ISO 27001 · 1 July 2026
ISO 27001 Stage 1 and Stage 2 audits: what to expect
Certification to ISO/IEC 27001:2022 is awarded by a UKAS-accredited certification body following a two-stage audit. This guide explains what Stage 1 and Stage 2 involve, how findings are handled, and how to prepare so there are no surprises.
Who certifies you — and why UKAS matters
Certification isn’t self-declared. An independent certification body assesses your ISMS against the standard. For your certificate to carry weight with clients and buyers, choose a body accredited by UKAS (the United Kingdom Accreditation Service). A UKAS-accredited certificate is the one most customers and public-sector procurement teams expect to see.
The two-stage model
Certification audits are deliberately split into two stages so that problems are found early, before the full assessment.
| Stage 1 | Stage 2 | |
|---|---|---|
| Focus | Documentation and readiness | Effectiveness and implementation |
| Question it answers | ”Is the ISMS designed correctly?" | "Is the ISMS actually working?” |
| Main activity | Reviewing documents and scope | Testing controls and evidence |
| Outcome | Readiness confirmed; gaps flagged | Recommendation for certification |
Stage 1: documentation and readiness review
Stage 1 checks that your ISMS is designed and documented correctly and that you’re ready for the deeper Stage 2 assessment. The auditor typically:
- Confirms the scope of your ISMS is clear and appropriate.
- Reviews core documents — the information security policy, risk assessment, risk treatment plan and Statement of Applicability.
- Checks that mandatory elements such as internal audit and management review are established.
- Identifies any gaps or areas of concern to resolve before Stage 2.
Stage 1 is best thought of as a readiness check. Its output is a set of observations telling you exactly where you stand. There is usually a gap between Stage 1 and Stage 2 to give you time to address anything raised.
Stage 2: the effectiveness audit
Stage 2 is the main event. The auditor tests whether the ISMS is operating in practice, not just on paper. They will:
- Sample controls from your SoA and look for evidence they’re working.
- Interview staff to check awareness and that responsibilities are understood.
- Review records such as access logs, training records, incident logs and audit results.
- Verify that your risk treatment plan has been implemented.
- Confirm internal audits and a management review have taken place.
The auditor is looking for evidence over assertion — proof that what you’ve documented is genuinely happening day to day.
How findings are handled
Audit findings are usually classified as:
- Major nonconformity — a significant failure, such as a whole requirement not implemented. Majors must be resolved before certification is recommended.
- Minor nonconformity — a smaller lapse or isolated gap. These typically need a corrective action plan but don’t necessarily block certification.
- Observation or opportunity for improvement — not a breach, but a suggestion worth acting on.
For any nonconformity you’ll usually complete root cause analysis and a corrective action to fix it and prevent recurrence. A calm, well-evidenced response to findings reflects well on your ISMS.
What happens after Stage 2
If Stage 2 is successful, the auditor recommends certification, which is then confirmed by the certification body. Your certificate is typically valid for three years, subject to ongoing checks. That’s not the end of the journey, though — it’s the start of a cycle that includes annual surveillance audits and recertification every three years.
How to prepare with confidence
Preparation is what turns an audit from stressful into routine. Before Stage 1:
- Make sure your documentation is complete and consistent — see our documentation checklist.
- Confirm your risk assessment, treatment plan and SoA tell one story.
- Run at least one internal audit and a management review — see our guide to internal audits.
- Check that staff can explain their security responsibilities.
- Gather evidence that controls are operating: logs, records, tickets and screenshots.
A short pre-audit readiness review often uncovers the small inconsistencies that would otherwise become findings.
Common reasons audits stumble
- Documentation that doesn’t match reality — the plan says one thing, practice does another.
- No completed internal audit or management review, both of which are mandatory.
- Thin evidence that controls are actually operating.
- Scope confusion, where the boundary of the ISMS is unclear.
- Unresolved Stage 1 gaps carried into Stage 2.
If any of the terms here are unfamiliar, our glossary explains them plainly.
How we can help
We provide practical support throughout the audit journey — helping you get documentation audit-ready, run your internal audit and management review, and prepare your team so Stage 1 and Stage 2 run smoothly — as part of a transparent, fixed-fee engagement with a clear delivery process. Our free ISO 27001 gap assessment tool is a quick way to gauge your readiness.
Learn more about our ISO 27001 service or get in touch to plan your certification.
Need help in practice? See our ISO 27001 service.