ISO 27001 Audit Process: What to Expect at Every Stage
TL;DR
- ISO 27001 certification audits follow a two-stage format under ISO/IEC 17021-1: Stage 1 checks whether your ISMS documentation is complete; Stage 2 verifies that controls are actually operating.
- Your certification body must be accredited by a recognized national body — ANAB in the US, UKAS in the UK, DAkkS in Germany. Certificates from unaccredited bodies carry no standing with customers or regulators.
- Stage 1 typically runs one to two days. Stage 2 duration scales with the number of employees in scope — a 25-person organization typically requires three to five audit days; a 175-person organization requires eight to nine.
- Nonconformities fall into two categories: major (certification blocked until resolved) and minor (must be corrected but does not block the certificate).
- The certificate is valid for three years. Annual surveillance audits in years one and two confirm the ISMS is still operating. A full recertification audit in year three renews it.
Who this is for
Security managers, compliance leads, and program owners preparing their organization for initial ISO 27001 certification. It also applies to anyone managing the ongoing surveillance and recertification cycle. If you are still building your ISMS before booking an audit, start with our ISO 27001 implementation guide.
How the Certification Audit Is Structured
ISO 27001 certification audits are conducted by accredited certification bodies (CBs) — independent third-party firms authorized to issue certificates under ISO/IEC 27001:2022. The audit format itself is governed by ISO/IEC 17021-1:2015, which sets the requirements for bodies providing audit and certification of management systems.
The two-stage format is mandatory. A CB cannot skip Stage 1 and jump directly to Stage 2.
To verify that your prospective CB is accredited, search iafcertsearch.org, the global database of accredited management system certificates maintained by the International Accreditation Forum and its successor, the Global Accreditation Cooperation Incorporated. Listing there is not universal: a CB appears only if its accreditation body participates and the CB uploads its data, so also check the accreditation body's own directory for the CB's name and scope. In the US, ANAB (ANSI National Accreditation Board) is the primary accreditation body for ISO 27001 certification bodies. In the UK, it is UKAS. In Germany, DAkkS. In Australia, JAS-ANZ.
An unaccredited certificate has no recognized standing. Before signing any CB contract, confirm the CB's accreditation is current and specifically covers information security management systems (ISMS) under ISO/IEC 27001.
Major CBs active in this space include BSI Group, DNV, TÜV SÜD, and LRQA. Market share, geographic presence, and industry specialization vary — request quotes from at least three before committing.
Stage 1: Documentation Review

Stage 1 is a readiness check. The auditor determines whether your ISMS documentation is complete and whether your organization is prepared for the on-site or remote implementation audit in Stage 2.
What the Auditor Reviews
The Stage 1 auditor works through the documented information that ISO/IEC 27001:2022 requires the organization to keep. The core set:
- ISMS scope statement (Clause 4.3) — which parts of the organization, which locations, which business processes
- Information security policy (Clause 5.2) — signed and authorized by top management
- Risk assessment process and results (Clauses 6.1.2 and 8.2) — documented method, likelihood and impact criteria, risk acceptance criteria, and the resulting risk register
- Statement of Applicability (Clause 6.1.3 d) — all 93 Annex A controls listed, each marked included or excluded, with a justification either way and, for included controls, whether they are implemented
- Risk treatment plan and results (Clauses 6.1.3 e and 8.3) — which risks are mitigated, transferred, accepted, or avoided, which controls implement each decision, who owns it, and the risk owners' approval
- Information security objectives (Clause 6.2) — measurable, with owners and target dates
- Internal audit programme and results (Clause 9.2) — at least one completed internal audit cycle with findings
- Management review results (Clause 9.3) — documented review covering ISMS performance and the decisions taken
- Nonconformity and corrective action records (Clause 10.2) — evidence that internal audit findings were addressed
Beyond the mandatory set, the auditor will check operational procedures for the controls within your scope — typically incident response, access control, and change management at a minimum.
The SoA deserves particular attention. Auditors cross-reference the SoA against the risk register. If a control is marked not applicable but the risk register shows a risk that control would mitigate, the mismatch is a finding.
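A pre-audit version of that cross-reference you can run yourself, as an added example (not from the page's sources or any CB's tooling): it parses a Statement of Applicability and a risk register from two CSV files, confirms that all 93 Annex A control identifiers are present and each carries a justification, and flags any control that a mitigation plan relies on but the SoA marks not applicable. The two CSV layouts and the sample rows are constructed for the example; the control numbering 5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14 and 8.1 to 8.34 is the ISO/IEC 27001:2022 Annex A structure.

```python
"""Pre-audit consistency checks on a Statement of Applicability (SoA).

Added example, not taken from any certification body or ISO document.
The two CSV layouts are assumptions made for this example; the control
numbering 5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34 is the Annex A structure
of ISO/IEC 27001:2022 (37 + 8 + 14 + 34 = 93 controls).
"""
import csv
import io

# Annex A themes (2022 edition) and the number of controls in each.
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}


def annex_a_control_ids():
    """Return all 93 Annex A control identifiers: '5.1' ... '8.34'."""
    return [f"{theme}.{n}"
            for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


def load_soa(text):
    """Parse SoA CSV (columns: control_id,applicable,justification)."""
    soa = {}
    for row in csv.DictReader(io.StringIO(text)):
        soa[row["control_id"].strip()] = {
            "applicable": row["applicable"].strip().lower() == "yes",
            "justification": row["justification"].strip(),
        }
    return soa


def load_risk_register(text):
    """Parse risk register CSV (columns: risk_id,treatment,controls).

    'controls' holds the Annex A ids the treatment relies on, separated by
    semicolons; it is empty for accepted, transferred or avoided risks.
    """
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        controls = [c.strip() for c in row["controls"].split(";") if c.strip()]
        risks.append({"risk_id": row["risk_id"].strip(),
                      "treatment": row["treatment"].strip().lower(),
                      "controls": controls})
    return risks


def check_soa(soa, risks):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    # 1. Completeness: every Annex A control appears, applicable or not.
    missing = [c for c in annex_a_control_ids() if c not in soa]
    if missing:
        findings.append(("major", f"{len(missing)} Annex A controls absent from SoA: {missing}"))
    # 2. Each row carries a justification, for inclusion and for exclusion.
    for cid, entry in soa.items():
        if not entry["justification"]:
            findings.append(("minor", f"Control {cid}: no justification recorded"))
    # 3. Cross-reference: a control a mitigation plan relies on cannot be N/A.
    for risk in risks:
        if risk["treatment"] != "mitigate":
            continue
        for cid in risk["controls"]:
            if cid not in soa:
                findings.append(("major", f"Risk {risk['risk_id']} relies on {cid}, which is missing from the SoA"))
            elif not soa[cid]["applicable"]:
                findings.append(("major", f"Risk {risk['risk_id']} relies on {cid}, but the SoA marks it not applicable"))
    return findings


# Constructed sample data: a full 93-row SoA in which 8.28 (secure coding) is
# excluded and 7.4 lacks a justification, plus a register whose risk R-07 is
# mitigated by 8.28. That 8.28 mismatch is exactly what an auditor flags.
def sample_soa_csv():
    rows = ["control_id,applicable,justification"]
    for cid in annex_a_control_ids():
        if cid == "8.28":
            rows.append(f"{cid},no,No in-house software development")
        elif cid == "7.4":
            rows.append(f"{cid},yes,")
        else:
            rows.append(f"{cid},yes,Required by risk assessment")
    return "\n".join(rows) + "\n"


SAMPLE_RISK_REGISTER_CSV = """risk_id,treatment,controls
R-03,mitigate,5.15;8.2
R-07,mitigate,8.28;8.8
R-11,accept,
"""


def run_sample():
    """Run the checks on the constructed sample and return the findings."""
    return check_soa(load_soa(sample_soa_csv()),
                     load_risk_register(SAMPLE_RISK_REGISTER_CSV))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

Run it against your real exports before Stage 1; a clean result does not mean the SoA is right, only that it is internally consistent with the register, which is the first thing the auditor tests.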
Stage 1 Format and Duration
Stage 1 typically runs one to two audit days. Many CBs now conduct Stage 1 remotely via video conference, which reduces cost for both parties. The auditor interviews the ISMS manager and one or two control owners, reviews the documentation described above, and produces a written Stage 1 report.
The report records what the auditor saw. Under ISO/IEC 17021-1, Stage 1 findings are not formal nonconformities; the auditor documents "areas of concern that could be classified as nonconformity during the Stage 2 audit." Most CBs nonetheless grade them by severity, and the practical effect is:
| Finding | Meaning | Effect on Stage 2 |
|---|---|---|
| Conformity | Meets the standard | No action required |
| Observation | Area for improvement, not a failure | No action required |
| Area of concern (minor) | Partial failure or isolated gap that would become a minor nonconformity at Stage 2 | Resolve before Stage 2; the Stage 2 auditor checks the fix |
| Area of concern (major) | Absence or total failure of a required element that would become a major nonconformity at Stage 2 | Stage 2 should be deferred until resolved; the CB may revise its Stage 2 arrangements |
Budget four to eight weeks between Stage 1 and Stage 2. Organizations that try to compress this window often arrive at Stage 2 with incomplete corrective actions.
Stage 2: Implementation Audit
Stage 2 is the primary certification audit. The auditor's goal is to verify that the ISMS operates as documented — not just that the documents exist.
What the Auditor Does
The Stage 2 auditor:
- Interviews employees across departments to test security awareness and confirm that staff understand and follow applicable policies
- Reviews evidence of control operation — logs, access review records, incident reports, training records, patch management outputs, change tickets, supplier assessment records
- Traces processes end-to-end — for example, following a security incident from initial detection through containment, recovery, lessons learned, and corrective action
- Samples controls — not every control is tested; the auditor selects a representative sample and may revisit areas that were weak at Stage 1
- Verifies Stage 1 follow-up: if Stage 1 flagged areas of concern, the auditor confirms they were resolved, and any that remain open are raised as nonconformities at Stage 2
How Stage 2 Duration Is Calculated
Audit duration is not arbitrary. ISO/IEC 17021-1 requires the CB to have a documented method for determining audit time, and for ISMS certification that method is specified in ISO/IEC 27006-1. It starts from the number of employees in scope and adjusts for complexity factors such as the number of sites, the extent of outsourcing, and the complexity of the IT environment. The ranges below are what CBs typically quote for Stage 2 at a single-site organization; your figure may differ once those adjustments are applied:
| Employees in Scope | Audit Days (Single Site) |
|---|---|
| 1 to 25 | 3 to 5 days |
| 26 to 45 | 5 to 6 days |
| 46 to 65 | 6 to 7 days |
| 66 to 125 | 7 to 8 days |
| 126 to 175 | 8 to 9 days |
| 176 to 275 | 9 to 10 days |
| 276 to 425 | 10 to 12 days |
Multi-site organizations require additional days based on the site-sampling methodology in IAF MD 1. The CB will provide an audit time calculation as part of the proposal; ask for the methodology if it is not included.
Questions Auditors Regularly Ask
These are not scripted questions; they reflect the areas the standard requires auditors to probe:
- "Show me your most recent risk assessment. How did you set the likelihood and impact scales?"
- "Walk me through your last security incident — from detection through resolution."
- "How do you verify that third-party suppliers meet your security requirements?"
- "What security training did this employee receive, and when? Can you show me the record?"
- "Show me evidence that management reviewed the ISMS performance in the past year."
- "How do you identify, track, and close vulnerabilities?"
Run at least one internal mock interview session before Stage 2. The goal is not to rehearse answers but to confirm that control owners can locate evidence quickly and explain what they do in plain terms.
Understanding Nonconformities
Categories and Consequences
Auditors classify findings into four types. Two are nonconformities and require a formal corrective action response; two are advisory:
| Finding Type | Definition | Effect on Certification |
|---|---|---|
| Major nonconformity | Absence or total failure of a required control or clause requirement | Certificate cannot be issued until resolved and verified by the CB |
| Minor nonconformity | Isolated failure, partial implementation, or isolated lapse in an otherwise functioning control | Certificate can be issued; corrective action must be submitted and accepted within the timeframe the CB sets (typically three months) |
| Observation | Potential weakness that does not yet constitute a failure | No corrective action required; addressable through continuous improvement |
| Opportunity for improvement | A suggestion from the auditor | Optional |
A single major nonconformity is enough to defer the certificate. If Stage 2 ends with only minor nonconformities, the CB can take the certification decision once it has reviewed and accepted your corrections, root cause analysis, and corrective action plan; the auditor then verifies at the first surveillance audit that the actions were carried out and are effective. The certificate itself is not marked provisional.
Responding to Nonconformities
The standard response structure for each nonconformity:
- Root cause analysis — why did the gap exist? Use 5 Whys or a structured method. Auditors read these closely and can identify when the analysis is superficial.
- Corrective action — what specific change prevents recurrence? Not a restatement of the problem.
- Evidence of implementation — screenshots, updated records, revised procedures — whatever demonstrates the action was taken.
- Verification of effectiveness — evidence that the corrective action worked, such as a follow-up review or a sample of the control operating correctly after the fix.
The auditor evaluates the quality of the corrective action response alongside the fix itself. A thorough root cause analysis and a targeted corrective action signal ISMS maturity, which matters at surveillance and recertification.
Choosing a Certification Body

What to Evaluate
Accreditation status. Check iafcertsearch.org and the accreditation body's own directory before signing anything. Confirm the accreditation covers ISO/IEC 27001 specifically, not just management systems in general.
Industry experience. CBs that have audited in your sector — healthcare, financial services, SaaS, defense — will recognize your control environment faster and ask more relevant questions. Ask which sectors the assigned auditor has experience in.
Geographic coverage. Multi-site organizations benefit from CBs with local auditors. Travel costs are typically billable on top of the day rate.
Pricing. Get quotes from at least three CBs. For the same scope, quotes often vary substantially. Unusually low quotes may reflect limited auditor experience or accreditation gaps — check both before accepting.
Transfer policy. If you need to switch CBs mid-cycle, the new CB conducts a pre-transfer review under IAF MD 2 rather than starting the certification over. Only a valid accredited certificate can be moved: a suspended certificate cannot be transferred, and open nonconformities must be dealt with before or as part of the transfer. Confirm the CB's policy and that they accept transfers.
Remote vs. On-Site Audits
IAF MD 4 allows remote auditing techniques. Stage 1 is commonly conducted fully remote via video conference. Stage 2 may be partially or fully remote depending on CB policy and the nature of your controls. Physical security controls — data center access controls, clean-desk enforcement, visitor management — typically require on-site verification. Ask the CB how they handle hybrid scopes.
Preparing for the Audit
Documentation Readiness
In the four to six weeks before Stage 2, confirm:
- All mandatory documents are current, approved, and version-controlled
- The SoA reflects the current risk assessment — if new risks appeared since the last update, the SoA should reflect the treatment decisions
- Internal audit completed within the past 12 months, with findings documented
- Management review completed within the past 12 months, with records showing decisions and follow-up actions
- All internal audit corrective actions are closed or formally in progress with evidence
Evidence Preparation
Organize three to six months of operational evidence before the audit, not during it. The auditor will request samples; you want retrieval to take minutes, not hours. Focus on:
- Security incident logs with detection time, response actions, and resolution
- Access review records showing periodic reviews were conducted and acted on
- Training records for all in-scope personnel
- Change management records from the audit period
- Backup and recovery test results
- Vulnerability scan results and the remediation actions taken
- Supplier security assessment records
Gaps in evidence are a common source of minor nonconformities at Stage 2. The control may have operated correctly, but if the record was not kept, the auditor cannot confirm it.
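An added example (not from the page or any CB) of the continuity check behind this advice: given an index of evidence records and the expected cadence of each control, it lists every completed period in the audit window with no record on file, which is the gap an auditor sampling that control would find. The index layout, control names and dates are constructed; a period that has not yet ended when the window closes (a quarter one month old, say) is deliberately not counted as a gap.

```python
"""Find gaps in periodic control evidence before the auditor does.

Added example, not from the page's sources or any certification body.
The evidence index layout, control names and dates are constructed.
"""
import calendar
from datetime import date

# Constructed evidence index: control -> (expected cadence, dates of records on file).
EVIDENCE = {
    "access review": ("monthly", ["2025-11-28", "2025-12-30", "2026-02-27",
                                  "2026-03-31", "2026-04-29"]),
    "backup restore test": ("quarterly", ["2025-12-15", "2026-03-20"]),
    "vulnerability scan": ("monthly", ["2025-11-03", "2025-12-01", "2026-01-05",
                                       "2026-02-02", "2026-03-02", "2026-04-06"]),
}


def period_bounds(d, cadence):
    """Return (period key, last day of that period) for the period containing d."""
    if cadence == "monthly":
        last = date(d.year, d.month, calendar.monthrange(d.year, d.month)[1])
        return f"{d.year}-{d.month:02d}", last
    if cadence == "quarterly":
        q = (d.month - 1) // 3 + 1
        end_month = 3 * q
        last = date(d.year, end_month, calendar.monthrange(d.year, end_month)[1])
        return f"{d.year}-Q{q}", last
    raise ValueError(f"unknown cadence: {cadence}")


def expected_periods(start_iso, end_iso, cadence):
    """Period keys whose last day falls inside [start, end].

    A period still running when the window closes is not expected to have
    evidence yet, so it is skipped rather than reported as a gap.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    keys = []
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        key, last = period_bounds(date(y, m, 1), cadence)
        if start <= last <= end and key not in keys:
            keys.append(key)
        m += 1
        if m > 12:
            y, m = y + 1, 1
    return keys


def find_gaps(evidence, start_iso, end_iso):
    """Return {control: [period keys with no record]} for the audit window."""
    gaps = {}
    for control, (cadence, records) in evidence.items():
        covered = {period_bounds(date.fromisoformat(r), cadence)[0] for r in records}
        missing = [p for p in expected_periods(start_iso, end_iso, cadence)
                   if p not in covered]
        if missing:
            gaps[control] = missing
    return gaps


if __name__ == "__main__":
    # Six-month window ending the day before the audit starts.
    for control, periods in find_gaps(EVIDENCE, "2025-11-01", "2026-04-30").items():
        print(f"{control}: no evidence for {', '.join(periods)}")
```

On the constructed data the only gap is January 2026 for the access review; the quarterly restore test is not flagged for Q2 2026 because that quarter has not closed. A missing month found this way a month before Stage 2 can still be explained (and often a late review performed) before it becomes a minor nonconformity.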
Personnel Preparation
Three roles receive the most auditor attention:
- ISMS manager — must explain the ISMS scope, risk methodology, and how the management system connects policy to control operation
- Control owners — must demonstrate how their specific control works and produce evidence on request
- Management sponsor — asked about resource allocation decisions and why the organization pursued certification
All in-scope employees should be able to name the information security policy and explain what they do when they receive a suspicious email or identify a potential security incident.
Surveillance Audits (Years 1 and 2)
Certification is valid for three years, but it is not self-sustaining. Your CB conducts surveillance audits annually in years one and two. These are shorter than the initial Stage 2 — typically covering 30 to 40 percent of the Stage 2 scope — and focus on:
- Verifying that prior nonconformities were resolved and the corrective actions held
- Confirming the ISMS continues to operate as designed
- Reviewing any changes to scope, business processes, or risk landscape since the last audit
- Sampling controls not reviewed in the previous audit cycle
Surveillance audits can still produce nonconformities. Unresolved major nonconformities from surveillance can lead to certificate suspension. Organizations that maintain consistent evidence collection between audits find surveillance substantially easier than the initial certification.
Recertification Audit (Year 3)

At the end of the three-year cycle, a full recertification audit is required, and it must be completed before the certificate expires. Under ISO/IEC 17021-1 it is normally a single audit of similar depth to Stage 2; a separate Stage 1 is repeated only where the ISMS, the organization, or its operating context have changed significantly. The CB's starting point is your three-year audit history. Recertification auditors typically sample areas that were weak in prior audits and check whether the organization's control environment has kept pace with changes in the business.
Organizations that kept their ISMS documentation current and addressed surveillance findings promptly tend to find recertification smoother than the initial certification, because the auditor has a track record to evaluate rather than starting from scratch.
After recertification, the three-year cycle repeats.
Frequently Asked Questions
How long does the full audit process take from Stage 1 through certificate issuance?
Stage 1 takes one to two days. Stage 2 takes three to twelve days depending on the employee count in scope. After Stage 2, the CB's technical review and certification decision typically add two to four weeks. Add the four to eight weeks normally left between the two stages and you should budget roughly six to twelve weeks from the start of Stage 1 to receiving the certificate, assuming no major nonconformities need resolving.
Can the audits be conducted remotely?
Yes. IAF MD 4 permits remote auditing techniques. Stage 1 is almost always available remotely. Stage 2 is frequently conducted as a hybrid — remote for documentation review and interviews, on-site for physical control verification. Confirm the CB's remote audit policy before booking.
What happens if Stage 2 ends with major nonconformities?
The certificate is not issued. You address the nonconformities and submit evidence to the CB. Depending on how many and how significant, the CB may accept documented evidence without a return visit, or schedule a follow-up audit to verify the fixes on-site. Ask the CB about their policy on this before Stage 2, so you know what to expect.
Can we switch certification bodies mid-cycle?
Yes. The new CB conducts a pre-transfer review under IAF MD 2, confirming that the certificate is accredited, valid and not suspended and that any open nonconformities are dealt with, and then continues the existing three-year cycle rather than starting a new one. Transfer is common when organizations are dissatisfied with audit quality, need a CB with specific industry credentials, or want to consolidate multiple management system certifications under one firm.
What does the 2022 version of the standard change for the audit?
ISO/IEC 27001:2022 reorganized Annex A from 114 controls across 14 domains to 93 controls across four themes — Organizational (37 controls), People (8), Physical (14), and Technological (34) — and added 11 new controls covering areas such as threat intelligence, cloud services security, and secure coding. Auditors verify against the 2022 version for all new certifications and recertifications. Organizations that certified under the 2013 version had until October 2025 to transition, per IAF MD 26:2023.
Is ISO 27001 certification the same as SOC 2?
No. ISO 27001 certification is issued by an accredited third-party CB after a conformance audit under ISO/IEC 17021-1. It produces a certificate valid for three years. SOC 2 is an attestation report issued by a licensed CPA firm under AICPA standards, covering a defined observation period. The two frameworks serve different markets, apply different methodologies, and produce different output documents. They are not interchangeable.
Sources used
- ISO/IEC 17021-1 — accessed 2026-05-12
- accredited certification bodies — accessed 2026-05-12
- ISO/IEC 27001:2022 — accessed 2026-05-12
- BSI Group — accessed 2026-05-12
- DNV — accessed 2026-05-12
- TÜV SÜD — accessed 2026-05-12
- LRQA — accessed 2026-05-12
- 93 controls across four themes — accessed 2026-05-12
- IAF MD 26:2023 — accessed 2026-05-12
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
