What to expect from Stage 1 and Stage 2 ISO 27001 audits

Those who are just getting to know ISO 27001 will no doubt find the audit a daunting prospect.

It’s a big, complex task that can be tricky for even experienced professionals. But, as with many challenges, you can overcome any concerns by preparing. Once you understand how the process works, it won’t seem nearly as intimidating.

If you’re attempting certification with the assistance of a consultancy firm, the consultant will probably arrange a pre-certification audit closer to your scheduled audit. This helps them see whether your ISMS (information security management system) is likely to meet all the necessary criteria.

Consider this a pre-certification ‘dress rehearsal’ audit. It allows you to identify any potential problems that can be ironed out before the actual audit, and it gives your staff the opportunity to see how the big day will play out.

The certification audit is conducted by an independent certification body (selected by you), and consists of ‘Stage 1’ and ‘Stage 2’ audits.

Stage 1 audit

The Stage 1 audit is often called a ‘documentation review’ audit, because the auditor will review your processes and policies to establish whether they’re in line with the requirements of ISO 27001.

This stage is more of a ‘reconnaissance’ audit, or a ‘pre-assessment’, where the auditor does a high-level review of your ISMS and establishes whether the internal audit programme is in place.

Stage 1 is completed on-site to determine whether your ISMS has met the minimum requirements of the Standard and is ready for a certification audit. The auditor will point out any areas of nonconformity and potential improvements of the management system.

Stage 2 audit

The Stage 2 audit is often referred to as the ‘certification audit’. During a Stage 2 audit, the auditor will conduct a thorough on-site assessment to establish whether the organisation’s ISMS complies with ISO 27001.

They auditor will also be looking for evidence that the organisation is following the documentation that they’ve previously reviewed.

The auditor will review their audit checklists and provide feedback to the client regarding any nonconformities.

If everything is in order, the auditor will issue a certificate stating that your organisation’s ISMS complies with ISO 27001, and recommend you for ISO 27001 certification.

Are you prepared for a certification audit?

Don’t get caught out by your ISO 27001 certification audit. Use vsRisk, the information security risk assessment software, to produce ISO 27001-compliant, audit-ready reports, including the Statement of Applicability and risk treatment plan, that will impress even the toughest of auditors.

vsRisk also integrates with the ever-popular ISO 27001 Documentation Toolkit, enabling you to  accelerate the implementation of controls with one click.


A version of this blog was originally published on 23 July 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.