What is a Stage 1 and Stage 2 Audit?
Stage 1 and Stage 2 are the two parts of an initial ISO/IEC 27001 certification audit. Stage 1 is a documentation and readiness review -- the auditor checks your ISMS documents (scope, policies, SoA, risk assessment) and readiness for Stage 2. Stage 2 is the main on-site or remote audit verifying that controls are actually implemented and effective.
Certification is a two-stage process performed by an accredited certification body. In Stage 1, the auditor reviews your mandatory documentation -- ISMS scope, policies, risk assessment, risk treatment plan, Statement of Applicability, internal audit, and management review records -- to confirm the ISMS is designed correctly and you are ready to proceed. Any gaps found are flagged so you can close them before the more rigorous Stage 2.
In Stage 2, the auditor gathers evidence that the controls described on paper are operating in practice: interviewing staff, sampling records, and testing whether what the documents claim actually happens. If the auditor finds nonconformities, you address them through corrective action before the certificate is issued.
Because Stage 1 is largely a documentation check, having a complete, consistent document set is the fastest way to pass it cleanly -- which is exactly what a well-structured template pack provides. The documents get you through the readiness review faster, but Stage 2 success depends on controls genuinely running and producing evidence; templates accelerate documentation, they do not substitute for an operating ISMS.
Related terms: Surveillance Audit · Statement of Applicability (SoA) · Internal Audit · Corrective Action
Frequently asked questions
- What is the difference between a Stage 1 and Stage 2 audit?
- Stage 1 is a documentation and readiness review that checks whether your ISMS is designed correctly and ready to be audited; Stage 2 is the full evidence-gathering audit that verifies the controls are actually implemented and effective.
- How long is the gap between Stage 1 and Stage 2?
- It varies, but typically a few weeks to a couple of months -- enough time to close any gaps the auditor identified in Stage 1. The certification body schedules Stage 2 once you confirm readiness.
- What happens if the auditor finds nonconformities at Stage 2?
- You address them through corrective action. Minor nonconformities usually require a documented plan, while major ones must be resolved (and sometimes re-verified) before the certificate can be issued.
Toolkits that cover the Stage 1 and Stage 2 Audit
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
ISO 27001 + SOC 2 Dual Toolkit
47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
