What to expect from Stage 1 and Stage 2 ISO 27001 audits

February 7, 2020
February 10, 2020

Those who are just getting to know ISO 27001 will no doubt find the audit a daunting prospect.

It’s a big, complex task that can be tricky for even experienced professionals. But, as with many challenges, you can overcome any concerns by preparing. Once you understand how the process works, it won’t seem nearly as intimidating.

If you’re attempting certification with the assistance of a consultancy firm, the consultant will probably arrange a pre-certification audit closer to your scheduled audit. This helps them see whether your ISMS (information security management system) is likely to meet all the necessary criteria.

Consider this a pre-certification ‘dress rehearsal’ audit. It allows you to identify any potential problems that can be ironed out before the actual audit, and it gives your staff the opportunity to see how the big day will play out.

The certification audit is conducted by an independent certification body (selected by you), and consists of ‘Stage 1’ and ‘Stage 2’ audits.

Stage 1 audit

The Stage 1 audit is often called a ‘documentation review’ audit, because the auditor will review your processes and policies to establish whether they’re in line with the requirements of ISO 27001.

This stage is more of a ‘reconnaissance’ audit, or a ‘pre-assessment’, where the auditor does a high-level review of your ISMS and establishes whether the internal audit programme is in place.

Stage 1 is completed on-site to determine whether your ISMS has met the minimum requirements of the Standard and is ready for a certification audit. The auditor will point out any areas of nonconformity and potential improvements of the management system.

Stage 2 audit

The Stage 2 audit is often referred to as the ‘certification audit’. During a Stage 2 audit, the auditor will conduct a thorough on-site assessment to establish whether the organisation’s ISMS complies with ISO 27001.

The auditor will also be looking for evidence that the organisation is actually following the documentation they reviewed at Stage 1: records, logs, meeting minutes, risk assessment outputs and internal audit results that show the ISMS operating in practice, not just on paper.

The auditor will review their audit checklists and provide feedback to the client regarding any nonconformities.

If everything is in order (any major nonconformities raised have been closed), the auditor will recommend your organisation for ISO 27001 certification, and the certification body will issue a certificate stating that your organisation’s ISMS complies with ISO 27001.

By Julia Dutton