
ISO 27001 Audit Preparation

Stage 1 and Stage 2 in detail: every checkpoint, typical nonconformities, and two print-ready CC-BY-4.0 checklists to download.

ISO 27001 certification always runs in two stages: Stage 1 (Documentation Review) and Stage 2 (Certification Audit). Treating them as isolated checks underestimates how they interact. Stage 1 examines conformity of your documentation with the standard; Stage 2 verifies that the documented ISMS is actually practised. This guide walks through the full checkpoints of both stages, the typical nonconformities, and how to prepare with two structured checklists (40-point Stage 1 and 60-point Stage 2). Both checklists are available as CC-BY-4.0 licensed PDFs.

Stage 1: Documentation Review (Readiness Audit)

The Stage 1 audit is a readiness check performed by the external auditor. It typically runs remotely or as a 1 to 2 day on-site engagement. The goal is not to collect findings, but to assess whether your ISMS is mature enough for Stage 2. The auditor reviews the full ISMS documentation, asks targeted questions about scope, risk methodology, and the implementation of the key management clauses, and identifies gaps that must be closed before Stage 2 begins.

Typical gap between Stage 1 and Stage 2: 4 to 8 weeks. That window gives you time to address any major findings and build additional evidence (such as a further management review cycle or internal audit). Too short a window leaves no room for corrections; too long a gap forces you to re-pull evidence from an earlier period.

Stage 1 Checkpoints: Mandatory Documents

The auditor works through a fixed list of mandatory documents. Every ISO 27001 clause generates at least one document or piece of evidence. The following are the core documents that must be complete and current before Stage 1:

  • ISMS Scope Statement (Clause 4.3): Which departments, locations, systems, and processes are covered by your ISMS. Boundaries must be documented, including the interfaces to out-of-scope areas.
  • Risk Assessment Methodology (Clause 6.1.2): How you identify and evaluate risks. Criteria for likelihood, impact, and risk acceptance must be explicitly documented.
  • Statement of Applicability (Clause 6.1.3 d): All 93 Annex A controls with per-control justification. See our SoA guide.
  • Risk Treatment Plan: Which controls address which risks, with owners and deadlines.
  • Security Policy (Clause 5.2): Information security policy approved by top management, with a statement of commitment.
  • Internal Audit Plan (Clause 9.2): Multi-year audit plan, and at least one completed internal audit with report.
  • Management Review Minutes (Clause 9.3): At least one complete review cycle! Without management review minutes you will not pass to Stage 2.
  • Corrective Action Process (Clause 10.1): Documented procedure for corrective actions, with examples of closed nonconformities.
  • Evidence of Security Awareness Training (A.6.3): Training records for all employees, including onboarding evidence.

Stage 2: Certification Audit (On-Site)

The Stage 2 audit is the actual certification audit and takes place on site. Duration depends on headcount and scope: 3 to 8 days. A mid-sized organisation with 100 to 300 employees should expect 4 to 5 days. The auditor no longer checks documentation; they verify operational implementation through sampling, interviews, and technical verification.

Stage 2 Checkpoints: Operational Evidence

For Stage 2 you need not just documents, but proof that your ISMS is actually practised. The key evidence artifacts:

  • Asset Inventory (A.5.9): Complete inventory of all information assets with owner, classification, and last-review date.
  • Access Control Matrix (A.5.15 to A.5.18): Who has which access. The auditor samples entries and checks whether privileged accounts follow a clear need-to-know principle.
  • Supplier Register (A.5.19 to A.5.22): List of all critical suppliers with risk rating, DPA, and contractual security commitments.
  • Incident Log (A.5.24 to A.5.27): List of all security incidents with detection, response, and lessons learned. Even if you had no incidents, you still need the log and a documented escalation chain.
  • Backup Records (A.8.13): Evidence of successful backups and, critically, of at least one tested restore. A backup without a restore test is not a backup.
  • Change Management Records (A.8.32): History of change requests with risk assessment, approval, and rollback plan.
  • Vulnerability Scans (A.8.8): Ideally at least 6 months of scan history with documented remediation. A single scan directly before the audit is a red flag.
  • Penetration Test: Optional, but welcomed by TÜV and other certification bodies, particularly for internet-facing systems and web applications.
  • BCM / DR Test Results (A.5.30): Evidence of a performed business continuity or disaster recovery test with a protocol and lessons learned.
  • Audit Interviews: The auditor typically interviews the CISO, IT administrators, developers, HR, and procurement. Every role must be able to describe the processes relevant to them.
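Several of the evidence rules above are mechanical enough to check before the auditor does: every asset needs an owner, a classification and a recent review date; every backed-up system needs at least one tested restore; scan history should span roughly six months, with open findings tied to a remediation record. The following script is an added example, not one of the page's checklists and not Kopexa's code; the record layouts, thresholds (365 days for asset review, 180 days of scan history) and the sample data are constructed assumptions, so adapt them to your own registers.

```python
"""Added example: a pre-audit readiness check over Stage 2 evidence records.
All dataclasses, thresholds and sample data below are constructed assumptions,
not a real tool's schema or Kopexa's own code."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str | None
    classification: str | None
    last_review: date | None


@dataclass(frozen=True)
class BackupRecord:
    system: str
    run_date: date
    succeeded: bool
    restore_tested: bool  # True only if a restore from this backup was exercised


@dataclass(frozen=True)
class ScanRecord:
    scan_date: date
    open_findings: int
    remediation_ref: str | None  # ticket or change record tracking the fixes


def check_assets(assets, audit_date, max_review_age_days=365):
    """A.5.9: every asset has owner, classification and a reasonably fresh review."""
    findings = []
    for a in assets:
        required = (("owner", a.owner), ("classification", a.classification),
                    ("last_review", a.last_review))
        missing = [label for label, value in required if not value]
        if missing:
            findings.append(f"asset {a.name}: missing {', '.join(missing)}")
        elif (audit_date - a.last_review).days > max_review_age_days:
            findings.append(f"asset {a.name}: last review older than {max_review_age_days} days")
    return findings


def check_backups(records):
    """A.8.13: each system needs a successful backup AND a tested restore."""
    by_system = defaultdict(list)
    for r in records:
        by_system[r.system].append(r)
    findings = []
    for system, runs in sorted(by_system.items()):
        if not any(r.succeeded for r in runs):
            findings.append(f"backup {system}: no successful backup recorded")
        if not any(r.succeeded and r.restore_tested for r in runs):
            findings.append(f"backup {system}: no tested restore")
    return findings


def check_scan_history(scans, audit_date, min_history_days=180):
    """A.8.8: scan history should span ~6 months; open findings need a remediation record."""
    if not scans:
        return ["vulnerability scans: no scan history"]
    findings = []
    dates = sorted(s.scan_date for s in scans)
    span = (dates[-1] - dates[0]).days
    if span < min_history_days:  # a single scan right before the audit fails here
        findings.append(f"vulnerability scans: history covers only {span} days (< {min_history_days})")
    for s in scans:
        if s.open_findings and not s.remediation_ref:
            findings.append(f"vulnerability scan {s.scan_date}: {s.open_findings} open findings without remediation record")
    return findings


def readiness_report(assets, backups, scans, audit_date):
    return {
        "assets": check_assets(assets, audit_date),
        "backups": check_backups(backups),
        "scans": check_scan_history(scans, audit_date),
    }


# Constructed sample evidence for a fictional audit on 2025-09-01.
AUDIT_DATE = date(2025, 9, 1)
SAMPLE_ASSETS = [
    Asset("hr-db", "HR Lead", "confidential", date(2025, 3, 10)),
    Asset("wiki", None, "internal", date(2025, 1, 5)),          # no owner
    Asset("erp", "CFO", "confidential", date(2024, 2, 1)),      # review is stale
]
SAMPLE_BACKUPS = [
    BackupRecord("erp", date(2025, 8, 30), True, False),
    BackupRecord("erp", date(2025, 6, 15), True, True),         # restore exercised
    BackupRecord("hr-db", date(2025, 8, 31), True, False),      # never restored
    BackupRecord("wiki", date(2025, 8, 31), False, False),      # failed run only
]
SAMPLE_SCANS = [
    ScanRecord(date(2025, 2, 20), 12, "CHG-0412"),
    ScanRecord(date(2025, 5, 20), 5, "CHG-0499"),
    ScanRecord(date(2025, 8, 25), 3, None),                      # untracked findings
]
SAMPLE_REPORT = readiness_report(SAMPLE_ASSETS, SAMPLE_BACKUPS, SAMPLE_SCANS, AUDIT_DATE)

if __name__ == "__main__":
    for area, items in SAMPLE_REPORT.items():
        print(f"{area}: {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

Run it against exports of your asset inventory, backup job log and scanner history a few weeks before Stage 2; each line it prints is something the auditor's sampling is likely to surface too.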

Typical Nonconformities and Remediation Deadlines

Audit findings fall into three categories. The category determines how much time you have for remediation.

Category    | Typical Examples                                                        | Remediation Deadline
Major       | Missing management review, incomplete SoA, no completed internal audit. | usually 90 days
Minor       | Incomplete logs, backup tests not documented, gaps in training records. | usually 6 months
Observation | Improvement suggestions without a remediation obligation.               | no deadline

With a major finding the certificate is not issued until the corrective action has been verified by the auditor, either by submitting additional evidence or by a follow-up audit. Minor findings are typically re-examined at the next surveillance audit.

Download: Audit Checklists (CC-BY-4.0)

For a structured preparation, two checklists are available as print-ready PDFs. Both are licensed under CC-BY-4.0 and can be used freely with attribution to Kopexa GmbH.

Stage 1 Readiness Checklist

Around 40 items covering ISO 27001 Clauses 4 to 10 and Annex A documentation prerequisites.

CC-BY-4.0 licence, free use with attribution to Kopexa GmbH.

Stage 2 Evidence Checklist

Around 60 items grouped by Annex A theme: A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological.

CC-BY-4.0 licence, free use with attribution to Kopexa GmbH.

Tips for Audit Week

Even with the best preparation, audit week determines how the whole engagement plays out. The following principles come from field experience and spare you findings:

  1. Designate an Audit Host: Usually the CISO or ISMS manager. The audit host stays with the auditor throughout, facilitates interviews, brings in the right SMEs, and manages the room logistics.
  2. Pre-Audit Walk-Through: One week before the audit, go through the likely questions with every interviewee. Not to memorise answers, but to clear up uncertainties.
  3. Never Improvise: The sentence "we do this, we just never documented it" is a finding. If it is not documented, it does not exist for the auditor.
  4. The Auditor Is Right in the Room: Arguing during the audit achieves nothing. Substantive objections go into the open-points list AFTER the audit. In the room: listen, document, clarify, do not debate.
  5. Prepare Interviewees: Staff should know the auditor is asking about their processes, not the verbatim policy text. Honest, concrete answers beat rehearsed phrases.

Want the full audit preparation in one platform?

Kopexa links the Statement of Applicability, risk register, incident log, supplier register, and evidence archive in a single tool. 14-day free trial, from EUR 249 per month. Self-service or with partner support, both work.


Frequently Asked Questions

How long does the Stage 2 audit take?

Depending on headcount and scope, between 3 and 8 days. Small organisations with 20 to 50 employees get by with 3 days, mid-sized organisations with 100 to 300 employees typically 4 to 5 days, and large organisations with distributed sites 6 to 8 days or more.

What does the certification audit cost?

For mid-sized organisations, the certification audit typically falls in the range of EUR 10,000 to 25,000. See our honest cost comparison for more. On top come the annual surveillance audits, which usually amount to around one third of the Stage 2 cost.

Can Stage 1 and Stage 2 be done on the same day?

No. The gap between Stage 1 and Stage 2 is typically 4 to 8 weeks. You need that time to address any major findings. Certification bodies also do not accept combined audits because Stage 1 is explicitly a readiness check whose results feed into the planning of Stage 2.

What happens with a major finding?

With a major finding the certificate is not issued. You receive a remediation window, usually 90 days, to implement the corrective action. Verification happens either by submitting evidence or through a follow-up audit. Only then is the certificate issued.

Who should attend the audit interviews?

The CISO or ISMS manager is mandatory. Beyond that, bring in subject-matter experts per control area: IT administrators (A.5.15 to A.5.18, A.8), developers (A.8.25 to A.8.28), HR (A.6), procurement (A.5.19 to A.5.22), facility management (A.7). Top management should be available for the management review topic, even if they do not join every session.

Can we combine the audit with NIS2 or TISAX?

Yes. An ISO 27001 certification covers around 85 percent of NIS2 requirements for essential-importance entities and a significant portion of TISAX. Joint audits are possible, but must be agreed in advance with the certification body. See our ISO 27001 vs. NIS2 comparison.
