ISO 27001 certification runs as a two stage initial audit by an accredited certification body. Stage 1 reviews whether your ISMS documentation and management system are in place; Stage 2 tests whether the system actually operates the way the documents claim. Both are required, and Stage 2 only proceeds once Stage 1 is clear.
What is the difference between a Stage 1 and Stage 2 ISO 27001 audit?
Stage 1 checks the paperwork and readiness. Stage 2 checks reality. The certification body splits the initial audit in two because there is no point testing whether controls operate if the management system behind them does not yet exist.
Stage 1 is a documentation and readiness review against ISO/IEC 27001:2022. The auditor confirms your scope, reads the information security policy, the risk assessment and risk treatment, and the Statement of Applicability, then decides whether you are ready to be tested. Stage 2 is the certification audit proper, where the auditor samples evidence across your operation to confirm the controls you selected are implemented and working. The split is set by ISO/IEC 17021-1, the standard certification bodies are accredited against, not by ISO 27001 itself. A clean Stage 1 does not certify you. Only Stage 2 does. For where both fit in the wider timeline, see how long ISO 27001 certification takes.
| Aspect | Stage 1 audit | Stage 2 audit |
|---|---|---|
| Purpose | Documentation and readiness review | Implementation and effectiveness test |
| What the auditor examines | Scope, policy, risk assessment and treatment, Statement of Applicability, early ISMS records | Evidence, interviews, control operation, internal audit and management review records |
| What they are deciding | Are you ready for Stage 2 | Does the ISMS conform and operate |
| Typical outcome | List of concerns to close first | Certificate issued, or nonconformities to clear |
| Set by | ISO/IEC 17021-1 | ISO/IEC 17021-1 |
What happens in the Stage 1 audit?
Stage 1 confirms your ISMS exists on paper and that you are ready for Stage 2. The auditor reviews documentation, checks scope, and flags anything that would sink Stage 2 before you spend money on it.
They will want the ISMS scope, the information security policy, the risk assessment and risk treatment process and results, the Statement of Applicability, your objectives, and evidence the management system has started to run: your internal audit and management review records. The Statement of Applicability has to exist before Stage 1; it is the document the whole audit hangs off. The most common Stage 1 outcome is not failure, it is a list of areas of concern the auditor expects closed or matured before Stage 2. Treat them as the real findings. A Stage 1 that comes back spotless usually means nobody looked hard enough. Working through the readiness checklist before this point is the cheapest way to keep Stage 1 short.
What happens in the Stage 2 audit?
Stage 2 tests whether the ISMS works in practice. The auditor moves from reading documents to sampling evidence, interviewing people, and checking that the controls you selected are actually operating.
Expect the auditor to trace controls end to end: pull a sample of access reviews, ask for the last management review minutes, check that risks were treated the way the plan says, read incident records, and test that staff do what the policy claims. This is where a paper ISMS comes apart. You cannot certify a system that has existed for a fortnight, because there is no operating record to sample. ISO 27001 sets no fixed minimum operating period, but Stage 2 needs evidence the system has run: at least one full internal audit and one management review, plus the day to day records the controls generate. Pass Stage 2 and the certification body issues your certificate, valid for three years.
How long is the gap between Stage 1 and Stage 2?
Usually a few weeks to a couple of months. The gap exists so you can close the concerns Stage 1 raised; it is not dead time.
ISO/IEC 17021-1 requires the certification body to agree the interval with you and to allow time to resolve Stage 1 concerns. Too short a gap and you walk into Stage 2 with the gaps the auditor already flagged. Too long and Stage 1 findings go stale and may need rechecking. In Cybernion engagements the gap is usually a few weeks; that figure is indicative and set by what Stage 1 surfaced, not a rule. The audit effort itself, the number of days on site at each stage, scales under ISO/IEC 27006-1 with the number of people in your ISMS scope, not with your revenue, and that effort is also what drives the cost.
What happens if the auditor finds nonconformities?
It depends on severity. A major nonconformity stops certification until it is fixed and verified; a minor one you can usually clear with a corrective action plan.
A major nonconformity is a requirement that is absent or has broken down, for example no risk treatment, or a Statement of Applicability that does not match what you do. The certificate is withheld until you correct it and the auditor confirms the fix, sometimes with a follow up visit. A minor nonconformity is a single lapse against a requirement that is otherwise met; you submit a root cause and corrective action plan, and it is checked at the next surveillance audit. Observations and opportunities for improvement are not nonconformities and do not block certification, though ignoring them across cycles tends to turn them into findings.
Where do Stage 1 and Stage 2 sit in the three year cycle?
They are the start of it. After the two stage initial audit, certification runs on a three year cycle, with lighter surveillance audits in years one and two and a recertification audit in year three.
The initial Stage 1 and Stage 2 happen once, at the front. Surveillance audits in the following two years sample part of the ISMS rather than the whole, confirming it is still running and improving. In year three a recertification audit, broader than surveillance but usually lighter than the original Stage 2, renews the certificate for another three years. The 2013 to 2022 transition closed on 31 October 2025, so every current certificate is against ISO/IEC 27001:2022; if you are new to this, start with what ISO 27001:2022 is and the ISO 27001 guide.
Frequently asked questions
Stage 1 rarely ends in outright failure, but the auditor can decide you are not ready and delay Stage 2 until documentation and records are in place. The usual outcome is a list of concerns to close first.
Yes. The Statement of Applicability must exist before Stage 1. It lists every Annex A control with its inclusion or exclusion justified, and the audit works from it.
Once Stage 2 is clear and any nonconformities are closed and verified, the certification body issues the certificate. It is valid for three years, subject to annual surveillance audits.
Usually yes. Continuity helps, since the Stage 2 auditor already understands your scope and the concerns raised at Stage 1, though the certification body decides.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, Information security management systems, 2022
- ISO/IEC 17021-1:2015, Conformity assessment, requirements for bodies providing audit and certification of management systems, 2015
- ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of ISMS, 2024
Last updated: 21 June, 2026
