significant change), and communicated to all relevant staff.
- Risk assessment methodology — A documented, consistent approach to identifying, analysing, and evaluating risks. It must be repeatable — the same methodology applied by two different people should produce comparable results.
- Risk treatment plan — Every identified risk matched to a treatment decision (accept, mitigate, transfer, avoid) with ownership assigned and timelines documented.
- Statement of Applicability — All 93 Annex A controls from the 2022 edition listed, with a justification for each inclusion and each exclusion, and for every included control a statement of whether it is implemented and where (a policy, procedure or system reference the auditor can follow at Stage 2).
- Management review records — Evidence of at least one management review covering the inputs clause 9.3 requires: status of actions from previous reviews, changes affecting the ISMS, audit results and fulfilment of objectives, risk assessment results and risk treatment plan status, and decisions on resources and improvements.
- Internal audit records — An internal audit programme, and evidence that at least one internal audit has been completed or is scheduled before Stage 2. The programme must cover the whole ISMS scope and every clause of the standard, not only the Annex A controls.
- Roles and responsibilities — Documented assignment of ISMS roles. The standard requires top management involvement — this cannot be entirely delegated to the IT team.
Common Stage 1 findings
- SoA not updated for 2022 controls (still referencing 2013 numbering)
- Risk assessment methodology documented but not actually applied consistently — the risk register uses a different scoring approach than the methodology describes
- Internal audit not yet completed — certification bodies expect a completed internal audit (and a completed management review) before Stage 2 goes ahead
- Management review meeting not minuted or agenda items missing
- ISMS objectives not defined or not measurable
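The two SoA findings above (missing or unjustified entries, and 2013 numbering left in place) are mechanical enough to check before the auditor does. The script below is an added example written for this page, not a tool from the original article: it reads an SoA export in a constructed CSV layout (columns control_id, applicable, justification, implementation, an assumed format) and reports legacy three-level 2013 identifiers, controls that are not in the 2022 Annex A set, duplicates, entries with no justification, and applicable controls with no implementation reference. The 93-control set is built from the 2022 numbering (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34).

```python
import csv
import io
import re

# ISO/IEC 27001:2022 Annex A: 37 organisational, 8 people, 14 physical and
# 34 technological controls, 93 in total.
ANNEX_A_2022 = (
    {f"A.5.{i}" for i in range(1, 38)}
    | {f"A.6.{i}" for i in range(1, 9)}
    | {f"A.7.{i}" for i in range(1, 15)}
    | {f"A.8.{i}" for i in range(1, 35)}
)

# The 2013 edition numbered controls at three levels (e.g. A.9.2.3);
# the 2022 edition uses two (e.g. A.8.2). A three-level ID is a legacy entry.
LEGACY_2013_ID = re.compile(r"^A\.\d{1,2}\.\d{1,2}\.\d{1,2}$")

# Constructed sample SoA export (assumed column layout, not real data).
SAMPLE_SOA_CSV = """control_id,applicable,justification,implementation
A.5.1,yes,Policies are the basis of the ISMS,ISMS-POL-001 Information Security Policy
A.5.2,yes,,ISMS-POL-001 section 4 Roles
A.9.2.3,yes,Privileged access must be controlled,PAM procedure
A.8.2,yes,Privileged access must be restricted and reviewed,
A.7.4,no,No premises in scope: fully remote workforce,
"""


def _control_key(cid):
    """Sort key so A.5.9 comes before A.5.10."""
    return tuple(int(part) for part in cid[2:].split("."))


def _truthy(value):
    return (value or "").strip().lower() in {"yes", "true", "y", "1", "applicable"}


def validate_soa(soa_csv):
    """Check an SoA export for the problems Stage 1 auditors raise.

    Returns a dict of finding lists; every list empty means the SoA is complete."""
    findings = {
        "legacy_ids": [],            # 2013-style numbering still present
        "unknown_ids": [],           # not a 2022 Annex A control
        "duplicate_ids": [],         # same control listed twice
        "missing_justification": [], # no reason given for inclusion/exclusion
        "missing_implementation": [],# applicable but no reference to where it lives
        "missing_controls": [],      # 2022 controls absent from the SoA altogether
    }
    seen = set()
    for row in csv.DictReader(io.StringIO(soa_csv)):
        cid = (row.get("control_id") or "").strip()
        if LEGACY_2013_ID.match(cid):
            findings["legacy_ids"].append(cid)
            continue
        if cid not in ANNEX_A_2022:
            findings["unknown_ids"].append(cid)
            continue
        if cid in seen:
            findings["duplicate_ids"].append(cid)
            continue
        seen.add(cid)
        if not (row.get("justification") or "").strip():
            findings["missing_justification"].append(cid)
        if _truthy(row.get("applicable")) and not (row.get("implementation") or "").strip():
            findings["missing_implementation"].append(cid)
    findings["missing_controls"] = sorted(ANNEX_A_2022 - seen, key=_control_key)
    return findings


def stage1_ready(findings):
    """True only when no finding category has any entries."""
    return not any(findings.values())


if __name__ == "__main__":
    result = validate_soa(SAMPLE_SOA_CSV)
    for category, ids in result.items():
        if ids:
            print(f"{category}: {len(ids)} -> {ids[:5]}{' ...' if len(ids) > 5 else ''}")
    print("Stage 1 ready:", stage1_ready(result))
```

On the constructed sample this flags A.9.2.3 as a 2013 identifier, A.5.2 for having no justification, A.8.2 for being applicable with no implementation reference, and the 89 controls the export never mentions. Running the same check against a full SoA export before Stage 1 turns the two most common findings into a five-minute fix rather than a report item.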
The gap between Stage 1 and Stage 2
After Stage 1, the certification body issues a report listing any non-conformities and areas of concern (observations that could become non-conformities at Stage 2). Major non-conformities must be closed before Stage 2 can proceed. Minor non-conformities and observations are expected to be addressed by Stage 2, where the auditor will check whether they have been resolved; if too many remain open, the certification body can postpone Stage 2.
The gap between stages is typically one to three months. Use this time to close Stage 1 findings, complete your internal audit if it was not done, and ensure your controls are actually running and generating evidence. Stage 2 is about proof.
Stage 2: Operational effectiveness
Stage 2 is significantly more intensive than Stage 1. The auditor verifies that your controls are not just documented — they are actually operating as described and have been throughout a sufficient period. Stage 2 typically runs two to four days for a small to medium organisation and must be conducted on-site for at least part of the engagement.
The auditor will sample evidence, interview staff, and observe processes. Interviews are particularly important: auditors speak to employees who are not part of the compliance team to verify that they understand the policies relevant to their work.
What auditors check at Stage 2
- Evidence that controls operated as described — Access review records, vulnerability scan reports, patch logs, change approval tickets, incident records. Auditors will sample these and trace them back to the control in the SoA.
- Staff interviews — Can your developers explain your change management process? Does your HR lead know what to do when an employee leaves? Auditors probe whether training is effective, not just whether training records exist.
- Management review in the period — A management review must have occurred during the period being assessed. Not just planned — completed, with minutes.
- Internal audit in the period — An internal audit covering the full ISMS scope must have been completed. Findings from the internal audit should be tracked to closure.
Common Stage 2 findings
- Evidence gaps — the control is described and implemented, but no evidence was collected that it ran during the observation period. Quarterly access reviews that were completed but not documented are the most common example.
- Stale access reviews — access reviews were completed but not acted on. Former employees still have access, or elevated permissions were not reviewed.
- Training records missing for staff hired during the observation period
- Incident response procedure never invoked — a clean incident log is not evidence on its own. If you had zero incidents, auditors will verify that your monitoring is actually capable of detecting them, for example by reviewing alert logs or a recorded test of the procedure
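The evidence-gap and stale-access findings above share a root cause: the review ran, but nothing machine-checkable records what was reviewed and what happened as a result. The script below is an added example for this page, not a tool from the original article. It cross-checks a constructed identity-provider account export against a constructed HR leavers list and the reviewer's sign-off (the CSV layouts and the review decision format are assumptions), and then builds a dated evidence record an auditor can sample. It reports leavers whose accounts are still enabled, logins after a leave date, active accounts the reviewer never decided on, and accounts kept despite being dormant for more than 90 days (an assumed threshold).

```python
import csv
import io
import json
from datetime import date, datetime, timedelta

# Constructed sample exports (not real data).
ACCOUNTS_CSV = """username,enabled,privileged,last_login
alice,true,true,2024-06-28
bob,true,false,2024-02-20
carol,true,false,2024-05-20
dave,false,false,2024-01-10
frank,true,true,2024-06-25
"""

LEAVERS_CSV = """username,leave_date
carol,2024-04-30
dave,2024-01-12
"""

# The reviewer's sign-off for the quarter: only the accounts actually decided on.
REVIEW_DECISIONS = {"alice": "keep", "bob": "keep"}

PERIOD_START = date(2024, 4, 1)
PERIOD_END = date(2024, 6, 30)
DORMANT_AFTER = timedelta(days=90)  # assumed threshold


def _truthy(value):
    return (value or "").strip().lower() in {"true", "yes", "1", "y"}


def reconcile(accounts_csv, leavers_csv, decisions, period_end):
    """Cross-check an account export against HR leavers and the review sign-off.

    Returns a list of finding dicts; an empty list means the review is consistent."""
    accounts = list(csv.DictReader(io.StringIO(accounts_csv)))
    leavers = {
        row["username"]: date.fromisoformat(row["leave_date"])
        for row in csv.DictReader(io.StringIO(leavers_csv))
    }
    findings = []
    for acc in accounts:
        user = acc["username"]
        enabled = _truthy(acc["enabled"])
        privileged = _truthy(acc["privileged"])
        last_login = date.fromisoformat(acc["last_login"])
        if user in leavers:
            leave_date = leavers[user]
            if enabled:
                findings.append({"user": user, "issue": "leaver_still_enabled",
                                 "detail": f"left {leave_date}, account still enabled"})
            if last_login > leave_date:
                findings.append({"user": user, "issue": "login_after_leave_date",
                                 "detail": f"last login {last_login} after leave date {leave_date}"})
            continue  # leavers should not appear in the review sign-off at all
        if not enabled:
            continue
        if user not in decisions:
            findings.append({"user": user, "issue": "unreviewed_active_account",
                             "detail": "privileged" if privileged else "standard"})
        elif decisions[user] == "keep" and period_end - last_login > DORMANT_AFTER:
            findings.append({"user": user, "issue": "dormant_account_kept",
                             "detail": f"kept but no login since {last_login}"})
    return findings


def evidence_record(findings, decisions, reviewer, period_start, period_end):
    """The artefact an auditor can sample: who reviewed what, when, and what was found."""
    return {
        "control": "A.5.18 Access rights (periodic review)",
        "period": {"start": period_start.isoformat(), "end": period_end.isoformat()},
        "reviewer": reviewer,
        "generated_at": datetime.now().isoformat(timespec="seconds"),
        "accounts_reviewed": sorted(decisions),
        "findings": findings,
        "result": "pass" if not findings else "action_required",
    }


def run_sample():
    return reconcile(ACCOUNTS_CSV, LEAVERS_CSV, REVIEW_DECISIONS, PERIOD_END)


def sample_evidence():
    return evidence_record(run_sample(), REVIEW_DECISIONS, "it-security-lead",
                           PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    print(json.dumps(sample_evidence(), indent=2))
```

On the sample data this produces four findings: bob was kept despite no login since February, carol left on 30 April but is still enabled and logged in on 20 May, and frank's privileged account was never reviewed. Dave, disabled before his leave date, produces nothing, which is what a correctly run leaver process looks like. Store the JSON output with the quarter's review, and the Stage 2 auditor sampling "access review records" gets the review, its scope and the follow-up actions in one place.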
After certification: what comes next
ISO 27001 certification is valid for three years, with annual surveillance audits. Year 1 and Year 2 surveillance audits are shorter than the initial certification audit — they verify that your ISMS is still operating and that any prior findings have been addressed. The Year 3 recertification audit is essentially a full Stage 2 repeat.
The organisations that find surveillance audits easy are the ones that never stopped running their ISMS. The ones who struggle are the ones who treated certification as a project with an end date.
Maintain your evidence collection, complete your management reviews, and run internal audits every year. The surveillance audit should feel routine, not like a crisis.