The short answer is: it’s not the end-of-the-world event you probably fear. But it might be annoying, potentially expensive, time-consuming, and entirely avoidable with the right preparation.
Here’s what actually happens when a Stage 2 audit doesn’t go to plan — and what I’ve seen first-hand when an organisation pushes into audit before they’re ready.
First, understand what “failing” actually means
There’s no binary pass/fail moment in an ISO 27001 Stage 2 audit, which is what I think a lot of organisations assume and fear. What auditors issue are nonconformities — findings where your ISMS doesn’t meet the requirements of the standard. There are two types, and they have very different consequences.
A minor nonconformity is an isolated gap: a single missing record, a procedure that exists but isn’t being followed consistently, a control that’s implemented but not documented properly. Minor nonconformities are common — most organisations pick up some during Stage 2 — and they don’t prevent certification. You’ll typically have a defined window to provide evidence of corrective action, and once your certification body is satisfied, the certificate is issued without an additional audit visit.
A major nonconformity is a different matter entirely. It indicates a fundamental failure in your ISMS — a required process that’s entirely absent, a systematic breakdown in how controls are implemented, or a complete lack of risk assessment activity. A major nonconformity will put your certification on hold until the issue is fully resolved and verified through a follow-up audit visit.
The other thing worth knowing: multiple minor nonconformities against the same clause can be escalated to a major. Auditors look at the cumulative effect, not just individual findings in isolation.
For example, if you have a risk methodology, a risk log and treatment plans, the risk process looks complete. If any one of those were missing outright, you would be looking at a major nonconformity. But if your auditor found several instances where they don’t match up (missing records, risks with no treatment, and so on), they might conclude that the minor nonconformities add up to evidence that the process isn’t working at all, and raise a major nonconformity in the findings instead.
How long do you get to fix things?
This is where a lot of people assume there’s a fixed rule — there isn’t. Remediation timescales are set by each certification body (CB) at its own discretion. UKAS accredits and oversees certification bodies in the UK, but it doesn’t prescribe specific windows for closing nonconformities. Each CB sets its own policy.
In practice, the industry norm for minor nonconformities is generally 90 days to submit evidence of corrective action, though some bodies operate on shorter timelines. For major nonconformities, a follow-up audit visit is required before certification can proceed — and, depending on your certification body’s availability and the complexity of the issues to be addressed, that could add several months to your timeline.
The cost implications are potentially significant, too.
A follow-up audit visit may mean additional auditor fees on top of what you’ve already paid — and the longer the delay, the more pressure builds on a business that’s likely already committed the certificate to a client, a tender, or a contract.
The practical takeaway: ask your certification body upfront what their specific policy is on remediation windows.
Don’t assume.
What the remediation process looks like
When nonconformities are raised, ISO 27001 Clause 10.1 requires you to respond with a formal corrective action. That means identifying the root cause, implementing a fix, and providing documented evidence that the issue has been resolved. Saying you’ve fixed it isn’t enough — you need to show it.
For minor nonconformities, that evidence is typically reviewed by your certification body without an additional visit. For majors, an auditor returns to verify the remediation — in person or remotely, depending on your CB’s approach.
A case study
In most cases, I get clients to their Stage 2 audit well-prepared, and they sail through. But I want to share a case where that didn’t happen — not because of the programme we ran together, but because the client chose to push ahead against my advice, before we’d even completed it. It still makes my blood run a little cold, and, honestly, I still really don’t understand why they did it. If I had to guess, it was driven by a fear of a senior manager.
This company rushed into its Stage 1 audit, which only checks the mandatory components and confirms whether the client should move on to Stage 2, the audit proper. Although the auditor had significant concerns about their readiness and made clear there was a substantial amount of work still to do, he waved them through to Stage 2. Perhaps this then gave them a false sense of security.
I was watching this with my jaw hanging open, as we’d only covered clauses 4 and 5 at this point in our programme.
Before Stage 2, I conducted their internal audit (quickly). My assessment was that they were around 60% of where they needed to be. I advised them clearly: they weren’t ready, and going into the audit at that point was a risk not worth taking. They made the decision to go ahead anyway.
You can see what’s coming, can’t you? Honestly, I was losing sleep.
The Stage 2 audit raised a significant number of major and minor nonconformities across multiple areas of the ISMS — governance, technical controls, documentation, and operational practice. None of the findings was surprising. They were exactly the kinds of gaps the internal audit had already surfaced.
The result was a delayed certificate, a follow-up audit, additional fees, and a remediation programme carried out under pressure — all of which could have been avoided with another six to eight weeks of preparation.
They did get where they wanted to be in the end, but there’s the ‘easy way’ and the ‘hard way’, and they took the third option.
I tell this story not to dwell on it, but because it illustrates something I see occasionally in this work: timeline pressure leads organisations to make decisions that cost them more in the long run. The internal audit exists precisely to prevent this outcome. When its findings are acted on, it does.
Why organisations end up here
Stage 2 failures almost always come down to one of three things.
The first is timeline pressure. A client contract, a tender deadline, or a board commitment creates pressure to push into audit before the ISMS is genuinely ready. The thinking is often “we’re close enough — the auditor will help us get over the line.” They won’t, and they shouldn’t.
The second is treating Stage 1 as a formality. Stage 1 exists to tell you whether you’re ready for Stage 2. If your Stage 1 auditor raises significant concerns and you proceed anyway, you’re taking a calculated risk that rarely pays off.
The third is an ISMS that looks complete on paper but hasn’t been embedded in practice. Documents exist, but nobody’s following them. Controls are listed in the SoA, but there’s no evidence of implementation. Auditors don’t just read your documentation — they interview staff, observe operations, and look for the reality behind the paperwork.
You really need to run your ISMS for about 3 months if you want to be sure it’s working and to have enough evidence to demonstrate to an auditor from a UKAS-accredited certification body that you are ready.
How to avoid being in this position
The most reliable way to avoid a difficult Stage 2 is to treat your internal audit seriously — as a genuine dress rehearsal, conducted by someone who will give you an honest picture of where you actually are, not where you’d like to be.
Before you book a Stage 2 date, ask yourself:
- Has every major clause of the standard been addressed with documented evidence?
- Have management reviews been conducted formally, with minutes?
- Is the monitoring and measurement framework populated and consistent with your objectives?
- Have all in-scope suppliers been assessed?
- Has the internal audit been conducted by someone independent of the areas being audited?
If the honest answer to any of those is “not quite”, that’s the work to do before you book the audit — not after.
A note on working with a consultant
If you’re approaching Stage 2 and not sure whether you’re genuinely ready, that’s exactly the kind of conversation I have with clients. I’d rather tell you to hold off for six weeks than watch you go into an audit unprepared.
If you’d like an honest assessment of where you stand, book a free discovery call — no obligation, just a straightforward conversation.
I offer internal auditing as a service, too.