ISO 27001
March 2026
Preparing for your ISO 27001 Stage 2 audit: What auditors actually look for
By Swapna De., Managing Director, AuditVantage® GmbH
Stage 2 is where the ISMS is tested against real evidence. Most organisations underestimate what auditors are actually looking for. Stage 1 is a documentation review. Stage 2 is an operational audit. The distinction matters because what gets you through Stage 1 is not what gets you through Stage 2.
What Stage 2 actually tests
The Stage 2 auditor is verifying that the ISMS is implemented, effective, and embedded in the organisation's operations. That means evidence of the following:
Controls operating. Not just documented. The auditor will sample users, assets, access events, and vendor reviews. Each sample is tested against the control as designed.
Management engaged. Clause 9.3 management review minutes, decisions, and documented actions. Absence of recent management review is a common major nonconformity.
Internal audit completed. Internal audit covering all clauses and applicable Annex A controls, with findings logged and actions tracked.
Risk treatment current. Risk assessment reviewed at the planned interval (in practice, within the last year), treatment plan reflecting the controls actually in place, residual risks accepted by a named owner.
Training evidenced. Awareness records, role-specific training for staff with security responsibilities, evidence of competence where required.
Stage 2 is not an exam. It is an operational check. Auditors sample what happens in practice, not what the policy says should happen.
The top reasons organisations fail
Policies signed but not operated.
Risk treatment plan disconnected from the controls actually in place.
Internal audit either not done or scoped too narrowly.
Management review held as a meeting but not documented as a Clause 9.3 output.
Evidence scattered across ten different systems with no clear chain from control to evidence.
What to do in the six weeks before the audit
Confirm that every control in your SoA has a named owner and a documented evidence source.
Run a dry-run sample of five Annex A controls. If you cannot produce the evidence within fifteen minutes, the auditor will not be able to either, and they will note that.
Review the minutes of the last management review and confirm they cover every input listed in Clause 9.3.2.
Close any open internal audit findings.
Verify that corrective actions from Stage 1 are documented, approved, and implemented.
One final note on auditor behaviour
Auditors are not trying to fail the organisation. They are trying to verify that the ISMS works. Presenting evidence confidently, acknowledging weaknesses honestly, and showing a credible plan for any gap goes further than attempting to paper over problems. Experienced auditors spot papering-over immediately.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
What is the difference between Stage 1 and Stage 2?
Stage 1 is a documentation readiness review. The auditor checks that your management system documentation exists, is consistent, and addresses each clause and applicable Annex A control. Stage 2 is the implementation audit. The auditor tests whether the management system actually operates as documented through interviews, evidence sampling, and walk-throughs of your processes. Passing Stage 1 does not predict Stage 2 outcomes if implementation is weak.
How long does a Stage 2 audit take?
Duration depends on certified scope, headcount within scope, number of sites, and complexity of operations. For a small or mid-sized organisation with a single site and a focused scope, two to four audit days is typical. Larger organisations, multi-site operations, and broader scopes increase the duration. The audit plan is agreed in advance with the certification body and aligned to accreditation rules on audit duration.
What most commonly causes a Stage 2 nonconformity?
The most frequent patterns are weak risk-treatment evidence, Statement of Applicability entries that do not reflect actual risk decisions, internal audit programmes that did not meaningfully test the controls they claim to have audited, and management review minutes that record attendance but not decisions. Technical controls themselves rarely cause major nonconformities. Governance and process gaps do.
How do I close a major nonconformity?
A major nonconformity requires a documented corrective action plan with root cause analysis, the specific corrective action taken, evidence that the action has been implemented, and verification that the fix addresses the root cause so the issue does not recur. The certification body verifies closure, often through a focused follow-up audit. The certification decision is held pending closure. Time pressure on closure is real; deadlines are usually weeks, not months.
What evidence does the auditor expect to see?
Documented evidence of how your controls actually operate. Policies are not evidence of operation; records are. The auditor will ask for samples: log entries, access reviews, training completion records, incident handling tickets, internal audit reports, management review minutes, supplier risk assessments. The records must show dates, owners, decisions, and follow-up. Evidence assembled in the week before the audit is visibly different from evidence accumulated through the year.
When does the recertification audit happen?
At the end of the three-year certificate cycle. The recertification audit is broader than a surveillance audit and effectively re-validates the entire management system. It is the right moment to undertake a thorough internal audit beforehand. Recertification audits with significant findings can result in delayed or refused recertification, which means a gap in certified status while issues are remediated.