What to Expect Before a Stage 1 ISO 27001 Audit

Preparing for a Stage 1 ISO 27001 audit can feel daunting—especially if it’s your first time going through the certification process. But in reality, Stage 1 is not about passing or failing. It’s about assessing your readiness and identifying gaps before the more rigorous Stage 2 audit.

Here’s a clear, practical look at what to expect and how to prepare.

What Is a Stage 1 Audit?

The Stage 1 audit (often called the “readiness review”) is an initial assessment conducted by a certification body. Its purpose is to evaluate whether your Information Security Management System (ISMS) is properly designed and documented in line with ISO 27001 requirements.

Think of it as a diagnostic check—not the final exam.

The Key Objectives of Stage 1

During this phase, auditors focus on three main areas:

1. ISMS Scope and Context

Auditors will review:

  • The defined scope of your ISMS
  • Internal and external issues affecting your organization
  • Interested parties and their requirements

They want to confirm that your ISMS boundaries make sense and are clearly documented.


2. Documentation Review

Expect a thorough review of your core ISO 27001 documents, including:

  • Information Security Policy
  • Risk Assessment and Risk Treatment Methodology
  • Statement of Applicability (SoA)
  • Risk Register
  • Documented procedures (as applicable)

At this stage, auditors are not deeply testing effectiveness—they’re checking that the right structures exist.


3. Readiness for Stage 2

The auditor will assess whether:

  • Internal audits have been conducted
  • A management review has taken place
  • Key controls have been implemented (at least at a basic level)

If these elements are missing, you may be advised to delay Stage 2.


What Auditors Typically Look For

Here’s what they’re really trying to determine:

  • Is your ISMS logically designed?
  • Are risks being identified and treated systematically?
  • Do your policies align with ISO 27001 requirements?
  • Is there evidence of leadership involvement?

They’re not expecting perfection—but they are expecting coherence and intent.


Common Gaps Identified at Stage 1

Many organizations encounter similar issues, such as:

  • Undefined or overly broad ISMS scope
  • Missing or incomplete risk assessment methodology
  • Weak or generic Statement of Applicability
  • Lack of internal audit evidence
  • No formal management review

These are normal and expected at this stage. The goal is to fix them before Stage 2.


Will You “Pass” or “Fail”?

Stage 1 does not result in certification. Instead, you’ll receive a report outlining:

  • Observations (minor issues or suggestions)
  • Nonconformities (areas that must be addressed before Stage 2)

As long as issues are resolved, you can proceed.


How to Prepare Effectively

To get the most value out of your Stage 1 audit:

Get Your Core Documents Ready

Ensure all required ISO 27001 documentation exists and is internally consistent.

Conduct an Internal Audit

This demonstrates that your ISMS is functioning and being reviewed.

Hold a Management Review

Even a simple documented meeting can satisfy this requirement.

Validate Your Risk Process

Make sure your risk assessment and treatment process is repeatable and evidence-based.


What Happens After Stage 1?

After the audit:

  1. You receive a report with findings
  2. You address any identified gaps
  3. You confirm readiness for Stage 2

Once those steps are complete, you move on to the certification audit.


Final Thoughts

Stage 1 is your opportunity to catch issues early—before they become certification blockers. Instead of treating it as a hurdle, use it as a valuable checkpoint to strengthen your ISMS.

If you approach it with preparation and clarity, Stage 1 can set you up for a smooth and successful Stage 2 audit.


Need Help with Your ISO 27001 Journey?

If you need support preparing for your Stage 1 audit or navigating your ISO 27001 certification journey, feel free to get in touch. I’m happy to help guide you through the process and set you up for success.
