ISO 27001 Stage 1 vs Stage 2: What's the Difference?

What Are ISO 27001 Stage 1 and Stage 2 Audits?

ISO 27001 certification requires two distinct audits: Stage 1 and Stage 2. Both stages are mandatory, and understanding what happens in each - and how they differ - is essential for passing your certification audit efficiently.

Stage 1 is the documentation review, sometimes called the readiness or desktop audit. The auditor examines your ISMS policies, procedures, and documentation to confirm they meet ISO 27001:2022 requirements. This stage does not test whether controls are working; it simply checks whether your system design is compliant on paper.

Stage 2 is the certification or main audit. Here, auditors assess implementation and effectiveness. They interview employees, review evidence of controls in action, and verify that your ISMS operates in practice as documented. If you pass Stage 2, the certification body recommends you for certification.

Stage 1 Audit: Documentation Review

The purpose of Stage 1 is to determine whether your ISMS is designed to meet the standard. Auditors review your documentation remotely or on-site, typically in one day (though larger or more complex organisations may require longer).

What Auditors Check in Stage 1

  • ISMS Scope: A clearly defined scope that describes what systems, locations, and services are included.

  • Context of the Organisation: Evidence you have identified internal and external issues, and interested parties.

  • Information Security Policy: A board-approved policy communicated to relevant stakeholders.

  • Statement of Applicability (SoA): A complete SoA listing which Annex A controls are applicable, with justifications for exclusions.

  • Risk Assessment and Treatment: Your methodology, risk register, and risk treatment plan.

  • Internal Audit and Management Review: Evidence that you have conducted at least one internal audit and one management review of the ISMS.

If the auditor finds major gaps - such as missing mandatory documentation or an incomplete SoA - they may delay Stage 2 until you resolve the issues. Minor observations can often be closed before or during Stage 2.

Typical Duration and Timing

Stage 1 usually lasts one day for small to medium SaaS companies. You should schedule it once your ISMS has been operating for at least three months and you have sufficient records from internal audits and management reviews. Preparing for an ISO 27001 audit involves ensuring all documentation is finalised and approved before the auditor arrives.

Stage 2 Audit: Implementation and Effectiveness

Stage 2 validates that your ISMS works in practice. Auditors visit your site (or conduct a virtual audit) to observe processes, interview staff, and review live evidence of control operation.

What Auditors Check in Stage 2

  • Control Implementation: Evidence that the controls listed in your SoA are operational.

  • Staff Interviews: Auditors speak with employees across roles to confirm they understand their security responsibilities and follow documented procedures.

  • Evidence of Practice: Records such as access reviews, security incident logs, backup test results, patch management reports, and change control approvals.

  • Risk Treatment Actions: Proof that risks identified in your risk register have been treated according to your plan.

  • Continuous Improvement: Evidence that you monitor, measure, and improve the ISMS, including corrective actions from internal audits.

Auditors also verify that any nonconformities found in Stage 1 have been closed. The ISO 27001 Stage 2 audit checklist provides a full breakdown of required evidence and common control tests.

Typical Duration and Timing

Stage 2 typically takes place two to six weeks after Stage 1 (Tempo likes to move quickly between the two stages and often aims for two or three weeks). Audit duration depends on the size and complexity of your organisation - small tech companies may require two to three days, while larger enterprises can expect a week or more. The ISMS must have been operating for at least three months before Stage 2, with documented evidence showing that controls have been in use over time.

Key Differences Between Stage 1 and Stage 2

| Feature | Stage 1 | Stage 2 |
|---|---|---|
| Primary Focus | Is your documentation compliant? | Do your controls work in practice? |
| Location | Often remote or desktop review | Often remote (on-site may be required if the client has critical physical infrastructure) |
| Duration | 1–2 days (typically) | 2–12+ days (varies by organisation size) |
| Outcome | Green light to proceed, or delay of Stage 2 | Certification recommendation or nonconformities |
| Evidence Type | Policies, SoA, risk register, procedures | Access logs, incident records, interviews, observations |
| Goal | Confirm ISMS design meets ISO 27001 | Validate ISMS implementation and effectiveness |

Common Challenges and How to Avoid Them

Stage 1 Stumbling Blocks

  • Incomplete Statement of Applicability: Failing to justify excluded controls or missing new controls from the 2022 revision.

  • Risk Assessment Gaps: Not documenting your methodology, or missing evidence that risks have been reviewed and approved by management.

  • No Internal Audit: Some organisations schedule their internal audit too late and do not have evidence to show the auditor at Stage 1.

Stage 2 Stumbling Blocks

  • Insufficient Operating Evidence: Controls must show consistent operation over time. One-off evidence or practices that only started days before the audit rarely pass.

  • Staff Unaware of Procedures: Employees cannot explain their security responsibilities or the incident response process.

  • Outstanding Stage 1 Findings: Major nonconformities from Stage 1 must be closed before Stage 2 can proceed.

How Long Between Stage 1 and Stage 2?

Most certification bodies schedule Stage 2 four to six weeks after Stage 1, although Tempo often favours a shorter gap of two to three weeks. This gap allows you to close any observations or minor nonconformities found during the readiness review while still progressing promptly towards certification. However, Stage 2 must occur within six months of Stage 1, or the Stage 1 audit may need to be repeated.

The exact timing depends on your readiness and the auditor's availability. Working with a tech-focused certification body that understands SaaS workflows can reduce scheduling delays and streamline the process.

After Stage 2: Certification, Surveillance, and Recertification

Once you pass Stage 2, the certification body issues your ISO 27001 certificate, valid for three years. You are required to undergo annual surveillance audits in years one and two to demonstrate ongoing compliance and continual improvement. At the end of year three, you must complete a full recertification audit to renew your certificate.

Surveillance audits are shorter than the initial Stage 2 and focus on a subset of controls, recent changes, and evidence that the ISMS continues to operate effectively.

Preparing for Both Stages

Success in both Stage 1 and Stage 2 depends on preparation. Start by conducting a gap assessment to identify missing documentation or controls. Implement your ISMS and operate it for at least three months, generating real evidence such as access reviews, incident logs, and internal audit findings. Run a thorough internal audit and hold a management review before Stage 1.

For Stage 2, brief your team on their roles, prepare evidence files organised by Annex A control, and ensure all records are current and accessible. Tempo Audits works with tech companies to simplify this process, offering remote-first audits, plain-English communication, and auditors trained on the tools SaaS companies use.

Understanding the difference between ISO 27001 Stage 1 and Stage 2 audits helps you plan effectively, allocate resources, and achieve certification with less friction.
