
ISO 27001 Stage 1 vs Stage 2 Audit -What to Expect at Each

Stage 1 is a documentation review and readiness check. Stage 2 is the effectiveness audit. They are not the same auditor doing the same job twice -they are designed differently, find different things, and require different preparation. The full breakdown.

Soham Sawant
Cybersecurity Expert
May 10, 2026 · 8 min read

Two stages, two different audits. Confusing them is the single biggest source of preparation mistakes.

  • 2 required stages
  • 1-3 days at Stage 1
  • 2-5 days at Stage 2
  • 4-8 weeks between stages

Most certification confusion comes from one assumption -that the audit is one event. It is not. The certification audit is two events, run by the same auditor weeks apart, looking at different things and finding different problems. Teams that prepare for "the audit" as a single event prepare for one of the stages well and the other badly.

This piece walks through what each stage actually is, what auditors do at each, the gap between them, and the preparation tasks that change depending on which stage is next. If you have completed your internal audit and want to know what the certification body will do differently, this is the next read.

1. Why There Are Two Stages

The two-stage audit structure is required by ISO/IEC 17021-1 -the standard that governs how certification bodies operate. The split exists for a specific reason: it gives the audit cycle a built-in checkpoint. Stage 1 tests whether the organisation is ready to be audited at depth; Stage 2 does the depth audit.

Why split it at all? Because effectiveness cannot be tested in a single sitting. Effectiveness requires evidence over time -operating logs, change records, training completion across a period, incident response history. Stage 1 establishes the design and the readiness; Stage 2 tests the operation. The gap between them lets the organisation:

  • Close Stage 1 findings -usually documentation or process gaps that need fixing before deeper testing makes sense.
  • Accumulate evidence -controls that were just implemented need time to operate so Stage 2 can sample meaningful records.
  • Confirm scope -Stage 1 may identify scope ambiguity that needs to be tightened before Stage 2 testing.
Same certification body, usually the same lead auditor

Stage 1 and Stage 2 are normally conducted by the same certification body, and the same lead auditor where possible. This is intentional -the auditor builds context at Stage 1 they use at Stage 2. Switching auditors between stages is rare and reduces audit efficiency.

2. Stage 1 -Documentation & Readiness

Stage 1 is sometimes called the "readiness review" or the "documentation audit." Both names are accurate but understate what it actually does.

What the auditor does at Stage 1

Onsite or remote, typically 1-3 days. The auditor will:

  • Read your documentation set. Every piece of documented information the standard mandates (the list usually summarised as the "14 mandatory documents": scope, information security policy, risk assessment and treatment process, SoA, objectives and so on), plus the Annex A control policies you have implemented. They will check version control, approval signatures, and content alignment with the standard.
  • Verify scope. Confirm the ISMS scope statement matches what they observe on the ground. If the scope says "production SaaS infrastructure" but a sample of systems is hosted on a different cloud account, that is a scope clarity finding.
  • Review the SoA. Spot-check controls. Where excluded, look for justification. Where included, look for evidence the control is at least designed (operating evidence comes at Stage 2).
  • Confirm management commitment. Look at management review minutes, evidence of executive sponsorship, internal audit programme document.
  • Plan Stage 2 sampling. Based on what they read, decide which areas to focus on in Stage 2 and what evidence to request in advance.

What auditors find at Stage 1

Stage 1 findings are usually conformity gaps in the design -documentation that does not exist or does not meet the standard's requirements. Common findings:

  • SoA missing implementation status. Controls listed as "included" but with no indication of whether they actually operate. Stage 2 will not be able to sample what is unclear at Stage 1.
  • Scope statement too narrow or too broad. Scope that excludes obvious in-scope assets or includes things you cannot evidence. Either way the auditor will ask for clarification before proceeding.
  • Mandatory document missing. Risk assessment methodology not documented, internal audit programme document not produced, management review procedure not written.
  • Stale documents. Documents last reviewed two or three years ago, signed by people who have left.
  • Evidence of executive engagement weak. Management review minutes that are perfunctory or missing required inputs.
Stage 1 outcomes that matter

The Stage 1 report concludes with one of three outcomes: ready to proceed to Stage 2, ready to proceed with corrective actions in progress, or not ready. The third outcome is rare for organisations that have done a thorough internal audit. The second is common and is not failure -it just means the gap window absorbs Stage 1 findings before Stage 2.

3. Stage 2 -The Effectiveness Audit

Stage 2 is the audit most people imagine when they think "ISO 27001 audit." It is the deep test. Onsite or hybrid, typically 2-5 days for small-to-medium organisations, longer for larger ones.

What the auditor does at Stage 2

The auditor does not re-read what was already covered at Stage 1. They test whether what is documented is actually happening.

  • Interview control owners. The auditor walks through scenarios with the people responsible for each control. "Talk me through how you handle a vendor onboarding." "Show me what happens when a high-severity vulnerability is discovered." They listen for whether the actual practice matches the documented process.
  • Sample records over the audit period. For each control, request 3-5 examples spanning the audit window -typically the last 3-6 months. Examples: 5 access reviews, 3 incident records, 4 change requests for production, 2 vendor security reviews.
  • Test technical controls. Depending on the scope, the auditor may ask to see logging in action, MFA enforcement on production systems, backup restoration evidence, encryption configuration. They are not a penetration tester; they verify the control is operating as described.
  • Verify Stage 1 findings closed. Any corrective action plan from Stage 1 will be re-tested. If a Stage 1 Minor NC was "training records incomplete," they will sample current training records to confirm the gap has been addressed.
  • Conduct a closing meeting. Present findings, agree classifications, set timelines for corrective action.

What auditors find at Stage 2

Stage 2 findings are usually effectiveness gaps -controls that are documented but not operating as described, or operating with gaps in execution. Common findings:

  • Records that do not match the documented frequency. Policy says quarterly access reviews; evidence shows the last one was 8 months ago.
  • Inconsistent application of a control. Some teams follow the change management process; others bypass it. A sampling-based audit will surface the inconsistency.
  • Operational gaps in incident response. Procedure says incidents are logged within 24 hours; sample of incidents shows median time-to-log is 4 days.
  • Logging that exists but is never reviewed. Logs are captured; but the documented log review process produces no records of actual reviews.
  • Awareness training not completed. The training programme exists, completion records exist, but coverage is below 100% and there is no remediation tracking.
  • Risk treatment plan stale. Risks identified at the start of the project are still showing the same status months later, indicating no active treatment management.

4. The Gap Between Stages -What to Use It For

The 4-8 week gap is not waiting time. It is the closure window. What happens in it largely decides whether Stage 2 goes smoothly.

Week 1-2: Stage 1 findings closure

Any Major NC from Stage 1 must be closed. Any Minor NC should be closed where possible. For each: documented corrective action, evidence of implementation, brief impact statement. Send the closure pack to the certification body at least 2 weeks before Stage 2.

Week 2-4: Operational evidence accumulation

Any control that was newly implemented for Stage 1 will have minimal operating evidence. Use the gap to run another cycle of each -another round of access reviews, another batch of training completions, another vulnerability scan, another incident response drill if you can naturally schedule one. Stage 2 wants to see operating evidence, not just freshly-deployed controls.

Week 4-6: Stage 2 prep

Build a Stage 2 evidence pack. For every control in the SoA, identify the 3-5 records that demonstrate operation. Pre-position them so the auditor can be shown evidence within minutes, not hours. This is not about hiding things -it is about respecting the auditor's time and showing the ISMS is organised.
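A small checker for the evidence pack step above and for the frequency-mismatch finding in section 3 ("policy says quarterly; last review 8 months ago"), as an added example that is not part of the original article: given each SoA control's documented cadence and the dated records you hold, it lists the records to pre-position and flags controls whose evidence would not survive sampling. SoA references, cadences, the audit window and every record are constructed for illustration, and the 1.25 tolerance factor is an assumption.

```python
"""Evidence cadence check for a Stage 2 evidence pack.

Added example, not code from the original article. SoA references, cadences,
the audit window and every record below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    ref: str          # hypothetical SoA label (not Annex A numbering)
    name: str
    every_days: int   # documented cadence: weekly = 7, monthly = 30, quarterly = 91
    min_samples: int  # records the auditor will want to pull (3-5 is typical)


@dataclass(frozen=True)
class Record:
    control_ref: str
    when: date
    detail: str       # ticket, report or minutes reference


def in_window(records, ref, start, end):
    """Records for one control dated inside the audit window, oldest first."""
    hits = [r for r in records if r.control_ref == ref and start <= r.when <= end]
    return sorted(hits, key=lambda r: r.when)


def evidence_pack(controls, records, start, end, n=5):
    """Most recent n in-window records per control: the set to pre-position."""
    return {c.ref: in_window(records, c.ref, start, end)[-n:] for c in controls}


def cadence_findings(controls, records, start, end, tolerance=1.25):
    """Map control ref -> findings. Controls with clean evidence are omitted.

    tolerance (assumed value) lets a cadence slip a little before it is
    flagged: a 91-day review is tolerated up to int(91 * 1.25) = 113 days.
    """
    findings = {}
    for c in controls:
        dates = [r.when for r in in_window(records, c.ref, start, end)]
        allowed = timedelta(days=int(c.every_days * tolerance))
        expected = (end - start).days // c.every_days
        issues = []
        if len(dates) < c.min_samples:
            issues.append(f"only {len(dates)} record(s) in window, "
                          f"{c.min_samples} needed for sampling")
        if not dates:
            issues.append("no operating evidence in the audit window")
        else:
            if len(dates) < expected:
                issues.append(f"{len(dates)} record(s) where a {c.every_days}-day "
                              f"cadence implies about {expected}")
            # Every interval between consecutive records, plus the interval from
            # the last record to the end of the window (staleness).
            points = dates + [end]
            for i, (a, b) in enumerate(zip(points, points[1:])):
                if b - a > allowed:
                    until = "window end" if i == len(dates) - 1 else b.isoformat()
                    issues.append(f"gap of {(b - a).days} days from {a.isoformat()} "
                                  f"to {until} exceeds {allowed.days}")
        if issues:
            findings[c.ref] = issues
    return findings


# Constructed SoA extract and evidence register (six-month audit window).
WINDOW_START, WINDOW_END = date(2026, 1, 1), date(2026, 6, 30)

CONTROLS = [
    Control("ACC-REV", "Quarterly user access review", every_days=91, min_samples=2),
    Control("VULN-SCAN", "Monthly vulnerability scan", every_days=30, min_samples=5),
    Control("LOG-REVIEW", "Weekly security log review", every_days=7, min_samples=5),
]

RECORDS = (
    [Record("ACC-REV", date(2026, 1, 15), "ACC-2026-Q1 review sign-off")]
    + [Record("VULN-SCAN", date(2026, m, d), f"scan-report-2026-{m:02d}")
       for m, d in [(1, 10), (2, 9), (3, 11), (4, 10), (5, 12), (6, 10)]]
    + [Record("LOG-REVIEW", date(2026, m, d), f"logreview-{m:02d}-{d:02d}")
       for m, d in [(1, 5), (1, 12), (1, 19), (1, 26), (2, 2), (2, 9),
                    (2, 16), (2, 23), (3, 2), (4, 20)]]
)


def run_example():
    """Findings and evidence pack for the constructed data above."""
    findings = cadence_findings(CONTROLS, RECORDS, WINDOW_START, WINDOW_END)
    pack = evidence_pack(CONTROLS, RECORDS, WINDOW_START, WINDOW_END)
    return findings, pack


if __name__ == "__main__":
    findings, pack = run_example()
    for c in CONTROLS:
        print(f"{c.ref} ({c.name}): {len(pack[c.ref])} record(s) pre-positioned")
        for issue in findings.get(c.ref, []):
            print(f"  FINDING: {issue}")
```

On the constructed data the monthly scan comes out clean, the quarterly access review is flagged for both too few samples and a 166-day silence before the window end, and the weekly log review is flagged for stopping in March: the same three shapes a Stage 2 sample exposes. For event-driven controls (change requests, incident records) cadence means nothing, so set every_days to the window length and rely on the sample-count check alone.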

Week 6-8: Final readiness check

A final internal mini-audit focused only on the areas Stage 1 flagged. If Stage 1 said the access review process was weak, run a fresh access review and verify it now meets the standard. If Stage 1 said incident response timing was unclear, conduct a small tabletop and capture the timing record.

The gap is a project sprint, not a holiday

Teams that treat the gap as breathing room arrive at Stage 2 with Stage 1 findings still open. Teams that treat it as a 4-8 week sprint to close findings and produce evidence arrive at Stage 2 ready. The certificate goes to the second group.

5. Side-by-Side Comparison

STAGE 1: Documentation & Readiness

  • Duration: 1-3 days, onsite or remote
  • Focus: design. Does the ISMS exist on paper, and is it ready for testing?
  • What they read: the mandatory documented information, SoA and risk treatment plan, internal audit reports, management review minutes, Annex A control policies
  • What they look for: missing documents, scope ambiguity, stale or unapproved documents, weak management engagement
  • Outcome: ready / ready with corrective actions / not ready

STAGE 2: Effectiveness Audit

  • Duration: 2-5 days, onsite or hybrid (longer for large organisations)
  • Focus: operation. Does the ISMS actually work, with evidence?
  • What they sample: access reviews, change requests, incident records, training completion, vulnerability scans, vendor reviews
  • What they look for: inconsistent control application, records not matching documented frequency, operational gaps in execution, Stage 1 findings not closed
  • Outcome: recommend certification / recommend with conditions / do not recommend

The biggest practical difference: Stage 1 tests what exists; Stage 2 tests what happens. You can pass Stage 1 with an ISMS whose documents were signed off a week ago, provided an internal audit and a management review have already taken place. You cannot pass Stage 2 the same way: the auditor needs operating records spanning at least the previous 3 months, and ideally longer.

6. How to Prepare for Each

Before Stage 1

  • All mandatory documented information (the "14 mandatory documents" list) finalised, version-controlled, approved, dated.
  • SoA complete with status for every Annex A control (included / excluded with justification).
  • Internal audit completed across the full ISMS scope. Findings closed or in active corrective action.
  • At least one management review meeting documented with the standard's required inputs.
  • Risk register populated, treatment plan in active management.
  • Stage 1 evidence pack assembled -a folder structure mapping each clause and control to the document that satisfies it.

Before Stage 2

  • All Stage 1 Major NCs closed; Minor NCs closed where possible with documented corrective action plans for the rest.
  • At least 3 months of operating evidence for every control in the SoA. Fresh evidence accumulated during the gap window for newly-implemented controls.
  • Stage 2 evidence pack ready -pre-positioned records the auditor can request and receive within minutes.
  • Control owners briefed on what to expect in interviews. Walk-through scenarios rehearsed once or twice.
  • Technical evidence prepared -logging dashboards accessible, sample backup restorations, sample MFA enforcement evidence.
  • A clear contact for each control area so the auditor knows who to ask, without senior management acting as a bottleneck.
The dry-run interview

Stage 2 will involve the auditor interviewing control owners. Run a 30-minute dry-run interview with each owner before Stage 2, with a colleague playing the auditor and asking the kinds of questions an auditor would ask. This surfaces the over-confident statements ("we always do X") that turn into findings ("but the sample shows you did not"). Better to find this in a dry-run than in the real interview.

Need help getting both stages right?

SecComply prepares organisations for both stages of the certification audit -pre-Stage 1 readiness check, gap-window corrective action management, Stage 2 evidence pack, and dry-run interviews with control owners.

Book certification prep →

FAQ

Can Stage 1 and Stage 2 be combined?

Not as one audit. ISO/IEC 17021-1, the standard certification bodies operate under, requires the initial certification audit to be conducted in two stages and leaves the interval between them to the certification body, which must take into account the organisation's need to resolve the areas of concern raised at Stage 1. The standard sets no minimum interval, so the gap is a certification body decision in practice: most require at least 4 weeks between stages; some require 6 or 8.

What is the typical gap between Stage 1 and Stage 2?

4-8 weeks is typical, though some certification bodies will permit longer gaps (up to 6 months) when major findings need closure. The minimum is set by the certification body, not by the standard, but realistically you need at least 4 weeks to close documentation gaps and 8 weeks to demonstrate fresh operational evidence on any controls flagged at Stage 1.

Can certification be denied at Stage 1?

Yes. If Stage 1 surfaces fundamental gaps -missing mandatory documents, scope undefined, no risk assessment performed -the certification body may recommend not proceeding to Stage 2 until those gaps are closed. This is rare for organisations that have done a proper internal audit beforehand.

What is a Stage 1 nonconformity?

Stage 1 findings are typically conformity gaps: documents missing, processes undefined, mandatory clauses not addressed. Strictly, ISO/IEC 17021-1 has the Stage 1 report record "areas of concern that could be classified as nonconformity during Stage 2", but most certification bodies grade them Minor or Major in the same way as Stage 2 findings. They are usually classed as Minor at Stage 1 because operational evidence has not yet been tested. The exception is missing mandatory documented information (the SoA, the risk assessment methodology, the scope), which is generally raised as Major.

Do all Stage 1 findings need to be closed before Stage 2?

Major Stage 1 findings must be closed before Stage 2 starts. Minor findings should ideally be closed but can sometimes be carried into Stage 2 with documented corrective action plans, depending on the certification body. Stage 2 will re-examine any unresolved Stage 1 issue and escalate it if the gap persists.