ISO 27001 Stage 1 vs Stage 2: What Auditors Actually Look For

Every year, I watch organisations spend months building their ISMS — policies written, risk registers populated, controls documented — only to stumble in the certification audit over issues that a practitioner would have caught in week one. The gap is almost never technical. It's almost always a misunderstanding of what the auditor is actually looking at, and why.

This article breaks down Stage 1 and Stage 2 audits from the auditor's perspective — what we're genuinely assessing at each stage, where most organisations fall short, and what "audit-ready" actually means in practice.

What Stage 1 Is — and Is Not

Stage 1 is commonly described as a "documentation review." That framing is accurate but incomplete — and the incompleteness is what catches people out.

Yes, Stage 1 involves reviewing your documented ISMS. But the auditor isn't just checking that the documents exist. They're assessing three things:

Scope adequacy — Does the scope statement accurately reflect the boundaries of the ISMS? Are there obvious exclusions that should be included?
System maturity — Has the ISMS been operational long enough to generate meaningful evidence? A risk assessment completed the week before Stage 1 is a red flag, not a green light.
Stage 2 readiness — Is the organisation likely to be able to demonstrate implementation during Stage 2? The auditor is making a professional judgement about whether Stage 2 is worth scheduling.

"Stage 1 is where I decide whether Stage 2 will be a productive engagement or a waste of everyone's time. If the documented ISMS can't answer basic questions about how risks are being managed, Stage 2 will find the same problems — just more expensively."

Common Stage 1 findings that delay Stage 2

Scope statement that excludes business units clearly within the ISMS boundary
Risk register with no treatment plans or residual risk acceptance decisions
Statement of Applicability (SoA) with exclusions not justified against the organisation's risk context
Internal audit not yet completed — or completed but with no management review of findings
Policies approved but with no evidence of communication to relevant personnel
Objectives defined but with no measurable targets or progress tracking

Practitioner Note

The SoA exclusion justification is the most commonly underestimated Stage 1 requirement. Saying "not applicable" for Annex A.5.19 (Information security in supplier relationships) without justification — when your organisation clearly uses third-party cloud infrastructure — will generate a major nonconformity at Stage 1 every time.

What Stage 2 Is Actually Assessing

Stage 2 is where implementation is verified. The auditor is no longer reading documents — they're looking for evidence that the controls described in your ISMS are actually operating as described, and that they've been operating for a sufficient period.

The ISO 17021 standard (which governs how certification bodies must operate) requires auditors to assess effectiveness, not just conformity. This distinction matters enormously in practice.

Conformity means: "You have a procedure for X."
Effectiveness means: "Your procedure for X is actually achieving its intended outcome."

Organisations that prepare only for conformity audits — producing documents and records on request — consistently miss the effectiveness dimension. Here's how that plays out in practice.

Access control — conformity vs effectiveness

Conformity check: Do you have an access control policy? Yes. Do you have a user access provisioning procedure? Yes. Do you have a record of the last access review? Yes.

Effectiveness check: I'd like to see the access review results for your production system. I see 14 accounts flagged for removal three months ago — can you show me evidence those were removed? I notice three accounts belong to employees who left last year. What does your leavers procedure say, and why weren't these caught?

The second line of questioning is what happens in a well-conducted Stage 2. The document exists. The control failed in operation.

The controls auditors sample most heavily

ISO 27001:2022 has 93 Annex A controls across four themes. In practice, most Stage 2 auditors sample from the same areas — not because the other controls don't matter, but because these are where implementation gaps most commonly exist:

A.5.9 / A.5.10 — Asset inventory and acceptable use: Is the inventory current? Is there a process to update it when assets change?
A.5.15 / A.5.18 — Access control and access rights review: Is the review happening at the stated frequency? What happens when it finds issues?
A.5.19 / A.5.20 — Supplier security: Do supplier agreements include the required security clauses? Has a risk assessment been done for critical suppliers?
A.8.8 — Vulnerability management: What's the process for identifying and remediating vulnerabilities? What's the evidence it's running?
A.5.24 to A.5.28 — Incident management: Has there been a real incident? How was it handled? Even if there hasn't, what does the test or tabletop exercise record show?
A.6.3 — Awareness training: Can employees describe the key information security policies? Training records are not enough — auditors will ask staff directly.

The Evidence That Matters Most

Audit evidence is not the same as documentation. A policy document is not evidence that a control is operating. Evidence of operation includes:

System-generated logs (access logs, change logs, monitoring alerts)
Completed forms and checklists with dates and signatures
Meeting minutes that reference ISMS agenda items
Email threads showing approval decisions
Ticket records from IT service management systems
Training completion records from your LMS
Completed internal audit reports with findings and corrective actions

Practitioner Note

The management review is the single most important record in your Stage 2 audit package. It's the control that demonstrates leadership involvement — Clause 9.3 of ISO 27001. I have raised major nonconformities purely on the basis of a management review that existed on paper but showed no evidence of actual decision-making. The minutes must reflect substantive discussion, not just a rubber stamp.

Nonconformities: Major vs Minor — What's the Difference?

A major nonconformity means the certification will not be issued (or will be suspended) until the issue is resolved. It arises when:

A clause requirement of ISO 27001 is completely absent
The absence creates a systemic failure in the ISMS
Multiple minor nonconformities in the same area indicate a systemic problem

A minor nonconformity means a partial failure against a requirement — the system is largely in place but has a specific gap. Certification can proceed with a corrective action plan agreed and evidence of correction provided within the stated timeframe (usually 90 days).

An observation is not a nonconformity but is a signal that an area may become one. Experienced auditees take observations seriously and address them before the next surveillance audit.

Practical Checklist: Are You Ready for Stage 2?

Stage 2 Readiness — Key Indicators

Internal audit completed within the last 6 months, covering the full ISMS scope
Internal audit findings have documented corrective actions and closure evidence
Management review completed with minutes showing substantive decisions
Risk assessment updated within the last 12 months; treatment plans in place
SoA reviewed and exclusion justifications updated to current risk context
At least one cycle of access reviews completed with evidence of outcomes
Supplier security assessments completed for critical third parties
Staff can articulate the information security policy and their responsibilities
At least one incident or near-miss has been formally recorded and handled
Vulnerability assessment or penetration test completed and findings tracked
ISMS objectives have measurable targets with at least one measurement cycle completed

The organisations that pass Stage 2 cleanly — no major nonconformities, minimal minors — are not the ones with the most polished documentation. They're the ones where the ISMS is genuinely operating as described. That's what auditors are looking for, and it's what we help clients build.

Preparing for ISO 27001 certification?

We offer a pre-Stage 2 readiness review that identifies exactly what an auditor will find — before they find it. Let's talk.

Schedule a Free Consultation →