Skip to main content

Stage 1 tested whether the ISMS was designed. Stage 2 tests whether it works.

The gap in effort between the two is larger than most organisations expect. Stage 1 evaluated documentation. Stage 2 samples records, interviews staff, walks physical sites, tests operational controls, and probes whether the system that exists on paper is the system that actually runs the business. The auditor spends three to seven days doing this, and what they conclude decides whether certification happens.

This piece walks through what happens across those days, what to have ready, and where organisations most often trip. It is the second piece in the Audit Day series, following ISO 27001 Stage 1.

Key takeaways

  • Stage 2 tests operational reality, not documentation. Controls that look complete on paper but are not being run will surface.
  • The auditor spends most of the audit gathering objective evidence through record sampling, staff interviews, and observation. Prepare people, not just files.
  • Nonconformities are graded. A minor NC is manageable through corrective action. A major NC blocks or complicates certification and often triggers a follow-up audit.
  • The single most common Stage 2 finding is a control that was closed at Stage 1 but has since drifted. Between Stage 1 and Stage 2, the ISMS has to keep running.
  • Success at Stage 2 is a written recommendation to the certification body for certification, with any nonconformities being ones the organisation can credibly close inside the follow-up window.

What the Stage 2 auditor is actually doing

Stage 2 follows a predictable structure over its three to seven days. The elements are:

Opening meeting. The auditor confirms the scope, the audit plan, the sampling approach, and any updates since Stage 1. This is where any closed Stage 1 Areas of Concern are verified. If a closed AOC has re-opened or was closed on paper only, it is raised again as a Stage 2 finding.

Evidence gathering. The bulk of the audit. The auditor moves through the ISMS scope, requesting evidence for each clause and each applicable Annex A control. Evidence takes three forms: documented records (change logs, access reviews, training completion, incident tickets), observation (physical walkthroughs, access to systems), and interviews with the people who run the controls.

Interviews. Anyone the auditor believes will give them a useful signal about how a control operates in practice. Top management gets asked about leadership commitment and resource decisions. The ISMS lead answers on programme structure. Operational staff answer on day-to-day execution. Ordinary users answer on awareness training. Interviews are usually short and conversational, but the auditor is triangulating what people say against what documents claim.

Closing meeting. The auditor presents findings before leaving site. Nonconformities are described, not softened. Observations and Opportunities for Improvement are noted separately. This is where you learn whether the recommendation is positive, positive with conditions, or negative.

Audit report. A draft report follows within a few days, with a final report shortly after. This is what the certification body’s certification committee uses to make the certification decision.

What Stage 2 tests that Stage 1 did not

Stage 2’s objective is to demonstrate that the ISMS is effective, not just complete. In practice, this means the auditor is looking for evidence of:

  • Consistent application. Controls that operate the same way in every relevant instance. Access reviews conducted quarterly should have four quarterly outputs, not three completed and one skipped.
  • Awareness in practice. Staff who can describe, in their own words, what to do in the situations the ISMS covers. Not who can recite policy titles, but who know the actions.
  • Change management holding up. Since Stage 1, real changes will have happened: new joiners, leavers, product changes, supplier changes. The ISMS should have absorbed them. If any of them are invisible to the ISMS records, the ISMS is not running.
  • Incident handling that works. Any incident since implementation should have followed the documented incident response process, produced the documented outputs, and fed back into the risk assessment or control design where relevant.
  • Supplier assurance in motion. The suppliers listed at Stage 1 should still be listed, still be assessed, and still be monitored. New suppliers since Stage 1 should have been onboarded through the documented process.
  • Corrective action closing to evidence. Any nonconformity from internal audits or previous events should be closed with evidence, not with a status of “closed” and no verification.

The auditor’s job during Stage 2 is to test each of these systematically. Yours is to demonstrate them.

The specific evidence auditors usually sample

At most Stage 2 audits, the following records are requested and reviewed against a sample of activity since ISMS implementation (or since the last surveillance for recertifications):

  • Access provisioning and de-provisioning for a sample of joiners, movers, and leavers.
  • Change records for a sample of infrastructure and application changes.
  • Incident tickets with post-incident reviews for a sample of security events.
  • Vulnerability scan outputs and patch application records for the period.
  • Backup completion records and at least one restore test.
  • Vendor onboarding and periodic review records for a sample of suppliers.
  • Awareness training completion for a sample of staff, including any deliverables staff produce as evidence of training understanding.
  • Risk assessment reviews, with evidence of when they were reviewed and what changed.
  • Management review minutes, decisions, and follow-up actions.
  • Internal audit reports since ISMS implementation, with findings tracked to closure.
  • Physical access logs and visitor management records for sampled dates.

If any category is missing entirely, that is not a sampling issue. That is a control that has not been operating.

The single most common Stage 2 pitfall

The organisation passes Stage 1 in April. Everyone breathes out. Stage 2 is in July.

Between April and July, the ISMS quietly drifts. Access reviews were skipped for a quarter because the person who ran them left. The risk register has not been reviewed since Stage 1. Two suppliers were added without being run through the assurance process. An incident happened and was resolved technically but never logged through the ISMS incident process. The internal audit programme has slipped by six weeks.

None of this is dramatic. All of it is normal for a management system without owners paying attention. And every one of these gaps becomes a Stage 2 finding.

The single most reliable Stage 2 preparation activity is not additional documentation. It is treating the Stage 1 to Stage 2 gap as a real operating period for the ISMS, not a preparation window. Run the controls. Complete the reviews. Log the incidents. Populate the records the way you will need them to be populated at the next surveillance audit as well. This is what “the ISMS is alive” means to a Stage 2 auditor.

Findings and what they mean

Stage 2 outputs three types of finding.

Opportunities for Improvement (OFIs). Not nonconformities. Suggestions the auditor considers useful. No mandatory corrective action, but repeated ignoring of OFIs across audit cycles tends to become the observation that “the organisation is not treating audit feedback as a source of improvement.”

Minor nonconformities. A single instance of noncompliance, or a control operating imperfectly in a way that does not compromise the ISMS as a whole. Corrective action plan required, typically within 30 to 90 days depending on the certification body. Certification usually proceeds while corrective action is underway.

Major nonconformities. A systemic failure (the same problem in multiple places), a required element entirely absent, evidence a control is ineffective in principle, unresolved minor NCs from previous audits, or a documented management system that clearly does not describe what the organisation does. Certification does not proceed until majors are closed and verified, which usually means a follow-up audit and additional cost.

The distinction matters. A single missing access review is a minor. Ten missing access reviews across departments is a major. A single unclosed corrective action from the previous audit is often a major on its own, because it signals that the improvement cycle is broken.

A practical pre-Stage 2 checklist

In the two to four weeks before Stage 2:

  • Verify that every Stage 1 Area of Concern is closed with evidence, not just marked closed.
  • Run a light internal audit against a sample of your Annex A controls to confirm they are still operating as designed.
  • Confirm your risk register, Statement of Applicability, and risk treatment plan have been updated to reflect anything that has changed since Stage 1.
  • Verify all supplier reviews scheduled to have occurred have occurred, with documented outcomes.
  • Confirm access review, vulnerability management, patching, and monitoring records are complete for the period since Stage 1.
  • Book time with the people the auditor is likely to interview (top management, HR, IT operations, DPO, procurement) so they are available and briefed on what to expect.
  • Review the Stage 2 audit plan the certification body sends and make sure every listed area has an owner who can present evidence.
  • Brief the reception, facilities, and any staff whose day the auditor will disrupt.

The Axlio Method at Stage 2

Stage 2 is a full test of the Assure step of the Axlio Method. By Stage 2, Understand, Assess, Prioritise, and Implement have all had their run. Assure is what Stage 2 tests. Improve is what happens with the findings.

If Stage 2 produces findings that surprise the organisation, the honest response is not to defend the finding but to identify which of the earlier steps was too thin. A missing supplier review usually points to Implement having been rushed. A pattern of missed access reviews points to ownership never being pinned down at the Prioritise step. Findings are diagnostic. Treat them as such.

Closing

Stage 2 done well is uneventful. The auditor asks; you produce; they see enough to conclude that the ISMS is real; findings are limited to genuine improvement opportunities and closable minors. The certification body issues the certificate. The organisation moves into its surveillance cycle.

Stage 2 done poorly is where certification cycles slip, budgets get spent on follow-up audits nobody planned for, and the client’s confidence in the ISMS quietly erodes. Every one of those outcomes is avoidable with a live ISMS between Stage 1 and Stage 2, a clean-up pass in the fortnight before the audit, and a set of prepared owners for each area the auditor will probe.

For support preparing for Stage 2, or for a wider ISO 27001 or audit preparation engagement, get in touch. We have run enough of these that we know exactly which of the checklist items above the client usually thinks are already done, and are not.

Common questions

Can you fail Stage 2?
In practice, yes. If the audit produces one or more major nonconformities that cannot be closed inside the certification body's follow-up window (usually 90 days), the audit does not result in certification and often requires a partial re-audit. Minor nonconformities are usually manageable inside the standard corrective action window and do not by themselves block certification, provided the corrective action is credible.
How long does Stage 2 take?
For an ISMS of moderate scope, three to five audit days is typical. Larger organisations, multi-site scopes, and integrated audits covering several standards run longer. The certification body will confirm the audit duration during Stage 1 planning. If the number surprises you, ask which control areas are driving it.
What is the difference between a minor and a major nonconformity?
A minor NC is a single instance where a control was not followed correctly, or a piece of evidence was missing, and the overall system is otherwise sound. A major NC is either a systemic failure (the same issue in multiple places), absence of a required element (a whole clause or control not implemented), evidence that a control is ineffective in principle, or unresolved minor NCs from a previous audit. Majors block or complicate certification. Minors are managed through corrective action inside the normal window.
Who will the auditor interview?
Anyone the auditor believes will give them the best evidence for a control's effectiveness. Typically that includes top management (leadership commitment), the ISMS manager or CISO, IT operations leads, HR (for onboarding and offboarding), procurement or vendor managers (for supplier assurance), the DPO or privacy lead where relevant, and a sample of ordinary staff to test awareness. The list is not fixed and the auditor may add or substitute based on what they find.
What happens after Stage 2?
The auditor issues a written report with any nonconformities and observations, and a recommendation to the certification body's certification committee. If the recommendation is positive and any minor NCs are addressed, the certificate is issued shortly after. If majors are open, a follow-up audit is scheduled to verify closure before the certificate can be issued.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk