ISO 27001 Stage 1: what happens on the day, and what to have ready
The first of a practical series covering each certification audit event we support. Stage 1 is not a rehearsal for Stage 2. It is its own event with its own objectives, and success at Stage 1 sets up success at Stage 2. A walk-through of what the auditor is doing, what documentation to have ready, and where organisations most often trip.
Stage 1 is the audit event that reveals whether the ISMS is real or theoretical.
Stage 2 will test whether the controls actually work. Stage 1 tests whether they are designed, documented, and integrated well enough for that testing to be worth doing. If Stage 1 concludes that the answer is no, Stage 2 does not happen on the planned date. That single fact drives a lot of the anxiety around this event, and most of the anxiety is avoidable if the preparation is right.
This piece walks through what the Stage 1 auditor is actually doing, what documentation you need to have ready, and where most organisations trip. It is the first in a series covering each certification audit event we support, standard by standard. Future pieces will cover ISO 27001 Stage 2, ISO 22301, ISO 42001, ISO 27701, and ISO 9001 equivalents.
Key takeaways
- Stage 1 is a readiness evaluation, not a rehearsal for Stage 2. Treat it as its own audit event.
- The auditor spends most of Stage 1 in your documentation. Have the ISMS design documentation, risk assessment, Statement of Applicability, and internal audit outputs ready to walk through, not to hand over.
- The single most common Stage 1 issue is documentation that exists but cannot be found in the shape the auditor is looking for. Map your existing artefacts to the standard’s clauses before the audit, not during it.
- Areas of Concern raised at Stage 1 become nonconformities at Stage 2 if not addressed. The gap between the two stages is where that work happens.
- Success at Stage 1 is not “no findings.” It is a written recommendation to proceed to Stage 2 on the planned date.
What the Stage 1 auditor is actually doing
ISO/IEC 27001:2022 certification is a two-stage process. Stage 1’s formal objectives, set by the certification body’s accreditation obligations under ISO/IEC 17021-1, are:
- Review the documented information required by the standard, including the ISMS scope, the information security policy, the risk assessment methodology, the risk treatment plan, and the Statement of Applicability.
- Evaluate the organisation’s understanding of the standard’s requirements and the operational context of the ISMS.
- Confirm that the internal audit programme and management review process have been established and are operating.
- Identify any Areas of Concern that would prevent Stage 2 from proceeding, and agree an action plan with the client.
- Establish the plan for Stage 2, including scope, sampling, and any specific areas of focus.
The auditor is not testing operational effectiveness at Stage 1. That is Stage 2’s job. What they are testing is whether the management system, as documented, is coherent, complete, and applied. If the paperwork exists but describes a system nobody runs, Stage 1 catches that quickly.
What documentation to have ready
The mandatory documented information for ISO 27001:2022 is specified across clauses 4 to 10, plus Annex A. In practice, Stage 1 auditors ask for the following, in roughly this order:
- ISMS scope statement (Clause 4.3). One page or less. Names what is in and out of scope, with justification.
- Information security policy (Clause 5.2). Approved by top management, communicated, and reviewed.
- Information security roles and responsibilities (Clause 5.3). Named roles, not just committee references.
- Risk assessment methodology (Clause 6.1.2). How risks are identified, analysed, and evaluated. Repeatable.
- Risk register / risk assessment results (Clause 6.1.2). The output of applying the methodology.
- Risk treatment plan (Clause 6.1.3). What is being done about the risks, by whom, by when.
- Statement of Applicability (Clause 6.1.3). Every Annex A control, either applicable (with justification and implementation status) or excluded (with justification).
- Information security objectives (Clause 6.2). Measurable, not aspirational.
- Competence, awareness, and training records (Clauses 7.2 and 7.3).
- Internal audit programme and reports (Clause 9.2). See our note on Clause 9.2 internal audits for what an auditor looks for.
- Management review inputs and outputs (Clause 9.3). Minutes, decisions, actions, verified closure.
- Nonconformity and corrective action records (Clause 10.2). Findings from any source, tracked to closure with verification.
If any of these is missing, Stage 1 raises an Area of Concern at minimum. If several are missing, Stage 1 will conclude that the ISMS is not ready.
The naming mismatch trap
The single most common preventable Stage 1 finding is not that documentation does not exist. It is that documentation exists under a name the auditor cannot find.
The classic example: the auditor asks to see the Acceptable Use Policy. The organisation has covered acceptable use inside a broader Code of Conduct. The content is fine. The mapping is not. The auditor makes a note that they could not locate an Acceptable Use Policy. If it is not resolved before Stage 2, the Stage 2 auditor makes the same note and it becomes a nonconformity for missing documented information.
The fix is small and cheap: map your ISMS documentation to the standard’s clauses and Annex A controls before Stage 1. Where a single document covers multiple requirements, say so explicitly. Where the auditor’s language differs from your internal language, add a cross-reference. Aim for zero moments where the auditor cannot find something and the answer is “actually that is in another document under a different name.”
This is not about renaming your documents. It is about making sure the auditor can trace their checklist to your artefacts without your intervention.
What “passing” Stage 1 looks like
The Stage 1 output is a written report from the certification body. It typically contains:
- A recommendation to proceed to Stage 2 on the planned date, proceed to Stage 2 subject to specific actions, or defer Stage 2 pending significant work.
- A list of Areas of Concern or observations that must be addressed before Stage 2, together with any specific evidence required to demonstrate closure.
- The plan for Stage 2, including duration, sampling, and any areas the Stage 1 review identified as needing particular attention.
Success is the first outcome: a clean recommendation to proceed. The second outcome is normal and manageable if the AOCs are specific and closable inside the gap. The third outcome is uncommon for organisations that have done real preparation, and it usually indicates that the ISMS is genuinely not yet ready rather than a paperwork issue.
The gap between Stage 1 and Stage 2 is where the AOCs get closed. Use it. The Stage 2 auditor will explicitly check for closure of Stage 1 findings during their audit.
A practical pre-Stage 1 checklist
Two weeks before Stage 1, the following should be true:
- Every mandatory documented information item in the list above exists, is current, and is accessible to the auditor.
- The ISMS scope statement matches the reality of the organisation’s operations.
- The Statement of Applicability is complete for every Annex A control, with justification for included and excluded controls, and implementation status for included ones.
- At least one full internal audit cycle has been completed across the ISMS scope, with findings recorded and closed or being closed.
- At least one management review has taken place, with documented inputs and outputs including decisions and actions.
- A named person owns each area of the ISMS the auditor is likely to probe, and that person is available during the audit window.
- A single index or map of ISMS documentation exists, with cross-references to the standard’s clauses and to the Annex A controls, so the auditor never has to guess where something lives.
If any of the above is not true, address it before Stage 1. Almost none of it can be built during Stage 1 without producing exactly the kind of finding you are trying to avoid.
The Axlio Method at Stage 1
Stage 1 sits inside the Assure step of the Axlio Method. By this point in an implementation, Understand, Assess, Prioritise, and Implement have already happened. Stage 1 is the first independent test that the design is coherent and the implementation is real. If Stage 1 raises significant issues, that usually means one of the earlier steps was rushed, and the appropriate response is to loop back to the step that was rushed rather than to patch documentation for Stage 2.
Independence discipline applies here too. Where we deliver ISO 27001 implementations, we do not sit both sides of the audit. Certification is done by a separate accredited certification body. Our role is to make sure Stage 1 goes well, not to grade it.
Closing
Stage 1 done well is boring. The auditor asks for documented information; you produce it; they see how it fits together; they write a report recommending Stage 2. Nothing dramatic happens. That is the goal.
Stage 1 done poorly is where certification cycles slip by three to six months, budgets get spent on remediation nobody planned for, and the client’s confidence in the ISMS quietly erodes. Every one of those outcomes is avoidable with two weeks of focused preparation and a good documentation map.
For support preparing for a Stage 1 audit, or for a wider ISO 27001 or audit preparation engagement, get in touch. We work through the checklist above with clients as a matter of routine, and Stage 1 usually feels smaller than they were expecting by the time it arrives.
