Stage 2 is where the ISMS is tested against real evidence. Most organisations underestimate what auditors are actually looking for. Stage 1 is a documentation review. Stage 2 is an operational audit. The distinction matters because what gets you through Stage 1 is not what gets you through Stage 2.

What Stage 2 actually tests

The Stage 2 auditor is verifying that the ISMS is implemented, effective, and embedded in the organisation's operations. That means evidence of the following:

Controls operating. Not just documented. The auditor will sample users, assets, access events, and vendor reviews. Each sample is tested against the control as designed.

Management engaged. Clause 9.3 management review minutes, decisions, and documented actions. Absence of recent management review is a common major nonconformity.

Internal audit completed. Internal audit covering all clauses and applicable Annex A controls, with findings logged and actions tracked.

Risk treatment current. Risk assessment updated within the last year, treatment plan reflecting current controls, residual risks accepted by a named owner.

Training evidenced. Awareness records, role-specific training for staff with security responsibilities, evidence of competence where required.

Stage 2 is not an exam. It is an operational check. Auditors sample what happens in practice, not what the policy says should happen.

The top reasons organisations fail

Policies signed but not operated. Risk treatment plan disconnected from actual controls. Internal audit either not done or done too narrowly. Management review held as a meeting but not documented as a Clause 9.3 output. Evidence stored in ten different systems with no clear chain from control to evidence.

What to do in the six weeks before the audit

Confirm that every control in your SoA has a named owner and a documented evidence source. Run a dry-run sample of five Annex A controls — if you cannot produce evidence in fifteen minutes, the auditor will not either, and they will note that. Review the last management review minutes and confirm they meet all nine inputs required by Clause 9.3.2. Close any open internal audit findings. Verify that corrective actions from Stage 1 are documented, approved, and implemented.

One final note on auditor behaviour

Auditors are not trying to fail the organisation. They are trying to verify that the ISMS works. Presenting evidence confidently, acknowledging weaknesses honestly, and showing a credible plan for any gap go further than attempting to paper over problems. Experienced auditors spot papering-over immediately.