What to expect from Stage 1 and Stage 2 ISO 27001 audits

First-timers to the world of management standards and certification will, without a doubt, find the audit a daunting prospect. Even those with experience implementing management systems will often find the certification audit a bit frightening. With the right preparation, though, it need not be as intimidating as it seems.

If you are attempting certification with the assistance of a consultancy firm, it is likely that the consultant will arrange a pre-certification audit closer to your scheduled certification audit, to establish whether your ISMS will achieve a successful pass. Consider this a pre-certification ‘dress rehearsal’ audit, enabling you to identify any potential problems that can be ironed out beforehand, and an opportunity for the organisation’s staff to be prepared for the big day.

The certification audit will be conducted by an independent certification body (selected by you), and consists of ‘Stage 1’ and ‘Stage 2’ audits.

Stage 1 audit

The Stage 1 audit is often called a ‘documentation review’ audit because the auditor will review your documentation to establish whether it is in line with the requirements of ISO 27001:2013. This stage is more of a ‘reconnaissance’ audit, or a ‘pre-assessment’, whereby the auditor does a high-level review of your ISMS and establishes whether the internal audit programme is in place.  Stage 1 is completed on-site to determine whether your ISMS has met the minimum requirements of the Standard and is ready for a certification audit. The auditor will point out any areas of nonconformity and potential improvements of the management system.

Stage 2 audit

The Stage 2 audit is often referred to as the ‘certification audit’. During a Stage 2 audit, the auditor will conduct a thorough assessment to establish whether the organisation’s ISMS is compliant with the ISO 27001 standard and seek evidence that the organisation is following the documentation (policies, procedures, etc.) in practice. The auditor (or auditors) will review their audit checklists and provide feedback to the client regarding any nonconformities.

Upon a successful pass, the auditor will issue a certificate stating that the business has met the ISO 27001 requirements, and recommend the company for ISO 27001 certification.

Don’t get caught ill-prepared for an audit. Use vsRisk, the information security risk assessment software, to produce ISO 27001-compliant, audit-ready reports, including the Statement of Applicability and risk treatment plan, that will impress even the toughest of auditors.

vsRisk also integrates with the ever-popular ISO 27001 Documentation Toolkit, enabling you to  accelerate the implementation of controls with one click.

Purchase vsRisk Standalone with the ISMS Documentation Toolkit and save 10%!

Contact us if you would like a personal demo of vsRisk.

Leave a Reply

Your email address will not be published. Required fields are marked *