Most organisations that fail their ISO 27001 audit — or receive more findings than expected — do not fail because they have poor security. They fail because of avoidable preparation mistakes: documentation that does not match practice, processes that exist on paper but not in operation, and gaps that a structured pre-audit review would have identified.
First-time certification is achievable without major findings. It requires understanding what auditors actually look for at each stage, running a rigorous internal audit before the external one, and being honest with yourself about where the gaps are. This guide gives you the practical preparation framework.
Understanding the Two Stages
The certification process has two distinct stages, and preparation for each is different.
Stage 1 is a readiness review — sometimes called a documentation review or desktop audit. The auditor is assessing whether your ISMS is sufficiently mature and documented to proceed to Stage 2. They review your key documentation, confirm the scope is clearly defined, and identify any significant gaps that would prevent a successful Stage 2 audit.
Stage 1 typically takes half a day to one day on-site or remotely. Findings at Stage 1 are usually documented as observations or areas for attention before Stage 2, rather than formal nonconformities. The practical purpose is to ensure that proceeding to Stage 2 is worthwhile — not to fail you outright.
Stage 2 is the certification assessment — the substantive audit. Auditors assess whether your ISMS is implemented and operating effectively, not just documented. They interview staff, examine records and evidence, and sample controls across your control set and the standard’s clauses.
Stage 2 is where most findings occur. Preparation for Stage 2 should be significantly more thorough than for Stage 1.
What Auditors Are Actually Assessing
Before preparing, it helps to understand what auditors are looking for. A common misconception is that an ISO 27001 audit is primarily a documentation review. It is not. Documentation is necessary but not sufficient.
Auditors are looking for evidence of a functioning management system — one that:
Is embedded in real operations. Policies that staff have never read, risk assessments that were completed by a consultant and never reviewed internally, procedures that do not match how work actually happens — these gaps surface quickly under interview.
Produces meaningful outputs. Management review minutes with real discussion and real decisions. An internal audit that found things and produced corrective actions. A risk register that reflects your actual operating environment.
Is controlled and maintained. Documents with approval records, current review dates, and accessible locations. Not a folder of unlabelled Word documents.
Shows evidence of continual improvement. Even for a first certification, auditors look for evidence that the ISMS has developed since implementation began — issues identified, addressed, and improved upon.
Stage 1 vs Stage 2: What You Need Ready
Stage 1 reviews your readiness — Stage 2 assesses whether your ISMS is actually working in practice
Stage 1 Preparation
Key documents the auditor will want to see
At Stage 1, your auditor will typically request:
- Scope statement — clear, specific, and reflective of actual operations
- Information Security Policy — approved at senior management level, current, accessible
- Risk assessment and risk treatment plan — completed, risk owner-signed, treatment decisions documented
- Statement of Applicability — all 93 Annex A controls of ISO/IEC 27001:2022 addressed, with each inclusion or exclusion justified
- Information security objectives — defined, measurable, with owners
- ISMS documented information list — an overview of your document set
What triggers a Stage 1 failure
Stage 1 findings that prevent proceeding to Stage 2 are rare, but they do happen. The most common triggers:
- Scope statement so vague or contradictory that the auditor cannot determine what the ISMS covers
- Risk assessment not completed or clearly inadequate
- Statement of Applicability missing or not covering all Annex A controls
- No information security policy
- Evidence that the ISMS is purely theoretical with no implementation activity
If any of these are outstanding, address them before Stage 1 — not after. Stage 1 findings that require significant remediation before Stage 2 extend your timeline by weeks.
Stage 2 Preparation
Stage 2 preparation is where the real work is, and where most first-time candidates underinvest.
Run a full internal audit first
The single most effective preparation activity for Stage 2 is a rigorous internal audit conducted by someone other than the ISMS lead — either another qualified internal auditor or an external consultant. The internal audit should cover the full scope of the ISMS and all applicable clauses.
The purpose is to find the gaps before the certification body does. A well-executed internal audit will surface the same findings the external auditor would find — giving you time to close them before Stage 2.
An internal audit conducted by the ISMS lead auditing their own work is significantly less reliable. Internal auditors must be independent of the processes they are auditing.
Ensure your documentation matches reality
The most common source of Stage 2 findings is a gap between what documentation says and what actually happens. Before your audit:
- Walk through your incident response procedure with the people who would actually follow it. Does it match how they would respond?
- Review your access control procedure against how access is actually provisioned and reviewed
- Check your supplier register against your actual supplier list — are there services missing?
- Confirm that approval records on documents are genuine and current
If procedures do not reflect reality, either update the procedure or change the practice — but the two must align.
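The access control walkthrough above is the one most easily mechanised. As an added example (not from the article; the users, systems and review dates below are constructed for illustration), this Python script reconciles a documented access register against a live account export in both directions and then checks that recorded access reviews actually happened at the cadence the procedure promises. It assumes the register and the export can each be reduced to a mapping of user to set of systems; the 92-day interval stands in for "quarterly". The cadence check corresponds to the "Access review not completed" finding described later on this page.

```python
"""Added example, not part of the article: reconcile documented access against
live accounts, and test the stated access-review cadence against the evidence.
Every name, system and date here is constructed sample data."""
from datetime import date

# Constructed sample: what the access register (documented information) says.
ACCESS_REGISTER = {
    "alice": {"systems": {"crm", "vpn"}, "status": "active"},
    "bob":   {"systems": {"crm"}, "status": "leaver"},          # left last month
    "carol": {"systems": {"vpn", "prod-db"}, "status": "active"},
}

# Constructed sample: what an identity-provider / system export shows today.
LIVE_ACCOUNTS = {
    "alice": {"crm", "vpn", "prod-db"},   # prod-db grant is not in the register
    "bob":   {"crm"},                     # leaver whose account is still enabled
    "dave":  {"vpn"},                     # account the register knows nothing about
}

# Constructed sample: dates on which completed access reviews were recorded.
REVIEW_RECORDS = [date(2024, 1, 15), date(2024, 4, 10), date(2024, 9, 2)]
REVIEW_INTERVAL_DAYS = 92          # "quarterly", as the procedure states it
AS_OF = date(2024, 11, 1)          # the day the pre-audit check is run


def reconcile_access(register, live):
    """Return the four gap types an auditor samples for: leavers still active,
    grants beyond what is documented, accounts absent from the register, and
    register entries for which no live account exists (a stale register)."""
    findings = {
        "leaver_active": [],
        "undocumented_grant": [],
        "unregistered_account": [],
        "documented_but_absent": [],
    }
    for user, systems in live.items():
        entry = register.get(user)
        if entry is None:
            findings["unregistered_account"].append(user)
            continue
        if entry["status"] == "leaver":
            findings["leaver_active"].append(user)
        for system in sorted(systems - entry["systems"]):
            findings["undocumented_grant"].append((user, system))
    for user, entry in register.items():
        if entry["status"] == "active" and user not in live:
            findings["documented_but_absent"].append(user)
    return findings


def review_cadence_gaps(review_dates, interval_days, as_of):
    """Flag every interval between consecutive reviews, and from the last
    review to as_of, that exceeds the interval the procedure promises.
    Returns a list of (earlier, later, days) tuples; an empty list means the
    evidence supports the stated cadence."""
    checkpoints = sorted(review_dates) + [as_of]
    gaps = []
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        delta = (later - earlier).days
        if delta > interval_days:
            gaps.append((earlier, later, delta))
    return gaps


if __name__ == "__main__":
    for kind, items in reconcile_access(ACCESS_REGISTER, LIVE_ACCOUNTS).items():
        print(f"{kind}: {items}")
    for earlier, later, days in review_cadence_gaps(
        REVIEW_RECORDS, REVIEW_INTERVAL_DAYS, AS_OF
    ):
        print(f"review gap of {days} days between {earlier} and {later}")
```

On the sample data the reconciliation reports bob as an active leaver, alice's prod-db grant as undocumented, dave as unregistered and carol as documented but absent, and the cadence check flags the 145-day gap between the April and September reviews. Each of those is the kind of documentation-versus-reality gap a Stage 2 auditor finds by interview and sampling; finding it yourself first turns a likely minor nonconformity into a closed corrective action.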
Prepare your evidence packs
Stage 2 auditors will ask for evidence of control implementation. Having this organised in advance saves time during the audit and demonstrates that the ISMS is well-managed. Key evidence packs to prepare:
- Access control: who has access to what systems, recent access reviews, leaver process records
- Training and awareness: completion records, materials, dates
- Incident management: incident log (even if empty, the log should exist), any closed incidents with records
- Risk assessment: current version, review history, treatment plan
- Supplier management: supplier register, assessment records, contracts with security clauses
- Internal audit: report, findings, corrective action records
- Management review: minutes, actions, attendance
Brief your staff
Auditors interview staff — not just the ISMS lead. At Stage 2, a certification auditor will typically speak with two or three people across different functions. These conversations are a key source of evidence for or against control effectiveness.
Brief staff on what to expect: the auditor will ask about their awareness of security policies, how they handle certain situations (e.g. what they would do if they noticed a security incident), and what training they have received. Staff should answer honestly — auditors are experienced at detecting coached responses, and honest answers that reveal gaps are more useful than rehearsed answers that don’t.
The brief should reassure staff that there are no wrong answers — the audit is an assessment of the system, not of individuals. Staff who are nervous or evasive in interviews do not help the process.
The Common First-Time Failures
These are the most frequent findings at first-time Stage 2 audits.
First-Time Audit Findings: What Trips Organisations Up
Most first-time findings are avoidable — they reveal gaps between documentation and reality
Nonconformity: Internal audit not conducted. If you have not conducted an internal audit before Stage 2, the auditor will raise a nonconformity, and normally a major one. There is no flexibility on this: internal audits at planned intervals are a clause 9.2 requirement.
Nonconformity: Management review not conducted. Similarly, if the management review required by clause 9.3 has not taken place before Stage 2, or if the evidence is very thin, this is a finding. Top management must take part and all the inputs the clause lists must be addressed and minuted.
Nonconformity: Risk assessment not reviewed or approved. A risk assessment completed months ago and never reviewed by risk owners is not a current, authorised document. Clause 6.1.3 requires risk owners to approve the risk treatment plan and accept the residual risks, so there should be records showing that they did.
Minor nonconformity: Access review not completed. Stating in your access control procedure that access reviews happen quarterly, and then having no evidence of a completed review, is a minor finding.
Minor nonconformity: Training not completed for all staff. An awareness training programme that has not been completed by all in-scope staff, or where records are incomplete, is a common finding.
Observation: Documentation not accessible to staff. Policies stored somewhere staff cannot easily find them — particularly if staff interviewed cannot locate them — is an observation if not a formal finding.
Managing Findings During the Audit
Stage 2 audits typically end with a closing meeting where the auditor presents their findings. Do not be defensive. Auditors are experienced professionals and their findings are generally accurate — pushing back on well-evidenced findings rarely succeeds and can make the process more difficult.
For minor nonconformities, you will typically have a defined window (often 30, 60, or 90 days depending on the certification body) to provide evidence of corrective action. You do not need to have implemented the fix during the audit — you need a credible corrective action plan and evidence of implementation within the agreed period.
For major nonconformities, certification cannot proceed until the issue is remediated and the auditor is satisfied. This may require a follow-up visit or remote evidence submission. Major findings extend your timeline but are not necessarily fatal to first-time certification if addressed promptly.
Timeline: When to Do What
At least 8 weeks before Stage 2: Complete your internal audit. Allow time to address findings before the external audit.
At least 6 weeks before Stage 2: Hold your management review. Minutes should be complete and actions logged.
At least 4 weeks before Stage 2: Confirm all key documents are approved, current, and accessible. Complete staff training. Close as many internal audit corrective actions as possible.
2 weeks before Stage 2: Brief staff who may be interviewed. Prepare evidence packs. Confirm access control reviews have been completed and recorded.
1 week before Stage 2: Walk through your document register and confirm nothing is obviously missing. Confirm who is available on audit day and what rooms or facilities the auditor needs.
Common Mistakes
Starting Stage 2 before genuinely being ready. The temptation to proceed to Stage 2 before the ISMS is truly operational — because of commercial pressure or project timelines — is understandable but counterproductive. A Stage 2 audit with major findings delays certification longer than waiting another few weeks to get ready.
Overpreparing on documentation and underpreparing on operation. Organisations sometimes focus intensely on producing comprehensive documentation and underinvest in actually implementing and operating controls. Thick policy manuals with no evidence of operation do not pass Stage 2.
Conducting the internal audit and management review in the week before Stage 2. Both should have completed with enough time to act on their outputs. An internal audit completed two days before Stage 2 with no time to address findings is not meaningful preparation.
Not coaching — but also not briefing — staff. There is a balance between coaching staff to give particular answers (counterproductive) and leaving them entirely unprepared (also counterproductive). Staff should know what the audit is, why it is happening, and what kinds of questions to expect.
FAQs
What happens if we get a major nonconformity at Stage 2?
Certification is paused until the major nonconformity is remediated. The certification body will specify the remediation window and how evidence of closure should be provided. In some cases a follow-up audit visit is required; in others, documentary evidence is sufficient. Most organisations with a single major finding can still achieve certification in the same cycle after remediation.
Can we request a specific auditor for Stage 2?
You can express preferences, and certification bodies will try to accommodate reasonable requests — particularly continuity with the Stage 1 auditor or a request for sector-specific experience. You cannot guarantee a specific individual, and changes do occur. What the auditor knows about your business from Stage 1 is captured in their Stage 1 report regardless.
Should we hire a consultant to help with preparation?
It depends on your internal capability. Organisations with experienced internal resource who understand the standard well can prepare effectively without a consultant. Organisations where the ISMS lead is new to ISO 27001, where time is constrained, or where previous audit attempts have resulted in findings often benefit significantly from external support. A good consultant does not do the work for you — they help you identify and close gaps efficiently.
How long after Stage 2 do we receive the certificate?
Most certification bodies issue the certificate within two to four weeks of a successful Stage 2 audit, once the internal review and any minor nonconformity evidence has been processed. Some bodies can expedite this for urgent commercial requirements. Ask your certification body about their typical turnaround time when booking.
What is the difference between an observation and a nonconformity?
An observation is an auditor’s note of something that is not quite right but does not constitute a breach of the standard — perhaps a process that works but could be improved, or an area that might become a finding if not addressed. Observations do not require formal corrective action but should be noted and addressed in the ISMS improvement process. Nonconformities — minor or major — require documented corrective action and closure evidence.

