How to Prepare for an ISO 27001 Stage 2 Audit

How to prepare for an ISO 27001 Stage 2 audit; what evidence auditors examine, and how to make sure your team is ready on the day.

The Stage 2 audit is the one that matters most. It’s the evidence-based assessment where your auditor moves beyond reviewing documents and starts looking at whether your ISMS is actually operating. Pass Stage 2 and you’re certified. Walk in unprepared and you risk major nonconformities that delay your certificate.

This guide on how to prepare for an ISO 27001 Stage 2 audit tells you exactly what auditors look at in Stage 2, how to prepare your evidence, and how to make sure your team is ready.


What Is the Stage 2 Audit?

The Stage 2 audit is the second and final stage of the ISO 27001 certification process. Where Stage 1 is a documentary review — checking that your ISMS is designed correctly — Stage 2 is an operational review. The auditor is verifying that your ISMS is actually working as documented.

In practical terms, this means the auditor will:

  • Interview key staff to test their understanding of roles and procedures
  • Review records as evidence that your controls are operating
  • Observe processes where relevant
  • Assess whether your documentation matches what’s actually happening
  • Identify any gaps between your policy and your practice

Stage 2 typically takes one to two days for a small organisation, conducted on-site or remotely. The auditor works through your Annex A controls, your clauses, and your Statement of Applicability systematically.


When Should You Schedule Stage 2?

The gap between Stage 1 and Stage 2 should be enough time to:

  • Address any observations raised in the Stage 1 report
  • Generate meaningful evidence of your ISMS in operation

For most organisations, four to eight weeks between Stage 1 and Stage 2 is about right. Any shorter and you risk going into Stage 2 with thin evidence. Any longer and momentum tends to drop.

The key requirement is that by Stage 2 your ISMS must have been operating for a period that allows you to demonstrate it — which means at minimum:

  • One management review has been held and documented
  • One internal audit has been completed and documented
  • Staff awareness training has been delivered and recorded
  • Your controls are in place and have been in operation for a meaningful period (not activated the day before the audit)

Stage 2 Audit — What Actually Happens

The Stage 2 audit is where your certification body tests whether your ISMS is operating effectively in practice. Here's what to expect from opening meeting to closing statement.

  • Typical duration: 1–3 days
  • Format: On-site or remote
  • Auditor focus: Evidence of operation
  • Output: Certificate or NCRs

Opening Meeting (Morning — Day 1)

Formal start to the audit. The auditor outlines the scope, schedule, and how findings will be communicated. Attendees typically include the ISMS Manager and senior leadership.

  • Auditor does: Confirms scope, introduces audit criteria, sets out the day's programme and communication channels
  • You should: Have the ISMS Manager and a senior leader present. Keep answers factual and concise — don't volunteer information beyond what's asked

Documentation Walkthrough (Morning — Day 1)

The auditor reviews your core ISMS documentation — policies, risk register, SoA, treatment plan — to confirm they're up to date and internally consistent.

  • Auditor does: Cross-checks SoA against risk register; checks policies are approved, dated, and in scope
  • You should: Have all documents version-controlled and accessible. Know where everything is — don't hunt for documents during the audit

Control Sampling & Evidence Testing (Core of the audit)

The bulk of the Stage 2 audit. The auditor samples controls from your SoA — interviewing staff, reviewing records, and testing whether controls are actually operating as documented.

  • Auditor does: Selects controls to test (often risk-weighted), asks for evidence, interviews team members, checks logs and records
  • You should: Have subject matter experts available for each area. Produce evidence promptly — delays create doubt. Answer what you know; say "I'll confirm that" if unsure

Staff Interviews (Throughout the audit)

Auditors speak to staff beyond the ISMS team to test whether security awareness is embedded. They may speak to developers, HR, finance, or operations staff without the ISMS Manager present.

  • Auditor does: Asks staff about their security responsibilities, how they report incidents, and whether they've received training
  • You should: Brief all staff in advance — not on what to say, but on what the audit is and why security awareness matters. Authenticity counts

Auditor Debrief, Internal (End of each day)

The auditor consolidates their notes and prepares findings. This is normal and expected — you may have limited contact with the auditor during this period.

  • Auditor does: Reviews notes, classifies findings (Major NC / Minor NC / OFI), prepares closing statement
  • You should: Be available to answer follow-up questions. Don't read silence as a bad sign — auditors are thorough by nature

Closing Meeting (Final session)

The auditor presents all findings verbally. This is your chance to clarify any factual inaccuracies before findings are formalised in the written report. The auditor will state their certification recommendation.

  • Auditor does: Presents findings, states recommendation (certify / certify with conditions / not certify), explains next steps
  • You should: Listen carefully, take notes, and only challenge factual errors — not audit judgements. A positive recommendation here means you're almost there

Certificate Issued (Typically 2–4 weeks after audit)

If no major nonconformities are raised, the certification body carries out a technical review and issues your ISO 27001:2022 certificate. Minor nonconformities must have a corrective action plan agreed before certificate issue.

  • Auditor does: Submits recommendation to the certification body's review panel; formal certificate issued after internal sign-off
  • You should: Submit corrective action plans for any minor NCs promptly. Prepare to add the certificate to your website, proposals, and security questionnaires

The single most important thing to remember: the Stage 2 auditor is not trying to catch you out — they're trying to determine whether your ISMS is genuine and operational. Calm, well-prepared, and honest is exactly the right approach.

What Evidence Does the Auditor Want to See?

For each area of your ISMS, the auditor will look for evidence that the thing you say you do is actually being done. Here’s what that typically looks like across the key areas:

Management commitment (Clause 5)

  • Signed information security policy, with a recent review date
  • Management review minutes showing senior leadership was genuinely involved
  • Evidence that information security objectives exist and have been communicated

Risk assessment and treatment (Clause 6)

  • A completed risk register with scores and treatment decisions
  • A risk treatment plan with owners and progress against actions
  • Statement of Applicability — completed, linked to the risk assessment, with justified exclusions
  • Evidence that the risk assessment has been reviewed (at least since it was first created)

Operational controls (Clause 8 / Annex A)

For each control you’ve included in your SoA, auditors will look for evidence of it operating. Common areas they test:

  • Access control — evidence that access reviews happen. A log of joiners/movers/leavers. Proof that access is removed promptly when staff leave.
  • Password and authentication — MFA enforcement settings, or records of an access audit. Auditors sometimes ask to see a system’s authentication settings directly.
  • Supplier management — supplier register, evidence of supplier reviews (even an email exchange counts), contracts or terms referencing security obligations.
  • Training and awareness — training records showing who completed what and when. Completion reports from your e-learning platform, or a signed attendance register if you delivered it in-house.
  • Incident management — your incident log. Even if you’ve had no significant incidents, you should have a log showing near-misses or minor events reviewed. An empty incident log with no explanation raises questions.
  • Asset register — complete, with named owners, up to date. Auditors check that the assets listed match reality — they may ask questions about systems you use that aren’t in the register.
  • Physical security — if you have office space, the auditor may ask to see it (or a photo). Clear desk evidence. CCTV records if relevant.
  • Backup — evidence that backups are happening and have been tested. A backup log, or the system report from your backup solution.
  • Patching and vulnerability management — evidence of regular patching. Most organisations show a report from their endpoint management or cloud console.
  • Business continuity — your BCP/DR plan, and ideally evidence of a test or walkthrough.
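
The access control and asset register bullets above describe evidence that auditors ask for (a joiners/movers/leavers log, proof that leavers were deprovisioned promptly, no stale accounts). The script below is an added example, not part of the original guide or any product it describes, showing how a small team can derive that evidence from records it already holds: an HR leavers export, an identity-provider audit log, and a current account export. All three inputs are constructed sample CSVs, the column names are assumptions, and the five-working-day SLA is a placeholder for whatever your leaver procedure actually states.

```python
"""Leaver deprovisioning evidence check (added example, not from the guide).

Assumptions (not stated on the page): the HR leavers export, the identity
provider audit log and the account export are CSV text with the columns used
in the constructed samples below. The SLA of 5 working days is a placeholder.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample: HR record of people who left and their last working day.
HR_LEAVERS_CSV = """user,leave_date
alice,2024-03-01
bob,2024-03-08
carol,2024-03-15
dave,2024-03-20
"""

# Constructed sample: identity-provider audit log (only disable events matter here).
IDP_AUDIT_CSV = """timestamp,event,user,actor
2024-03-01,account.disabled,alice,it-admin
2024-03-18,account.disabled,bob,it-admin
2024-03-15,account.disabled,carol,it-admin
2024-03-19,account.created,frank,it-admin
"""

# Constructed sample: current account status export from the directory.
ACTIVE_ACCOUNTS_CSV = """user,status
alice,disabled
bob,disabled
carol,disabled
dave,active
erin,active
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def working_days_between(start, end):
    """Count Mon-Fri days after `start` up to and including `end` (0 if end <= start)."""
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days += 1
    return days


def check_leaver_deprovisioning(hr_csv, audit_csv, accounts_csv, sla_working_days=5):
    """Return one result per leaver: whether their account was disabled, how many
    working days it took relative to the leave date, and whether it is still active."""
    leavers = {r["user"]: date.fromisoformat(r["leave_date"]) for r in parse_csv(hr_csv)}

    # Earliest disable event per user from the audit log.
    disabled_on = {}
    for r in parse_csv(audit_csv):
        if r["event"] != "account.disabled":
            continue
        when = date.fromisoformat(r["timestamp"])
        if r["user"] not in disabled_on or when < disabled_on[r["user"]]:
            disabled_on[r["user"]] = when

    still_active = {r["user"] for r in parse_csv(accounts_csv) if r["status"] == "active"}

    results = []
    for user, left in sorted(leavers.items()):
        disabled = disabled_on.get(user)
        if disabled is None:
            status, days = "NOT_DISABLED", None
        else:
            days = working_days_between(left, disabled)
            status = "WITHIN_SLA" if days <= sla_working_days else "SLA_BREACH"
        results.append({"user": user, "leave_date": left.isoformat(), "status": status,
                        "working_days": days, "still_active": user in still_active})
    return results


def summarise(results):
    """Counts per outcome, suitable for the access-review record filed as evidence."""
    counts = {"WITHIN_SLA": 0, "SLA_BREACH": 0, "NOT_DISABLED": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


def evidence_report(results, review_date):
    """Plain-text record of the review: date, per-leaver outcome, and exceptions to action."""
    lines = [f"Leaver deprovisioning review - {review_date.isoformat()}"]
    for r in results:
        flag = " ** STILL ACTIVE **" if r["still_active"] else ""
        lines.append(f"{r['user']}: left {r['leave_date']}, {r['status']}, "
                     f"working days={r['working_days']}{flag}")
    lines.append("Summary: " + ", ".join(f"{k}={v}" for k, v in summarise(results).items()))
    return "\n".join(lines)


if __name__ == "__main__":
    found = check_leaver_deprovisioning(HR_LEAVERS_CSV, IDP_AUDIT_CSV, ACTIVE_ACCOUNTS_CSV)
    print(evidence_report(found, date(2024, 3, 25)))
```

Running it on the sample data produces a dated review record in which two leavers were disabled within the SLA, one was disabled late, and one still has an active account; that record, plus the corrective action raised for the open exception, is exactly the kind of artefact to file under the access control area of your evidence folder. Repeating the run on a schedule (quarterly, say) and retaining each output also gives you the version history that the "evidence of regular review" point calls for.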

Performance evaluation (Clause 9)

  • Internal audit report and any resulting corrective actions
  • Management review minutes (must cover all Clause 9.3 inputs)
  • Corrective action records — showing that findings are tracked and closed

Improvement (Clause 10)

  • Corrective action records — the same ones that feed into management review
  • Evidence that the ISMS is improving — not just static

What Auditors Test — and What Good Evidence Looks Like

Stage 2 auditors sample your controls and look for evidence they're working in practice. Here's what passes scrutiny — and what raises a finding.

Risk Assessment

Strong evidence:
  • Dated, approved risk register with consistent scoring
  • Risk treatment plan linked to risk IDs
  • Evidence of regular review (version history)

Weak evidence (raises findings):
  • Risk register undated or not recently reviewed
  • Risks listed but no treatment decisions recorded
  • No clear link between risks and SoA controls

Statement of Applicability

Strong evidence:
  • All 93 controls addressed with clear justifications
  • Exclusions documented and risk-justified
  • Version-controlled and signed off by management

Weak evidence (raises findings):
  • Controls marked applicable with no implementation evidence
  • Exclusions with no documented rationale
  • SoA not linked to actual controls in use

Access Control

Strong evidence:
  • User access review completed within last 6 months
  • Leavers deprovisioned within defined SLA — log evidence
  • MFA enabled on all critical systems

Weak evidence (raises findings):
  • Former employees still have active accounts
  • No record of periodic access reviews
  • Shared or generic login credentials in use

Incident Management

Strong evidence:
  • Incident log with dates, classification, and resolution notes
  • At least one incident worked through documented procedure
  • Post-incident reviews recorded

Weak evidence (raises findings):
  • No incidents ever logged ("we haven't had any")
  • Procedure exists on paper but never tested
  • No evidence staff know how to report incidents

Training & Awareness

Strong evidence:
  • Training completion records for all staff
  • Training content relevant and dated within last 12 months
  • New starter induction includes security awareness

Weak evidence (raises findings):
  • Training done but no records kept
  • Same training delivered 3+ years ago with no refresh
  • Staff unaware of their security responsibilities when asked

Internal Audit

Strong evidence:
  • Completed audit report with findings classified and dated
  • Corrective actions tracked to closure with evidence
  • Auditor independent of the area audited

Weak evidence (raises findings):
  • No internal audit conducted before Stage 2
  • Audit completed but findings not acted upon
  • ISMS Manager audited their own work

Management Review

Strong evidence:
  • Signed minutes covering all Clause 9.3.2 inputs
  • Action log with owners, deadlines, and closure evidence
  • Senior leader attendance confirmed in record

Weak evidence (raises findings):
  • No management review held or no record retained
  • Minutes that simply say "all agreed, no actions"
  • Review held without top management present

Supplier Security

Strong evidence:
  • Supplier register with risk classifications
  • Contracts include information security clauses
  • Evidence of periodic supplier security reviews

Weak evidence (raises findings):
  • No supplier inventory maintained
  • Contracts in place but no security requirements included
  • Critical suppliers never formally assessed

The pattern auditors look for: controls that exist on paper but show no evidence of actually being used. A policy without records is a policy that hasn't been implemented — and that's a finding, not a near miss.

How to Prepare Your Team

The auditor will interview people beyond the ISO 27001 lead. They’ll typically want to speak to:

  • Senior management (to test leadership commitment)
  • Someone from IT or operations (on technical controls)
  • A general member of staff (to test awareness)
  • Potentially a department head or process owner (on supplier management, HR controls, etc.)

Brief everyone before the audit. Staff don’t need to know the standard in detail, but they should:

  • Know that an audit is happening and roughly what it involves
  • Know what the ISMS is and what their responsibilities are
  • Know where to find the information security policy
  • Know what to do if they spot a security incident
  • Know the basics of your key policies (password rules, acceptable use, clear desk)

Auditors are experienced at distinguishing genuine awareness from pre-drilled responses. The goal isn’t to coach staff on what to say — it’s to make sure they genuinely understand what’s expected of them. If your training programme has been effective, this takes care of itself.

Prepare your evidence folder. Organise your evidence so you can retrieve it quickly during the audit. The more time you spend searching for things during the audit, the less time the auditor spends reviewing them. A shared folder structure with clearly labelled subfolders by control or clause area works well.

Stage 2 Audit Readiness Checklist

Use this checklist in the 4–6 weeks before your Stage 2 audit. Items marked Must Have are critical — missing any of these will result in a major nonconformity.

Priority key:
  • Must Have: major NC risk if missing
  • High Priority: minor NC risk if missing
  • Good Practice: strengthens your audit position

Core ISMS Documentation (8 items)

  • [Must Have] Information Security Policy — approved, dated, and communicated
  • [Must Have] Risk Assessment — current, approved, and consistently scored
  • [Must Have] Risk Treatment Plan — linked to risk IDs, with owners and status
  • [Must Have] Statement of Applicability — all 93 controls addressed with justifications
  • [Must Have] ISMS Scope document — formally defined and approved
  • [High Priority] Information security objectives with measurable targets
  • [High Priority] Asset register — up to date and with owners assigned
  • [Good Practice] All policies version-controlled and accessible to relevant staff

People & Awareness (6 items)

  • [Must Have] Security awareness training completed — records retained for all staff
  • [Must Have] Roles and responsibilities documented and communicated
  • [High Priority] New starter security induction process in place
  • [Good Practice] Staff can explain how to report a security incident when asked
  • [High Priority] Leaver process documented — deprovisioning within defined SLA
  • [Good Practice] ISMS owner and top management sponsor clearly identified

Operational Processes & Records (8 items)

  • [Must Have] Internal audit completed — report issued, findings classified
  • [Must Have] Management review held — signed minutes and action log retained
  • [Must Have] Incident log maintained — at least some incidents or near-misses recorded
  • [High Priority] Corrective actions from internal audit — tracked and evidenced
  • [High Priority] Supplier register — critical suppliers identified and risk-rated
  • [Good Practice] Business continuity / DR plan documented and tested
  • [Good Practice] Change management process — records of significant changes
  • [Good Practice] Nonconformity register — open issues tracked with owners

Technical Controls & Evidence (6 items)

  • [Must Have] User access review completed within last 6 months — documented
  • [High Priority] MFA enabled on all internet-facing and privileged systems
  • [High Priority] Vulnerability scanning — recent results available and remediation tracked
  • [Good Practice] Patch management — evidence critical patches applied within SLA
  • [Good Practice] Logging and monitoring — active and reviewed regularly
  • [Good Practice] Encryption in use for sensitive data at rest and in transit

Run this checklist 4–6 weeks before your audit — not the night before. Any gaps you find need time to be evidenced, not just fixed. A control implemented the day before an audit without supporting records is almost as weak as one that doesn't exist.

Common Stage 2 Nonconformities (and How to Avoid Them)

Thin or missing operational records. The most common Stage 2 issue. Your policy says you do something (e.g. quarterly access reviews, annual supplier assessments), but there’s no record that you’ve actually done it. If it’s not recorded, it didn’t happen.

Controls not yet implemented. A control is included in the SoA but hasn’t actually been deployed. For example, MFA is listed as an implemented control but screenshots show it’s disabled for some users. Make sure everything in your SoA as “implemented” is actually in operation.

Staff unaware of basic policies. An auditor asks a member of staff what to do if they receive a suspicious email, and the response is a blank look. Your training programme needs to cover the basics and be verifiable.

No evidence of supplier security assessment. You have a supplier list, but no evidence that any of them have been assessed. Even a short email asking a key supplier about their security certifications and keeping the response on file counts as evidence.

Management review too thin. Minutes that say “information security was discussed and everything is fine” aren’t sufficient. The Clause 9.3 inputs must be specifically addressed and decisions documented.

Corrective actions from internal audit not progressed. Your internal audit found three issues. None of them have been addressed or have a plan. This is often raised as a nonconformity.


What Happens After Stage 2?

If Stage 2 passes without major nonconformities, the auditor submits their report to a review panel at the certification body. Assuming the panel approves, you receive your certificate — typically within a few weeks of the final audit.

If minor nonconformities are raised, you’ll have a defined period (usually 60–90 days) to submit evidence of corrective action. Minor nonconformities don’t prevent certification, but they must be closed.

If major nonconformities are raised, certification cannot be granted until they’re fully resolved. This usually means another partial or full Stage 2 visit. Major nonconformities at Stage 2 are relatively unusual if the Stage 1 was handled well, but they do happen if there are significant gaps between documentation and practice.

Read more about how to respond to audit findings and nonconformities.



FAQs

What is the difference between a Stage 1 and Stage 2 audit?

The Stage 1 audit is a readiness review — the auditor checks that your ISMS documentation exists, is complete, and is sufficiently developed to proceed to the full audit. It’s largely a desk review. The Stage 2 audit is where certification is actually determined: the auditor tests whether your controls are genuinely operating in practice by interviewing staff, sampling records, and reviewing evidence of real activity. Passing Stage 1 means you’re ready to be assessed; passing Stage 2 means you’ve earned the certificate.

How long does a Stage 2 audit typically take?

Duration depends on the size and complexity of your organisation and the scope of your ISMS. For a small organisation (under 50 people with a straightforward scope), one to two days is typical. Mid-sized organisations commonly see two to three days. Larger or more complex scopes can run to four or five days. Your certification body will confirm the planned duration in advance — this is set by IAF (International Accreditation Forum) guidelines based on staff headcount and scope. Remote audits have become common since 2020 and are equally valid for certification purposes.

What happens if we get a major nonconformity during Stage 2?

A major nonconformity means certification cannot be recommended until the issue is resolved. You’ll be required to submit a root cause analysis and corrective action plan — typically within 30 days — and the auditor will need to verify that the corrective action has been effectively implemented, often via a follow-up visit or remote review. This doesn’t necessarily mean starting the whole audit process again, but it does delay certification and adds cost. This is why completing a thorough internal audit before Stage 2 is so important — major nonconformities should ideally be found and resolved internally, not by your certification body.

Can we fail the Stage 2 audit entirely?

Yes, though outright failure — where the certification body declines to certify and requires a full repeat audit — is relatively rare. The more common outcome is certification with minor nonconformities that require corrective action plans, or a delay caused by one or two major nonconformities that need to be resolved before the certificate is issued. Organisations that have completed a genuine internal audit, addressed the findings, and held a management review are well-positioned. The most common reason for significant Stage 2 problems is attempting to certify before the ISMS has actually been operating for a meaningful period — typically at least three months of evidenced operation is expected.

Should we brief our staff before the Stage 2 audit — and what should we tell them?

Yes, absolutely — but brief them honestly, not with scripted answers. Auditors are experienced at distinguishing between staff who understand their security responsibilities and staff who have been coached on what to say. Tell your team what the audit is, why it matters, who the auditor is, and that they may be asked about their security awareness, how they report incidents, and how they handle specific types of information. Encourage them to answer honestly and to say “I don’t know” if they’re unsure rather than guessing. Genuine, imperfect answers are far better received than rehearsed ones that unravel under follow-up questions.

Written by Alan Parker

Alan Parker is an ISO 27001 consultant who has helped dozens of UK small businesses achieve certification — often without a dedicated security team or a large budget. With over 30 years in IT governance and qualifications including ITIL v3 Expert, ITIL v4 Bridge, and PRINCE2 Practitioner, Alan writes in plain English for busy teams who need to get things done. Named IT Project Expert of the Year (2024, UK).