ISO 27001 Audit Process: What to Expect at Every Stage

The ISO 27001 audit process is the final gate between your implementation work and certification. Understanding exactly what auditors look for, how the two-stage ISO 27001 audit process works, and how to prepare your evidence will dramatically improve your chances of passing on the first attempt.

This guide covers every phase of the ISO 27001 audit process, from selecting a certification body to handling nonconformities and maintaining certification through surveillance audits. Whether you are a startup founder hiring your first compliance lead or an SMB security manager preparing for your initial certification, this walkthrough gives you the complete picture of what to expect and how to prepare.

How the ISO 27001 Certification Audit Works

The ISO 27001 audit process is a structured assessment conducted by an accredited certification body (CB). Unlike internal audits or SOC 2 examinations, ISO 27001 audits follow a rigid two-stage format defined by ISO 17021 and IAF MD 22.

The certification body must be accredited by a national accreditation body that is a member of the International Accreditation Forum (IAF). In the United States, this is typically ANAB (ANSI National Accreditation Board). In the UK, it is UKAS.

💡 Pro Tip
Always verify your certification body's accreditation before signing a contract. An unaccredited certificate has no value in the market and will not satisfy customer requirements.

Stage 1 Audit: Documentation Review

The Stage 1 audit is a readiness check. The auditor evaluates whether your ISMS documentation is complete and your organization is prepared for the full Stage 2 assessment.

What the Auditor Reviews in Stage 1

  • ISMS scope statement and justification for any exclusions
  • Information security policy signed by top management
  • Risk assessment methodology and results
  • Statement of Applicability (SoA) listing all 93 Annex A controls with justifications
  • Risk treatment plan showing how identified risks are addressed
  • Internal audit reports and results
  • Management review minutes and decisions
  • Corrective action records from internal audit findings
  • Key ISMS procedures: incident management, access control, change management

Stage 1 Timeline and Format

Stage 1 typically takes 1 to 2 days. Many certification bodies now offer remote Stage 1 audits via video conference, which reduces travel costs. The auditor will:

  1. Review all mandatory documentation
  2. Interview key ISMS personnel (usually the ISMS Manager and one or two control owners)
  3. Assess the organization's readiness for Stage 2
  4. Identify any gaps that must be resolved before Stage 2

The auditor produces a Stage 1 report listing:

  • Conformities: Areas that meet the standard
  • Observations: Areas that could be improved but are not nonconformities
  • Minor nonconformities: Issues that must be resolved before Stage 2
  • Major nonconformities: Significant gaps that prevent Stage 2 from proceeding

⚠ Warning
If the Stage 1 auditor finds major nonconformities, Stage 2 will be delayed until they are resolved. This commonly happens when the risk assessment is incomplete or the SoA does not cover all required controls. Budget 4 to 8 weeks between Stage 1 and Stage 2 to address findings.

Stage 2 Audit: Implementation Verification

Stage 2 is the main certification audit. The auditor verifies that your ISMS operates as documented and that controls are effective in practice.

What Happens During Stage 2

The auditor will:

  1. Interview employees across departments to verify security awareness and policy understanding
  2. Review evidence of control operation (logs, records, screenshots, reports)
  3. Test controls by requesting demonstrations or samples
  4. Trace processes end-to-end (for example, following an incident from detection through resolution and lessons learned)
  5. Verify corrective actions from Stage 1 findings
  6. Assess management commitment through evidence of resource allocation and leadership involvement

Stage 2 Duration

Stage 2 duration is calculated based on organization size, scope complexity, and number of sites:

| Employees in Scope | Audit Days (Single Site) |
|--------------------|--------------------------|
| 1 to 25            | 3 to 5 days              |
| 26 to 45           | 5 to 6 days              |
| 46 to 65           | 6 to 7 days              |
| 66 to 125          | 7 to 8 days              |
| 126 to 175         | 8 to 9 days              |
| 176 to 275         | 9 to 10 days             |
| 276 to 425         | 10 to 12 days            |

Multi-site organizations with sampling methodologies may require fewer days per site but more total days.

Common Stage 2 Audit Questions

Auditors consistently ask these types of questions:

  • "Show me your most recent risk assessment. How did you determine the likelihood and impact scores?"
  • "Walk me through how you handled the last security incident."
  • "How do you verify that third-party suppliers meet your security requirements?"
  • "What training did this employee receive, and when?"
  • "Show me evidence that management reviewed the ISMS in the last 12 months."
  • "How do you track and remediate vulnerabilities?"

Prepare your team by conducting mock interviews covering these scenarios.

Understanding Audit Findings

Knowing how auditors categorize their findings helps you respond quickly and effectively during the ISO 27001 audit process.

Types of Nonconformities

| Finding Type | Definition | Impact |
|--------------|------------|--------|
| Major nonconformity | Absence or total failure of a required control or process | Certification cannot be granted until resolved and verified |
| Minor nonconformity | Partial failure or isolated instance of non-compliance | Must be corrected within 90 days; does not block certification |
| Observation | An area for improvement, not a compliance failure | No corrective action required; consider for continuous improvement |
| Opportunity for improvement | A suggestion from the auditor | Optional; shows maturity if addressed |

How to Respond to Nonconformities

For each nonconformity, you must provide:

  1. Root cause analysis: Why did this happen? (Use techniques like 5 Whys or fishbone diagrams)
  2. Corrective action: What specific action will prevent recurrence?
  3. Evidence of implementation: Proof that the corrective action was executed
  4. Verification of effectiveness: Evidence that the fix actually works

📝 Note
Auditors evaluate the quality of your corrective action process as much as the fix itself. A well-documented root cause analysis with a systematic corrective action demonstrates ISMS maturity, even if the initial finding was significant.

Selecting a Certification Body and Preparing for Your Audit

Choosing the right certification body is one of the most important decisions in the ISO 27001 audit process. Here is what to evaluate:

Accreditation: Must be accredited by an IAF member body (ANAB, UKAS, JAS-ANZ, DAkkS, etc.). Check the IAF CertSearch database to verify.

Industry experience: Some certification bodies specialize in specific sectors (healthcare, financial services, technology). An auditor who understands your industry will conduct a more efficient and relevant audit.

Geographic presence: If you have multiple locations, a certification body with local auditors reduces travel costs.

Reputation: Ask peers in your industry which certification body they use. Check for complaints or accreditation suspensions.

Cost: Get quotes from at least three certification bodies. Prices vary by 30 to 50% for the same scope. Be cautious of significantly low quotes, as they may indicate inexperienced auditors or accreditation issues.

The Pre-Audit Checklist

Use this checklist in the 4 to 6 weeks before your Stage 2 audit. Startups and SMBs should start this preparation early since smaller teams have less bandwidth for last-minute evidence gathering.

Documentation readiness:

  • All mandatory documents are current, approved, and version-controlled
  • The SoA matches your current risk assessment
  • Internal audit was conducted within the last 12 months
  • Management review was conducted within the last 12 months
  • All corrective actions from the internal audit are closed or in progress with evidence

Evidence preparation:

  • 3 to 6 months of operational evidence is organized and accessible
  • Security incident logs with response records
  • Access review records showing periodic user access reviews
  • Training records for all in-scope personnel
  • Change management records
  • Backup and recovery test results
  • Vulnerability scan results and remediation records
  • Supplier security assessment records

Personnel preparation:

  • ISMS Manager can explain the entire ISMS structure, scope, and risk methodology
  • Control owners can demonstrate how their controls operate
  • All in-scope employees understand the information security policy
  • Management sponsor can articulate why the organization pursued ISO 27001

Logistics:

  • Audit room with whiteboard, projector, and network access is reserved
  • Document repository access is arranged for the auditor
  • Key personnel schedules are cleared for audit interview slots

After the Audit: Costs, Surveillance, and Recertification

The ISO 27001 audit process does not end at certification. Here is what comes next and what it costs.

Surveillance Audits (Years 1 and 2)

After initial certification, your certification body conducts surveillance audits annually. These are smaller than the initial audit (typically 30 to 40% of the Stage 2 duration) and focus on:

  • Verifying corrective actions from previous audits
  • Checking continued operation of the ISMS
  • Reviewing changes to scope, risks, or controls
  • Sampling different controls than previous audits

Surveillance audits can result in nonconformities that, if not addressed, may lead to certificate suspension. For startups and SMBs, surveillance audits are often smoother than the initial certification because the team has already established evidence collection habits.

Recertification Audit (Year 3)

Every three years, you undergo a full recertification audit. This is similar in scope to the original Stage 1 and Stage 2 process but considers your ISMS maturity and the full audit history. Organizations that have maintained their ISMS well typically find recertification smoother than initial certification.

ISO 27001 Audit Costs

| Audit Type | Small Company | Mid-Market | Enterprise |
|------------|---------------|------------|------------|
| Stage 1 + Stage 2 (initial) | $10,000 to $20,000 | $20,000 to $40,000 | $40,000 to $80,000 |
| Annual surveillance | $4,000 to $8,000 | $8,000 to $15,000 | $15,000 to $30,000 |
| Recertification (Year 3) | $8,000 to $16,000 | $16,000 to $32,000 | $32,000 to $65,000 |

These costs cover the certification body's audit fees only. They do not include internal preparation, consulting, or technology costs. For a full cost breakdown, see our ISO 27001 certification cost guide.

Startups and SMBs can reduce costs by using a GRC platform that automates evidence collection. Platforms like Vanta and Drata cut audit preparation time by 40 to 60%, which directly reduces consulting hours.

For a complete walkthrough of the steps before you reach the audit stage, see our ISO 27001 implementation guide.

✅ Key Takeaway
The ISO 27001 audit process rewards preparation. Organizations that invest in thorough internal audits, complete documentation, and mock interviews pass at significantly higher rates. Build a culture of evidence collection from day one, not in the weeks before the audit.

Frequently Asked Questions

How long does the ISO 27001 audit process take?

Stage 1 takes 1 to 2 days. Stage 2 takes 3 to 12 days depending on organization size and scope. Most mid-sized companies complete both stages of the ISO 27001 audit process within 6 to 8 weeks of each other.

Can ISO 27001 audits be done remotely?

Yes. Since 2020, IAF MD 4:2018 allows remote auditing techniques. Stage 1 is commonly done remotely. Stage 2 may be partially or fully remote depending on the certification body and the nature of your controls. Physical security controls typically require on-site verification.

What percentage of organizations pass on the first attempt?

Industry estimates suggest 70 to 80% of organizations pass Stage 2 on the first attempt when using experienced consultants. Self-guided implementations have a lower first-attempt pass rate of roughly 55 to 65%.

What if we fail the Stage 2 audit?

If you receive major nonconformities, the auditor will schedule a follow-up audit (typically within 90 days) to verify corrective actions. You do not need to repeat the entire ISO 27001 audit process. Minor nonconformities can usually be resolved through documentation submitted to the auditor without an additional on-site visit.

How often are surveillance audits?

Surveillance audits occur annually in years 1 and 2 after initial certification. A full recertification audit is required in year 3, and the cycle repeats.

Can we switch certification bodies?

Yes. You can transfer your certificate to a new certification body at any point in the three-year cycle. The new CB will conduct a transfer audit to verify your ISMS still meets the standard. This is common when organizations are dissatisfied with audit quality or want better pricing.

James Mitchell
Author