If you go through an accredited certification process (for example, in the UK, a UKAS-certified body like BSI), you’ll undergo a two-stage audit for your ISO 27001 certification. The Stage 1 audit is the first (surprise!). It’s sometimes called the “documentary review” or the “readiness review”, and it’s the point at which your documentation is formally reviewed by a third-party auditor for the first time.
Many organisations are nervous about going into their ISO 27001 Stage 1 audit, but they shouldn’t be: it’s designed to be a readiness check, not a pass-or-fail test. Going in underprepared, however, will create problems that slow down your path to Stage 2.
[Figure: The ISO 27001 Certification Journey, showing where Stage 1 sits in the full path to certification]
The auditor doesn’t want to waste their time or yours if your organisation clearly isn’t ready, so they do a quick one-day run-through to ensure all the major components of an ISMS are in place.
What Is the Stage 1 Audit?
The Stage 1 audit is a basic documentary review.
The auditor isn’t yet checking whether your Annex A controls are working in practice; they’re checking whether your ISMS is designed correctly and whether you’re ready for the evidence-based Stage 2 review.
Stage 1 vs Stage 2: What's the Difference?
The two-stage certification process serves very different purposes. Here's what to expect from each.
Stage 1: Documentary Review
- ISMS scope document
- Information security policy
- Risk assessment & methodology
- Statement of Applicability
- Risk treatment plan
- Internal audit & management review records
Stage 2: Evidence Review
- Evidence that controls are operating
- Staff interviews & knowledge checks
- Access control logs & records
- Training records
- Incident logs
- Supplier review evidence
In practical terms, this means the auditor will:
- Review your core ISMS documentation
- Check that your scope is clearly defined and appropriate
- Confirm that your risk assessment methodology is sound
- Assess your Statement of Applicability
- Identify any obvious gaps in your documentation
- Confirm whether you’re ready to proceed to Stage 2 (and if so, when)
Stage 1 is typically conducted remotely (via video call and shared documents), though some certification bodies prefer to conduct it on-site.
What Documents Does the Auditor Review?
Stage 1 Document Readiness Checklist
The core documents your auditor will want to review, and what they're checking for
This varies slightly by certification body, but the core documents the Stage 1 auditor will want to see are:
- The ISMS scope document: What is in scope? What’s excluded and why?
- The information security policy: Does it commit senior management? Does it set a framework for objectives?
- The risk assessment: Is there a defined methodology? Has it been applied consistently? Are risks assessed against documented criteria?
- The Statement of Applicability (SoA): Are all 93 Annex A controls referenced? Are exclusions justified? Are the included controls traceable to the risk assessment?
- The risk treatment plan: Are risks above the acceptance threshold being addressed?
- Management review records: Has at least one management review been conducted? Is it documented?
- Internal audit records: Has at least one internal audit been conducted? Are findings documented?
- Key policies: Information security policy, acceptable use, access control, incident response, and any other policies relevant to the scope
- Organisational information: An overview of the organisation, its context, and the interested parties that affect the ISMS
Some auditors will also ask for staff training records, your asset register, and evidence of defined roles and responsibilities.
You’ll notice that these are pretty much the key outputs of Clauses 4 to 10 in ISO 27001, which is why they’re often referred to as the “mandatory ISO 27001 documents”.
All of which I give you in my free template toolkit.
How to Prepare: A Practical Checklist
Documentation
Work through these before your Stage 1 date:
☐ ISMS scope: Written, clear, and approved. Includes what’s in scope, what’s excluded, and the interfaces/dependencies with out-of-scope areas.
☐ Information security policy: High-level, signed by senior management, includes commitment to continual improvement and compliance.
☐ Risk assessment: Methodology documented, applied consistently, risks scored, reviewed and approved by the appropriate person.
☐ Statement of Applicability: All 93 Annex A controls referenced, included/excluded decisions documented with justifications, linked to risk treatment.
☐ Risk treatment plan: Actions documented for all risks above threshold, with owners and target dates.
☐ Policies suite: Key supporting policies in place (acceptable use, access control, incident response, remote working, password, supplier security, clean desk, data classification).
☐ Roles and responsibilities: Defined and documented. Who is responsible for information security? Who is the management representative?
☐ Internal audit: At least one internal audit conducted and documented, covering key ISMS clauses and controls.
☐ Management review: At least one management review conducted, with minutes that cover the required agenda items from Clause 9.3.
☐ Document control: All documents have version numbers, review dates, and approval records.
Logistics
☐ Confirm the Stage 1 date, time, and format (remote or on-site) with your certification body
☐ Identify who from your organisation will attend: typically the project lead plus the most senior person responsible for the ISMS
☐ Organise your documents so you can share them quickly during the audit (a shared folder structure works well)
☐ Brief senior management on what to expect, since auditors sometimes ask leadership questions directly
☐ Know your own scope and be prepared to explain why it’s drawn where it is
What the Auditor Is Really Looking For
Beyond the document checklist, experienced auditors are looking for a few things that less experienced organisations miss:
Coherence between documents. Your risk assessment, your Statement of Applicability, and your risk treatment plan should tell a consistent story. If your SoA includes a control that has no corresponding risk in your risk assessment, the auditor will ask why.
Evidence of senior management involvement. Is the information security policy genuinely signed off by the right person? Are management review minutes substantive, or do they look like they were written by one person to satisfy a checkbox?
A scope that makes sense for your business. Auditors sometimes see scopes that are either unrealistically narrow (suggesting the organisation is trying to game the process) or poorly defined (suggesting they haven’t thought it through). Be prepared to explain your scope rationale.
Signs that the ISMS is operational. Even at Stage 1, auditors look for early signs that the system is live, not just documented. Internal audit and management review records are the clearest evidence of this.
A risk assessment that reflects real thought. A risk assessment in which every risk is scored exactly the same, or in which all risks happen to fall just below the acceptance threshold, will draw scrutiny.
The Three Documents That Must Align
Your Risk Assessment, Statement of Applicability, and Risk Treatment Plan tell one connected story, and auditors will check they're consistent. The risk assessment drives control selection in the Statement of Applicability and the treatment actions in the Risk Treatment Plan, and all three must stay consistent with each other.
Risk Assessment
Identifies your information security risks, scores them for likelihood and impact, and determines which require treatment.
- Lists every identified risk
- Links each risk to an asset
- Scores each risk consistently
- Documents acceptance criteria
- Signed off by management
Statement of Applicability
References all 93 Annex A controls and records which are included, which are excluded, and why.
- All 93 controls referenced
- Inclusions linked to risk assessment
- Exclusions have written justifications
Risk Treatment Plan
Documents what actions will be taken for each risk above the acceptance threshold.
- Action for every treated risk
- Named owner per action
- Target completion dates
Stage 1 Outputs and Findings
At the end of Stage 1, the auditor will produce a report. This will typically include:
- A readiness assessment: a statement of whether the organisation is ready to proceed to Stage 2 and, if so, a recommended timeframe
- Observations: areas where documentation is unclear, incomplete, or inconsistent that should be addressed before Stage 2 (these are not formal nonconformities but are things you should fix)
- Minor or major nonconformities: if significant issues are found, the auditor may raise formal nonconformities. Major nonconformities at Stage 1 are unusual but do happen if the fundamental ISMS design is flawed.
The gap between Stage 1 and Stage 2 is typically two to six weeks. Use this time to address any observations and make sure your evidence is in order for Stage 2.
Common Stage 1 Findings (and How to Avoid Them)
Incomplete Statement of Applicability. All 93 controls must be referenced, with a clear included/excluded decision and a rationale for each exclusion. Missing controls or unexplained exclusions are the most common Stage 1 finding.
Risk assessment and SoA don’t align. If a control is included in the SoA but there’s no corresponding risk in the risk register, or a significant risk exists with no corresponding control, the auditor will flag it.
Management review hasn’t happened. Or the minutes are thin: a one-line note that a meeting occurred isn’t sufficient. Management review minutes should cover the specific inputs required by Clause 9.3 (audit results, incidents, risk assessment status, objectives progress, etc.).
Scope is poorly defined. Vague language about what’s in scope creates problems. Name the specific services, systems, locations, or business functions covered.
No documented internal audit. The internal audit must be documented: who conducted it, what was covered, what was found, and what’s being done about findings.
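The cross-document checks described above (coherence between the risk assessment, SoA and treatment plan; the "three documents that must align"; and the common findings of an incomplete SoA, unjustified exclusions, SoA/risk-register mismatches and mechanical-looking scoring) are simple enough to automate as a pre-Stage 1 self-check. The script below is an added example, not code from the original article or its template toolkit. The dataclasses, field names, the 1-5 likelihood/impact scale, the acceptance threshold of 12 and the sample risks, controls and actions are all constructed assumptions; the "just below threshold" band of 2 points is an assumed heuristic. The Annex A numbering it generates (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34) is the ISO 27001:2022 structure, giving the 93 controls the article refers to.

```python
from dataclasses import dataclass

# ISO 27001:2022 Annex A numbering: 5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34 (93 controls in total).
ANNEX_A_IDS = [f"{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
               for n in range(1, count + 1)]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    likelihood: int   # assumed 1-5 scale
    impact: int       # assumed 1-5 scale
    controls: tuple   # Annex A control ids selected to treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    included: bool
    justification: str = ""   # must be non-empty when the control is excluded


@dataclass(frozen=True)
class Action:
    risk_id: str
    description: str
    owner: str = ""
    target_date: str = ""     # ISO date string, e.g. "2025-06-30"


def check_alignment(risks, soa, plan, threshold):
    """Return the consistency findings an auditor would raise; empty means aligned."""
    findings = []
    soa_by_id = {e.control_id: e for e in soa}

    # SoA completeness: every Annex A control needs an include/exclude decision.
    missing = [c for c in ANNEX_A_IDS if c not in soa_by_id]
    if missing:
        findings.append(f"SoA: {len(missing)} of 93 Annex A controls not referenced: {missing}")

    # Every exclusion needs a written justification.
    for e in soa:
        if not e.included and not e.justification.strip():
            findings.append(f"SoA: control {e.control_id} excluded without justification")

    # Included controls must trace back to at least one risk in the register...
    selected = {c for r in risks for c in r.controls}
    for e in soa:
        if e.included and e.control_id not in selected:
            findings.append(f"SoA: control {e.control_id} included but no risk selects it")

    # ...and a risk cannot rely on a control the SoA omits or excludes.
    for r in risks:
        for c in r.controls:
            if c not in soa_by_id or not soa_by_id[c].included:
                findings.append(f"Risk {r.risk_id}: relies on control {c} not included in the SoA")

    # Every risk above the acceptance threshold needs an action with an owner and a target date.
    actions = {}
    for a in plan:
        actions.setdefault(a.risk_id, []).append(a)
    for r in risks:
        if r.score <= threshold:
            continue
        if r.risk_id not in actions:
            findings.append(f"RTP: risk {r.risk_id} (score {r.score} > {threshold}) has no treatment action")
        for a in actions.get(r.risk_id, []):
            for field_name in ("owner", "target_date"):
                if not getattr(a, field_name):
                    findings.append(f"RTP: action for {r.risk_id} has no {field_name}")

    # Scoring that looks mechanical draws scrutiny: identical scores everywhere, or every risk
    # landing at or just under the threshold (assumed band: within 2 points of it).
    scores = [r.score for r in risks]
    if len(scores) > 1 and len(set(scores)) == 1:
        findings.append("RA: every risk has the same score; scoring looks mechanical")
    if scores and all(threshold - 2 <= s <= threshold for s in scores):
        findings.append("RA: every risk sits just below the acceptance threshold")
    return findings


def sample_documents():
    """Constructed sample ISMS with deliberate gaps; not data from any real organisation."""
    threshold = 12
    risks = [
        Risk("R1", "Customer database", 4, 5, ("5.15", "8.5")),        # 20: treated properly
        Risk("R2", "Staff laptops", 3, 4, ("7.9", "8.1")),             # 12: at threshold, accepted
        Risk("R3", "Backup media", 2, 3, ("8.13",)),                   # 6
        Risk("R4", "Payroll SaaS provider", 5, 4, ("5.19", "5.20")),   # 20: action has no owner
        Risk("R5", "Office Wi-Fi", 3, 3, ("8.15",)),                   # 9
    ]
    included = {"5.15", "8.5", "7.9", "8.1", "8.13", "5.19", "8.15", "8.9"}   # 8.9: no risk behind it
    # 8.34 is deliberately left out of the SoA, and 6.7 is excluded without a justification.
    soa = [SoaEntry(c, c in included, "" if c in included or c == "6.7" else "Not applicable to sample scope")
           for c in ANNEX_A_IDS if c != "8.34"]
    plan = [
        Action("R1", "Encrypt at rest; restrict access to named roles", "DBA lead", "2025-06-30"),
        Action("R4", "Add security clauses to the supplier contract", "", "2025-05-31"),
    ]
    return risks, soa, plan, threshold
```

Running `check_alignment(*sample_documents())` on the constructed sample returns five findings, one for each gap planted in it: the control missing from the SoA, the exclusion with no justification, the included control that no risk selects, the risk that relies on an excluded control, and the treatment action with no owner. Each of those maps directly onto one of the common Stage 1 findings above; in practice you would load your own register and SoA (for example from the spreadsheet export) into these structures and expect an empty list before booking the audit date.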
After Stage 1: Getting Ready for Stage 2
Once Stage 1 is complete and you’ve addressed the auditor’s observations, the focus shifts to Stage 2, the evidence review.
At Stage 2, the auditor will want to see that your controls are actually operating, not just documented. Read the guide to preparing for Stage 2 here.
Useful Resources
- ISO 27001 mandatory documents: what you need
- Statement of Applicability guide
- How to create a risk treatment plan
- ISO 27001 internal audit guide
- ISO 27001 certification process overview
FAQs
How long does an ISO 27001 Stage 1 audit take?
For most small and medium-sized organisations, Stage 1 takes one to two days. It’s primarily a document review: the auditor works through your core ISMS documentation and raises any gaps or inconsistencies they find. Larger organisations with more complex scope may need slightly longer, but Stage 1 is almost always shorter than Stage 2.
Can you fail a Stage 1 audit?
Not in the way most people fear. Stage 1 is designed as a readiness check, not a pass-or-fail gate. The most likely outcome is a list of observations (things to address before Stage 2), which is perfectly normal and expected. A true failure at Stage 1 (where the auditor says you’re not ready to proceed) is rare, and usually only happens when the fundamental ISMS design is significantly flawed. The more common problem is going in with incomplete documentation and needing to reschedule Stage 2 further out than planned.
Do you need to have all your controls fully implemented before Stage 1?
No; that’s what Stage 2 is for. At Stage 1, the auditor is checking that your ISMS is designed correctly, your documentation is in place, and you have a credible plan. You do need your internal audit and management review completed before Stage 1, but you don’t need to show that every Annex A control is fully operational. Save that evidence for Stage 2.
How much time should you leave between Stage 1 and Stage 2?
Around six weeks is typical. You need enough time to read the Stage 1 report carefully, address any observations the auditor raised, and make sure your evidence is organised and ready. Compressing this gap too tightly is a common mistake: if Stage 1 throws up more observations than expected, you’ll want breathing room to fix them properly rather than rushing into Stage 2.
What happens if the auditor finds a major nonconformity at Stage 1?
Major nonconformities at Stage 1 are uncommon but do happen, usually when something fundamental is missing, such as no risk assessment methodology, a scope that makes no sense, or an SoA that hasn’t been completed. If one is raised, Stage 2 will be delayed until the issue is resolved and evidence of the fix is reviewed. The auditor will tell you what needs to be addressed and typically allow a defined period to close it before rescheduling. It’s a setback, not the end of the road.