ISO 27001 Stage 2 audit guide: Checklist & certification process

This guide explains ISO 27001 Stage 2 requirements, preparation steps, timelines, common pitfalls, and how to achieve certification confidently.

Key takeaways

  • Stage 2 is the real test, confirming your ISMS works in practice and deciding whether you achieve ISO 27001 certification.

  • Strong preparation, clear evidence, and operational maturity reduce stress, prevent delays, and help you achieve certification smoothly and confidently.

  • Most organisations get certified, but timing depends on readiness, evidence quality, and how quickly nonconformities are properly resolved.

The ISO 27001 Stage 2 audit is the moment of truth in your certification journey. Up to this point, you have built your Information Security Management System. You have written policies. You have carried out risk assessments. And you may already have Stage 1 behind you!

But Stage 2 is different. This is the point where an independent auditor looks beyond your documents and asks a simple question:

Is your ISMS actually working in practice?

It is the final decision point for certification, which is why many organisations feel the pressure. Small gaps between policy and practice often cause problems.

In this guide, our expert ISO 27001 auditors outline exactly what is reviewed during Stage 2, the evidence required, common pitfalls, timelines, outcomes, and how to prepare for certification.


Understanding ISO 27001

ISO 27001 is an international standard for information security, published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It provides a structured framework for identifying risks, protecting sensitive data, and continually improving security processes through a formal Information Security Management System (ISMS).


What is the purpose of the Stage 2 audit?

The purpose of the ISO 27001 Stage 2 audit is to confirm that your ISMS is not only documented but also operating effectively in practice. This stage ultimately determines whether certification is awarded.

During the audit, a certification body (preferably UKAS-accredited in the UK, but potentially accredited by another IAF accreditation body) assesses whether:

  • Security controls are implemented and working as intended

  • Controls align with your Statement of Applicability (SoA)

  • All relevant clauses of ISO/IEC 27001:2022 are fulfilled

  • Risks are actively managed and monitored

  • Processes are supported by clear, objective evidence

If significant nonconformities are identified, certification is delayed until corrective actions are completed and verified. 

If your system demonstrates effectiveness and compliance, you are issued a 3-year ISO 27001 certificate, subject to annual surveillance audits.

ISO 27001 Stage 1 vs Stage 2 audit

Many organisations feel confident after Stage 1, only to realise that Stage 2 is a very different experience. While both stages form part of the same certification journey, they serve distinct purposes. Understanding this difference is essential.

Here is a clear comparison table:

Where Stage 2 fits in the ISO 27001 certification journey

Pre-audit → Stage 1 (readiness review) → Stage 2 (certification decision) → Certification → Surveillance years 1 & 2 → Recertification at year 3.

Stage 2 sits at the centre of the journey, confirming your ISMS works in practice before ongoing annual checks and 3-year renewal.

ISO 27001 Stage 2 audit preparation checklist

Preparing for an ISO 27001 Stage 2 audit becomes much easier when you know what areas will be examined. At this stage, your auditor is assessing implementation and effectiveness across your entire ISMS, not just documents.

Use this practical checklist to guide your preparation:

ISMS scope & context

☐ Scope is clearly defined and reflects current operations

☐ Boundaries, locations, and services are accurate

☐ Interested parties and compliance obligations are identified

Leadership & governance

☐ Roles and responsibilities are assigned and understood

☐ Security objectives are measurable and monitored

☐ Leadership involvement can be demonstrated

Risk management

☐ Risk assessments are current and reflect real business risks

☐ Risk treatment plans are implemented

☐ Residual risks are documented and reviewed

Statement of Applicability (SoA)

☐ Controls are selected and justified based on risk

☐ Implementation status matches reality

☐ Evidence exists for each applicable control

Policies & procedures

☐ Approved, communicated, and regularly reviewed

☐ Reflect actual operational practice

Operational controls

☐ Access control and user lifecycle records

☐ Asset inventory with ownership assigned

☐ Cryptography and data protection measures

☐ Secure configuration and change management records

☐ Monitoring and logging evidence

Incident & resilience

☐ Incident logs and response records

☐ Root cause analysis and corrective actions

☐ Business continuity and disaster recovery testing evidence

Third parties

☐ Supplier risk assessments

☐ Security clauses in contracts

☐ Ongoing supplier monitoring

People & oversight

☐ Security awareness and training records

☐ Internal audit reports and corrective actions closed

☐ Management review minutes demonstrating performance monitoring and continual improvement

This checklist can act as a practical Stage 2 audit readiness plan, helping ensure your ISMS performs as expected on audit day.

What happens during the Stage 2 audit? [How Tempo structures it!]

The ISO 27001 Stage 2 audit is structured, planned, and clearly communicated from the start. We schedule the full audit days upfront and share a detailed audit plan, so you know exactly what will be covered and when. There are no surprises.

We’re remote by default!

For most tech and service-based organisations, the audit is fully remote. Using secure video calls and screen sharing, we review your ISMS without disrupting your operations.

On-site visits are only required where critical physical infrastructure, such as server rooms, data centres or specialist facilities, needs to be verified.

Opening meeting

Every Stage 2 audit begins with an opening meeting. We confirm the scope, objectives, timelines, and key contacts so everyone understands how the audit will run.

Flexible audit structure

There is always an opening and closing meeting, but within that, the structure flexes around how your team works best. We mix and match between the following two approaches depending on our clients’ preference:

  • Asynchronous approach: If your ISMS is well organised in a GRC (Governance, Risk, and Compliance) platform or a shared workspace such as Google Drive, Notion or SharePoint, we can review evidence independently and reconnect at agreed intervals. Communication can run through Teams, Slack, or similar channels, allowing your team to continue their day-to-day work.

  • Synchronous approach: Some clients prefer to stay with the auditor throughout, supporting evidence review and answering questions in real time. This can speed up clarification but requires more availability.

Most audits naturally become a hybrid of both, but we can change the emphasis depending on the customer.

What we review

During the ISO 27001 Stage 2 audit, we assess:

  • Implementation of Clauses 4–10*

  • All applicable Annex A controls* in your Statement of Applicability

  • Risk management and treatment effectiveness

  • Incident management and corrective actions

  • Evidence that controls are operating consistently

The focus is not just on whether a control exists, but whether it works in practice.

*Clauses 4–10 define how your organisation establishes, operates, monitors, and continually improves its Information Security Management System (ISMS).

*Annex A controls define the specific security measures your organisation selects and implements to treat identified information security risks.

Closing meeting

At the end of the audit, we present our findings, explain any nonconformities, and outline the next steps. By this point, you have a clear understanding of your certification position and what happens next.

Ready to secure your ISO 27001 certification?

Your Stage 2 audit is the final step between preparation and certification. If your ISMS is ready, it is time to formalise it and achieve recognised, UKAS-accredited ISO 27001 certification.

Request your ISO 27001 Stage 2 audit quote today and move one step closer to certification.

Evidence required for ISO 27001 Stage 2 audit

During your ISO 27001 Stage 2 audit, evidence is everything. This is how we confirm that your controls are not just written down, but are operating effectively.

What types of evidence work?

Honestly, almost all formats are acceptable, provided they are relevant and reliable:

  • Tickets from Jira, Linear, or GitHub Issues – show processes in action.

  • System logs from SIEM tools, cloud providers, or authentication platforms – objective proof of activity.

  • Screenshots of configurations and security settings – useful for demonstrating setup.

  • CSV or JSON exports from GRC or access management systems – easy to sample and verify.

  • Interviews with team members – often the clearest way to explain how controls operate.

The format matters far less than the substance. We are looking for evidence that proves controls are implemented, understood, and functioning consistently.

A practical tip: keep your evidence organised. A well-structured Google Drive, Notion workspace, or GRC platform makes the audit smoother and more efficient.

Top 3 real reasons companies struggle at Stage 2

First, an important reassurance: Stage 2 is rarely a “you failed, that’s the end” situation. Most organisations achieve certification once nonconformities are addressed. 

The real issue is usually delay, not disaster.

Here are the 3 most common reasons companies struggle.

1. They never fully understood the standard

Some organisations build their ISMS using templates or external advice without properly reading ISO 27001 themselves. On paper, everything looks complete. 

But during Stage 2, when deeper questions are asked (Why was this control selected? How do you review this risk? Who owns this process?), uncertainty starts to show.

It is not about memorising the standard. It is about genuinely understanding what each requirement means for your business.

What helps:
Buy a copy of the ISO 27001 standard, and take time to read the clauses and Annex A. Make sure you can explain, in simple terms, how you meet each clause and control, and why you do what you do.

2. The internal audit was treated as a tick-box

Your internal audit should feel like a rehearsal for Stage 2. If it was rushed, lightly sampled, or carried out by someone without strong ISO 27001 knowledge, gaps will remain hidden.

What helps:
Use a competent internal auditor. Give them time. And most importantly, properly fix what they find.

3. Implementation was rushed

If you implemented controls just weeks before Stage 2, you may struggle to demonstrate monitoring, review cycles, or continual improvement. Staff may still be adapting to new processes.

What helps:
Allow your ISMS time to operate. Controls need to mature, and people need to embed new ways of working.

How long does the ISO 27001 Stage 2 audit take?

The length of your ISO 27001 Stage 2 audit depends mainly on the number of people in scope and the complexity of your organisation. 

Audit duration is not arbitrary. It follows the rules set out in ISO/IEC 27006, which defines minimum audit days to ensure assessments are thorough and meaningful.

Here is what that typically looks like:

Preparation timeline

Although the Stage 2 audit itself may last several days, preparation typically begins weeks in advance.

This gives you time to:

  • Complete internal audits

  • Conduct management review

  • Close Stage 1 findings

  • Test operational controls

  • Organise evidence clearly

The key point is this: audit duration is proportional to risk, scale, and complexity. It is designed to ensure your ISMS is properly evaluated, not rushed.

Stage 2 outcomes and what they mean

At the closing meeting of your ISO 27001 Stage 2 audit, you can expect one of the following outcomes:

  • Recommendation to certify – No nonconformities identified (rare, but possible).

  • Recommendation to certify subject to corrective actions – Minor nonconformities require a corrective action plan before the certificate is issued.

  • No recommendation to certify – Major nonconformities must be resolved and verified before certification can proceed.

Once corrective actions are approved and the technical review is completed, certificates are typically issued within around 7 days. Certification is valid for 3 years, with annual surveillance audits forming part of the ISO 27001 audit cycle.

What happens if Stage 2 is weak?

A weak ISO 27001 Stage 2 audit does not usually mean the end of certification. In most cases, organisations still achieve certification once identified nonconformities are properly addressed and verified.

However, the experience can be far more challenging than it needs to be.

  • It creates avoidable stress. Instead of confidently demonstrating your ISMS, your team may find themselves scrambling to explain gaps or gather missing evidence. That can feel discouraging after months of hard work.

  • It slows down certification. Closing nonconformities often takes time. Depending on their nature, corrective actions can take several weeks to implement, document, and verify.

  • It can delay commercial opportunities. If certification is tied to customer contracts, tenders, or partnerships, even a short delay can affect revenue timelines or competitive positioning.

How much does an ISO 27001 Stage 2 audit cost?

Certification bodies usually price ISO 27001 as a full package, covering both Stage 1 and Stage 2, because they are sequential parts of the same process. 

For UK tech companies, costs typically start from £4,000 for the complete certification audit. Pricing depends on company size, organisational complexity, ISMS scope, and the certification body’s rates. 

To get an accurate quote, you will need to provide employee numbers, technical environment details, site information, and your timeline. You can request a quote here.

Why choose Tempo Audits for your ISO 27001 Stage 2 audit?

Tempo Audits is a UKAS-accredited certification body, meaning your ISO 27001 certificate carries recognised credibility with clients, partners, and regulators worldwide.

With a remote-first, tech-friendly approach and expert auditors who understand modern business environments, from startups to complex enterprises, Tempo Audits combines rigorous compliance checks with clear communication and practical guidance. 

This makes the Stage 2 audit less daunting and more efficient, helping you achieve certification smoothly and with confidence.

Ready to take the next step?

Request a quote for your ISO 27001 Stage 2 audit today.

Common Stage 2 audit questions / misunderstandings (FAQs)

  • Does the Stage 2 audit have to be on-site?

    Not always. Many (or most for Tempo) Stage 2 audits are conducted remotely using secure video calls and screen sharing.

    On-site visits are typically only required where critical physical infrastructure (such as physical servers) needs to be inspected, but the majority of Tempo’s clientele operate cloud servers, which means a physical audit is not required.

  • What does the auditor review at Stage 2?

    In short, everything applicable within ISO/IEC 27001:2022.

    The certification body must assess every clause and each applicable control listed in your Statement of Applicability. Preparation means ensuring you have clear evidence for each applicable control.

  • Can you fail the Stage 2 audit?

    ISO 27001 is not a traditional pass-or-fail exam. Whilst the auditor provides a recommendation after the audit, a recommendation not to certify is not the end of the certification process.

    Most audits identify nonconformities, and certification depends on how quickly and effectively you resolve them.

    For most organisations, the question is not if they will be certified, but when.

  • How soon after Stage 1 does Stage 2 take place?

    Stage 2 audits are usually scheduled 2-8 weeks after Stage 1 to allow time to address findings. We typically book both stages together and aim for a shorter 2-4 week gap than the average certification body.

  • Who needs to be involved in the Stage 2 audit?

    • ISMS owner or representative – Typically manages the full audit and acts as the main point of contact.

    • Leadership representative – Should attend the opening and closing meetings to demonstrate top management involvement.

    • Technical leads (e.g. CTO, IT, Security) – Join when controls relating to technology, infrastructure, or security operations are reviewed.

    • HR or people representatives – Required where training, awareness, or employee lifecycle controls are assessed.

    • Process owners and senior management – Available for scheduled interviews to explain how specific clauses or controls operate in practice.

  • How many nonconformities are acceptable?

    There is no fixed “acceptable” number. Certification decisions are based on the severity of findings, not the quantity.

    • Minor nonconformities require a corrective action plan (i.e. a plan to resolve the nonconformity before the next audit) but do not usually prevent certification once the plan is approved.

    • Major nonconformities must be fully resolved and verified before certification can be granted.