What ISO 27001 Stage 1 vs Stage 2 Audits Actually Look Like – SME Guidance

[Illustration: an SME team reviewing ISO 27001 Stage 1 documentation and Stage 2 audit evidence in a structured digital workspace, showing policies, risk registers, and workflow diagrams.]

ISO 27001 certification audits can appear challenging for SMEs and startups, particularly for teams new to formal assessments. The audit process typically follows a two-stage structure:

  • Stage 1 – Documentation and readiness review
  • Stage 2 – Full implementation and evidence verification

Understanding how each stage is usually conducted may give teams greater clarity on common audit practices and help them organise evidence. This guide outlines what Stage 1 and Stage 2 commonly involve, the types of documentation and evidence auditors may request, and practical considerations for small teams preparing for certification.

Why This Article Matters for SMEs and Startups

SMEs and startups often search for guidance when approaching ISO 27001 certification audits. Common questions include:

  • How Stage 1 and Stage 2 audits differ
  • What types and amount of evidence auditors typically review
  • Expected duration of each audit stage
  • Frequent issues that may cause delays
  • Ways to organise ISMS documentation and processes efficiently

This guide provides a clear, SME-focused overview of the ISO 27001 audit process using concise, accessible language.

ISO 27001 Audit Overview: The Two-Stage Process Explained

ISO 27001 certification audits generally follow a two-stage approach designed to review both the design and practical operation of your ISMS:

  • Stage 1 Audit: Review of documentation and readiness
  • Stage 2 Audit: Verification of implementation and evidence

This two-step process allows auditors to identify and address any foundational issues before the complete certification assessment. Understanding this structure helps SMEs and startups organise ISMS materials, gather evidence efficiently, and navigate the audit process with greater clarity.

What Stage 1 vs Stage 2 Audits Typically Involve

A practical overview of what SMEs and small teams may expect during ISO 27001 certification audits.

ISO 27001 Stage 1 Audit Overview

Stage 1 generally takes around 0.5 – 1.5 days, depending on ISMS complexity, auditor discretion, and the certification body’s approach, and is often conducted remotely.

Purpose of Stage 1

Depending on the certification body, Stage 1 generally involves reviewing documentation readiness and assessing whether the ISMS appears structured enough to proceed to Stage 2. Auditors typically look for:

  • Presence of ISMS documentation
  • Alignment with ISO/IEC 27001:2022 requirements
  • Logical connection between risks, controls, and evidence
  • Basic indicators of implementation

This stage focuses on documentation rather than detailed control testing.

Typical Stage 1 Review

[Illustration: an SME team organising policies, risk registers, and the Statement of Applicability for the ISO 27001 Stage 1 documentation review.]

Auditors may examine:

  • ISMS scope, risk assessment, and methodology
  • Risk treatment plan and Statement of Applicability
  • Information security policy and the other essential policies typically required by the standard
  • Documented procedures, internal audit reports, and management review minutes
  • High-level leadership involvement

Additional context may include: tech stack overview, roles and responsibilities, system and architecture diagrams, and supplier and cloud service summaries.

Common Stage 1 Questions

Typical questions may include:

  • “How was the scope determined?”
  • “How is the risk register maintained?”
  • “Who is responsible for which controls?”
  • “How is documentation maintained?”
  • “How are internal audits performed?”
  • “How does leadership evaluate ISMS performance?”

Output of Stage 1

The outputs of Stage 1 may include:

  • Stage 1 Audit Report
  • Findings, if any
  • Readiness feedback for Stage 2
  • Suggested Stage 2 timing

Findings are often minor and typically relate to documentation completeness or clarity.

Common Stage 1 Issues SMEs May Face

  • Incomplete or unclear Statement of Applicability
  • Risk assessment not linked to Annex A controls
  • Management review not documented
  • Internal audit not completed
  • Scope unclear or overly broad
  • Policies lacking structure or ownership

Many issues can typically be addressed with organised documentation.

ISO 27001 Stage 2 Audit Overview

Stage 2 generally takes around 1 – 3 days, depending on ISMS size, complexity, and auditor discretion. It can be conducted remotely or on-site, depending on the certification body’s methodology, the availability of evidence, and the organisation’s operational setup. This stage typically focuses on verifying implementation and reviewing operational evidence for a sample of controls.

Purpose of Stage 2

Depending on the certification body, Stage 2 generally involves assessing whether the ISMS appears to operate effectively in practice. Auditors may review:

  • Implementation of Annex A controls from the Statement of Applicability (SoA)
  • Staff adherence to documented processes
  • Consistency and maintenance of evidence
  • Operation of the ISMS across the year

This stage emphasises practical evidence rather than documentation alone.

Typical Stage 2 Evidence Review

[Illustration: an SME-friendly dashboard for organising and reviewing practical ISO 27001 Stage 2 audit evidence.]

Evidence auditors commonly sample, by area:

  • Access Management: Onboarding / offboarding records, access reviews, MFA, administrative approvals
  • Asset Management: Device inventory, encryption status, lost device handling
  • Supplier Management: Supplier lists, SLAs / contracts, risk assessments, reviews
  • Incident Management: Incident logs, investigations, post-incident reviews
  • Business Continuity: Business impact analysis (BIA), RTO / RPO definitions, testing or simulation evidence
  • Training: Completion records, schedules, induction / refresher logs

Additional areas may include monitoring logs, change approvals, internal audit outcomes, management review decisions, and document version control.

Typical Stage 2 Interview

Auditors may speak with multiple roles to understand operational practice:

  Role           | Typical Topics
  ---------------|-------------------------------------------------------------
  Founder / CEO  | Leadership, scope, objectives
  Engineering    | Access control, change management, deployment workflow
  Operations     | Supplier management, onboarding / offboarding, training
  Security / IT  | Monitoring, assets, incident handling

Interviews are generally conversational and process-focused.

Output of Stage 2

The Stage 2 Audit Report may include:

  • Conformities
  • Observations
  • Nonconformities (if any)
  • Recommendation for certification (or justification for withholding)

The certification panel usually performs a final review before the certificate may be issued.

Common Stage 2 Issues SMEs Encounter

  • Missing evidence for controls listed in the SoA
  • Inconsistent access reviews
  • Incomplete supplier assessments
  • Incident management processes not tested
  • Business continuity activities incomplete
  • Partial training records
  • Inconsistent control application across teams

Many issues relate to missing or inconsistent evidence and may require additional corrective actions.

Nonconformities (NCs): Remediation and Timelines

During Stage 2, auditors may identify nonconformities (NCs). Certification is typically paused until NCs are addressed, as per the specific policies of the certification body. NCs are generally classified as:

  • Minor NCs: Localised gaps or process weaknesses. An action plan is typically requested, outlining how and when the issue will be addressed.
  • Major NCs: More significant failures to meet a specific standard requirement or critical ISMS gaps. Evidence of resolution is typically required before certification can be recommended.

Closure Window: Certification bodies often request that NCs (Minor and Major) are addressed, or that action plans are formally accepted, within roughly 90 days of the last audit day; actual requirements may vary. Missing this window may result in additional review or in repeating parts of the certification process. Any associated fees or costs are determined by, and may vary according to, the certification body.

Stage 1 vs Stage 2 – Side-by-Side Comparison

[Illustration: comparison of the ISO 27001 Stage 1 documentation review with the Stage 2 practical evidence verification for SMEs.]

  Category          | Stage 1                                              | Stage 2
  ------------------|------------------------------------------------------|------------------------------------------------------
  Purpose           | Readiness check                                      | Verification of implementation and evidence
  Focus             | Documentation review                                 | Evidence review and process implementation
  Duration          | Around 0.5 – 1.5 days, depending on ISMS complexity, | Around 1 – 3 days, depending on ISMS size, complexity,
                    | auditor discretion, and the certification body’s     | and auditor discretion
                    | approach                                             |
  Interviews        | High-level overview                                  | Detailed discussions across roles
  Evidence          | Minimal                                              | Requested for sampled controls
  Non-conformities  | Findings may affect scheduling of Stage 2            | NCs (minor or major) may affect certification until addressed
  Output            | Gap list, readiness feedback                         | Audit report with observations and recommendations

How SMEs Can Prepare Efficiently for Stage 1 and Stage 2

Preparation can be approached in a structured, manageable way. Small teams often find that clear organisation and consistent documentation reduce stress during audits.

Stage 1 Preparation Tips

  • Review that the risk assessment and Statement of Applicability (SoA) appear clearly connected.
  • Prepare a well-organised document pack.
  • Complete internal audit and management review: Many teams find it helpful to complete at least one cycle of internal audit and management review before Stage 1, as auditors commonly review these activities to assess operational insight.
  • Keep scope statements concise and realistic.
  • Review policies to confirm they reflect current processes.

Stage 2 Preparation Tips

  • Conduct a pre-audit review of evidence.
  • Organise evidence in a clear folder structure.
  • Check onboarding and offboarding records.
  • Review supplier assessments and associated documentation.
  • Confirm device inventory and encryption records.
  • Check training records for completeness.
  • Review incident logs and related records.

When SMEs Typically Schedule Stage 2

Most certification bodies suggest leaving around 4 – 8 weeks between Stage 1 and Stage 2 audits. This allows teams time to review Stage 1 findings and organise additional evidence.

Small teams with a more established ISMS may schedule Stage 2 sooner, while newer teams might benefit from extra preparation time to address documentation or process gaps.

After Stage 2 – Typical Next Steps

Following Stage 2, the certification body usually reviews the auditor’s report through its internal panel. This step helps ensure consistency, quality assurance, and alignment with the certification body’s own internal procedures. If the review is favourable, the ISO 27001 certificate may be issued.

Certificates are often valid for up to three years, with annual surveillance audits typically conducted to assess ongoing ISMS conformance.

Final Takeaway for SMEs and Startups

ISO 27001 certification audits generally follow a two-stage approach:

  • Stage 1: Focuses on documentation and ISMS structure.
  • Stage 2: Examines implementation and operational evidence.

For smaller teams, keeping processes clear, simple, and aligned with everyday operations can support smoother audits. The audit aims to demonstrate organised, repeatable practices rather than producing perfect documents; however, successful certification is always subject to the final review of the certification body.

Practical ISO 27001 templates may assist teams in organising documentation, tracking evidence, and preparing audit materials.

Next Step: For teams seeking structure, practical ISO 27001 templates may be helpful to explore here.

Next Article: In ISO 27001 Certification Costs for SMEs in 2026 – Estimates and Budget Guide, we outline typical ISO 27001 certification costs for SMEs in 2026, including fees, training, internal resources, and potential re-audit expenses.

Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.