The ISO 27001 certification is a significant milestone in your organization’s journey toward robust information security management. The Stage I audit is the first formal step in this process. This article will guide you through what to expect during the Stage I audit and how to best prepare for it.
What to expect during the Stage I audit
The Stage 1 audit is often referred to as the "Document Review." During this stage, the auditor's primary focus is to assess whether your organization's Information Security Management System (ISMS) documentation meets the requirements of the ISO 27001 standard. This audit is typically conducted remotely and involves the following key activities:
Stage I – Documentation Review
The auditor will review the scope of your ISMS, the Statement of Applicability (SOA), your internal audit report, your information security policies, risk assessment procedures, manual evidence, and other related documents.
They will check whether your policies, procedures, and controls are aligned with the requirements of ISO 27001.
Evaluation of readiness
The auditor will assess your organization's readiness for the Stage II audit by determining whether your ISMS is in place and operational.
They will provide you with a final audit report listing the non-conformities or potential improvements that must be addressed before moving to Stage II.
💡 Note: The goal of the auditor is to find any non-conformities in your ISMS so you can fix them in time. They're trying to help you build a robust ISMS. It is common to have some non-conformities at this stage. Just make sure to reserve some time to fix them after the audit.
Stage II Planning
Address all non-conformities from the Stage I audit. Make sure to also set your Stage II audit date by this time.
The auditor will discuss and finalize the plan for the Stage II audit, including the timeline, scope, and specific areas to be audited.
How to prepare for the Stage I audit
Preparation is key to a successful audit. Follow these steps to ensure you are well-prepared:
Step 1: Gather and organize documentation
Ensure that all ISMS-related documents are up-to-date, complete, and easily accessible.
This includes the SOA, your internal audit report, your information security policies, risk assessment procedures, and other related documents.
Step 2: Share the SOA with your auditor
Once you've worked on all controls in the SOA and the Frameworks page, make sure to share the SOA with the auditor at least one week before the audit.
Step 3: Prepare your team
Before the audit, the auditor will provide an agenda outlining the topics and controls to be discussed.
Make sure relevant team members know their roles and book the necessary time slots in their calendars. Ensure everyone understands what to expect and their responsibilities.
Step 4: Test your remote setup
Ensure that your technology infrastructure is ready for the remote audit. Test your video conferencing tools, document sharing platforms, and any other necessary software.
If your auditor needs access to Notion, GitHub/GitLab or other tools, ensure the right team members are available during those sessions.
Make sure that you have a stable internet connection and that your team members are comfortable with the remote communication tools.
Book a meeting room with no background noise to ensure a smooth audit.
Step 5: Be prepared to discuss your ISMS
Be ready to explain your ISMS's scope, objectives, and how it is implemented within your organization according to the ISO 27001 controls. You can use the Frameworks page as a cheat sheet to guide you through the evidence you need to show during the audit.
Practice discussing how your organization manages information security risks and how your controls mitigate these risks.
Audit Day Best Practices
Bring At Least Two People: One presents; one handles search and retrieval
Use CISO AI: Your virtual assistant can instantly help you find a specific policy section or piece of manual evidence during the audit
Prepare for Technical Areas, including:
Secure engineering practices
Code reviews and quality assurance
Risk-based vendor management
Common Auditor Expectations
What kind of questions can you expect?
Please show your Information Security Policy (Policy 2)
Where are roles and responsibilities defined?
Be ready to show and explain:
Clarifications on SOA exclusions
How policies are being executed (Stage 2)
Activity logs (e.g., training records, risk review schedules)
Process diagrams are optional. Auditors may request them as suggestions for improvement, not requirements.
Handling Non-Conformities (NCs)
Receiving NCs is a normal part of the audit process.
Internal Audit NCs:
Must be resolved before the external audit begins.
External Audit NCs:
Major NCs: You have up to 30 days post-audit to resolve them
Minor NCs: Address them before the next audit cycle
Audits typically yield 5–15 NCs
You will receive a detailed audit report summarizing each NC
We will support you in addressing NCs.
Remember, you're already on the road to achieving a globally recognized standard for information security, which is a significant achievement in itself. Stay positive, keep focused, and know that you have the skills and knowledge to navigate this process successfully. Everything will be fine!
Frequently Asked Questions (FAQs)
What’s the difference between Stage 1 and Stage 2 of the audit?
Stage 1 is a documentation review, while Stage 2 assesses the implementation of your information security management system (ISMS).
What should I do if I haven’t received the audit agenda?
Reach out to your auditor immediately. The agenda is essential for organizing your evidence and ensuring you have the right team members available at the right time.
How should I prepare for specific clauses like C4–C8?
Review the Statement of Applicability
Check which policies are linked to these clauses in your Frameworks page
Familiarize yourself with where each policy lives in your documentation
What if we receive non-conformities?
It’s completely normal. Address internal audit NCs before the external audit. You’ll have up to 30 days to fix major NCs identified during the external audit, and minor NCs can be resolved by the next cycle.
What is CISO AI and how does it help?
CISO AI is your virtual audit buddy. It can instantly retrieve answers to auditor questions about specific policies, controls, or procedures during your audit session.