Stage 1 is the audit most organisations misunderstand. Teams either over-prepare, treating it like the full certification assessment, or under-prepare, assuming it is a paperwork formality. It is neither. Stage 1 is a readiness review: the certification body is deciding whether your Information Security Management System is sufficiently designed and established for a full Stage 2 assessment to be worthwhile. Understanding what the auditor is there to do is most of the preparation.
The shape of the audit
Stage 1 typically runs one to two days depending on the size and complexity of your scope, and may be conducted on site, remotely by video with screen-shared documents, or as a hybrid of the two. The output is a report with findings and a recommendation: proceed to Stage 2, or address specific gaps first. Most certification bodies schedule Stage 2 between four and twelve weeks later, which is the window in which Stage 1 findings must be closed.
What the auditor is there to check
At Stage 1 the auditor is not testing whether your controls work in practice. That is Stage 2. At Stage 1 they are confirming three things: that your ISMS documentation exists and hangs together, that you understand your own system, and that there are no gaps so fundamental that Stage 2 would be a waste of everyone's time. Expect them to review:
- Scope. Clause 4.3 requires a documented scope, and it is the first thing examined. Vague scopes, or scopes that quietly exclude inconvenient parts of the business without justification, draw immediate attention.
- Information security policy and objectives. Approved by leadership, communicated, and with objectives that are measurable rather than aspirational.
- Risk assessment and risk treatment. Your methodology, the assessment itself, the treatment plan, and the link between the risks you identified and the controls you selected. This chain of logic is where most Stage 1 problems live.
- Statement of Applicability. Every Annex A control accounted for, with inclusions justified and exclusions explained. An SoA that contradicts the risk assessment is a classic finding.
- Internal audit and management review. Evidence that at least one full internal audit cycle and one management review have happened. Not scheduled. Happened. This is the single most common reason Stage 1 outcomes recommend delaying Stage 2.
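The risk-treatment-to-SoA chain described above can be walked mechanically before the auditor does it. The following is an added example, not part of this article or the consulting practice's own tooling; the Annex A subset, control identifiers and sample register entries are constructed for illustration.

```python
# Added example: cross-check a Statement of Applicability against a risk
# treatment plan and report the contradictions a Stage 1 auditor looks for.
# ANNEX_A is a constructed subset of the control catalogue (2022 numbering
# assumed); a real check would load the full list.
from dataclasses import dataclass

ANNEX_A = {"A.5.1", "A.5.7", "A.8.7", "A.8.8"}


@dataclass
class SoAEntry:
    applicable: bool
    justification: str  # reason for inclusion or exclusion, may be empty


def soa_findings(soa: dict[str, SoAEntry],
                 treatment_plan: dict[str, set[str]]) -> list[str]:
    """Return Stage 1 style findings for an SoA and a risk treatment plan.

    soa maps control id -> SoAEntry; treatment_plan maps risk id -> the set
    of controls selected to treat that risk.
    """
    findings: list[str] = []
    selected = {c for controls in treatment_plan.values() for c in controls}

    # 1. Every Annex A control must be accounted for in the SoA.
    for control in sorted(ANNEX_A - soa.keys()):
        findings.append(f"{control}: missing from SoA")

    # 2. A control the treatment plan relies on cannot be excluded in the SoA.
    for control in sorted(selected):
        entry = soa.get(control)
        if entry is None or not entry.applicable:
            findings.append(
                f"{control}: selected in treatment plan but excluded or absent in SoA")

    # 3. Inclusions trace to a risk or carry a justification; exclusions are explained.
    for control, entry in sorted(soa.items()):
        if entry.applicable and control not in selected and not entry.justification.strip():
            findings.append(f"{control}: applicable but no risk or justification traces to it")
        if not entry.applicable and not entry.justification.strip():
            findings.append(f"{control}: excluded without justification")
    return findings


if __name__ == "__main__":
    # Constructed sample register: one missing control, one contradiction,
    # one unexplained exclusion.
    soa = {"A.5.1": SoAEntry(True, "Policy required by clause 5.2"),
           "A.5.7": SoAEntry(False, ""),
           "A.8.7": SoAEntry(False, "No endpoints in scope")}
    plan = {"R-01": {"A.8.7"}, "R-02": {"A.5.1"}}
    for line in soa_findings(soa, plan):
        print(line)
```

Run the same check over every link in the chain (scope against policy, risk register against treatment plan) and each finding it prints is a question to answer before the auditor asks it.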
The findings that catch organisations out
Across the Stage 1 audits we have prepared clients for, the same issues recur. Documentation written for the auditor rather than the business, full of language nobody internally recognises. Risk assessments performed once, eighteen months ago, with no review since. An internal audit conducted by the person who built the ISMS, which fails the impartiality requirement of clause 9.2. Management review minutes that show attendance but no decisions. None of these mean your security is poor. All of them signal an ISMS that exists on paper rather than in operation, and auditors are practised at telling the difference.
How to prepare, practically
- Run the readiness check yourself first. Walk the mandatory documentation as the auditor will: scope to policy to risk assessment to SoA to evidence of operation. Every break in that chain is a question you will be asked.
- Close the internal audit and management review loop. If either has not happened, fix that before booking Stage 1, not after. Ensure the internal audit was impartial; using an external party for it is acceptable and common.
- Brief the people the auditor will meet. Stage 1 usually involves leadership and the ISMS owner. They should be able to explain the scope, the top risks, and how decisions get made, in their own words. Rehearsed scripts are obvious and counterproductive.
- Prepare your evidence logistics. Whether the audit is remote or on site, know where every document lives and who can produce it. Twenty minutes spent hunting for a risk register makes a worse impression than the register itself ever could.
- Treat findings as the product. Stage 1 findings are a gift: a precise list of what to fix before Stage 2, from the people who will conduct Stage 2. Organisations that argue with Stage 1 findings tend to have harder Stage 2 experiences.
Stage 1 to Stage 2: the gap that matters
The four to twelve week window between stages exists to close findings, and it goes quickly. The honest test before booking anything: if the auditor asked your operations team how the ISMS changed their work this quarter, would anyone have an answer? If yes, you are ready for the process. If not, a gap analysis before engaging a certification body costs far less than a failed assessment.
Preparing for certification?
We take organisations through the full ISO 27001 journey, from readiness to certification and beyond, and we stay for the surveillance audits that follow. See how we approach ISO 27001 certification, or start with a management system health check to find out exactly where you stand.