ISO 27001 Audit: Process, Timeline and What Auditors Review

ISO 27001 Audit

The ISO 27001 audit is the moment of truth in the certification journey — the independent, evidence-based assessment that determines whether the ISMS an organization has built genuinely conforms with the requirements of ISO/IEC 27001:2022. Many organizations make the mistake of treating ISO 27001 audit preparation as a documentation exercise. In reality, Stage 2 auditors combine documentation review with personnel interviews, technical evidence examination, and process walkthroughs that test the operational reality of the ISMS — not just its documented intent.

According to ISMS.online, organizations that understand the full scope of the ISO 27001 audit process consistently achieve better Stage 2 outcomes than those that treat it primarily as a compliance paperwork exercise. The ISO/IEC 27001:2022 standard is explicit about what must be verified, and CertPro CPA LLC conducts rigorous, evidence-based audits that give certified organizations a credential that enterprise buyers, regulators, and procurement authorities accept without question.

Tl; DR:

Concern: Organizations preparing for their ISO 27001 audit frequently focus their preparation on documentation completeness — without understanding that Stage 2 auditors evaluate operational evidence, interview personnel at multiple levels, and test control effectiveness in ways that documentation review alone cannot satisfy.
Overview: The ISO 27001 audit is a two-stage independent assessment conducted by an accredited certification body. Stage 1 evaluates ISMS documentation design and readiness. Stage 2 evaluates ISMS implementation and operational control effectiveness. Together, they determine whether the organization’s ISMS conforms with ISO/IEC 27001:2022 requirements and merits certification.
Solution: Organizations that prepare for their ISO 27001 audit by building operational evidence across all applicable controls, briefing relevant personnel on their ISMS roles, and conducting a thorough pre-audit internal audit consistently achieve Stage 2 certification with fewer nonconformities and lower total cost. CertPro CPA LLC conducts rigorous, evidence-based ISO 27001 audits.

ISO 27001 Audit Process — Overview

Audit Phase Activity Typical Duration Output
Pre-audit Audit planning, programme agreement, document requests 2–4 weeks before Stage 1 Audit plan, document request list
Stage 1 Documentation review and design audit 1–2 days Stage 1 findings report
Remediation window Organization addresses Stage 1 findings 4–8 weeks Corrective actions completed
Stage 2 Implementation audit and evidence review 2–5 days Certification decision report
Certification Certificate issuance 1–2 weeks after Stage 2 ISO 27001 certificate
Surveillance 1 Year 1 ongoing conformance review 1–2 days Surveillance audit report
Surveillance 2 Year 2 ongoing conformance review 1–2 days Surveillance audit report
Recertification Year 3 full reassessment Stage 1 + Stage 2 Renewed certificate

ISO 27001 Stage 1 Audit — What Happens and What Auditors Review

The Stage 1 audit is a documentation review — typically one to two days for a mid-sized organization. Its purpose is to assess whether the ISMS is designed to meet the requirements of ISO/IEC 27001:2022 and whether the organization is ready to proceed to Stage 2.

  • ISMS scope statement and context documentation — justification quality, interfaces addressed
  • Information security policy — formal approval, communication evidence, content completeness
  • Risk assessment methodology and risk register — methodology documented before use, risk entries asset-specific, scoring consistent
  • Risk treatment plan — treatment decisions linked to risk register, controls referenced in SoA
  • Statement of Applicability — all 93 controls addressed, justifications specific, implementation status accurate
  • Key policies and procedures — selected sample reviewed for organization-specificity and approval status
  • Internal audit programme — documented, conducted at least once, findings recorded
  • Management review records — substantive inputs and documented decisions

For organizations that have built documentation using ISO 27001 policies and procedures guidance and a rigorous ISO 27001 gap analysis, Stage 1 typically produces only minor observations rather than significant findings.

ISO 27001 Stage 2 Audit — What Happens and What Auditors Review

  • Opening meeting: Senior management introduction and ISMS overview — auditors note whether senior management is present as genuine evidence of top management commitment
  • Personnel interviews: Auditors interview personnel at multiple organizational levels — not just the CISO or security team. They seek evidence that ISMS awareness extends throughout the organization
  • Evidence sampling: Systematic review of operational evidence across all applicable Annex A controls — audit logs, access records, training completion records, patch management reports, incident logs
  • Technical walkthroughs: Review of access control configurations, logging system outputs, vulnerability management records, and secure development practices
  • Process walkthroughs: Step-through of key ISMS processes — how an access request is processed, how an incident is reported and triaged, how a supplier is assessed
  • Closing meeting: Preliminary findings presented with nonconformity classification (major, minor, observation)

What ISO 27001 Auditors Review — Control Evidence by Domain

Control Domain Evidence Typically Reviewed in Stage 2
Access control User provisioning records, access review reports, privileged access logs, MFA enrollment records, access removal records for terminated personnel
Vulnerability management Vulnerability scan reports, patch management records with SLA tracking, remediation completion evidence, exception management records
Incident management Incident register, investigation reports, escalation records, post-incident review documentation, notification records
Security monitoring SIEM alert logs, security event review records, threat intelligence feeds, anomaly investigation records
Security awareness Training completion records, phishing simulation results, security awareness campaign evidence, role-specific training records
Business continuity BCP and DRP documentation, disaster recovery test records, RTO/RPO validation evidence, business impact analysis
Supplier management Supplier agreements with security clauses, supplier risk assessments, annual supplier review records, exit plan documentation
Secure development Code review records, SAST/DAST scan reports, penetration test reports, deployment approval records

Organizations using automated evidence collection platforms significantly reduce Stage 2 evidence production effort and present more organized, comprehensive audit evidence.

ISO 27001 Audit — Nonconformity Types and Outcomes

Major Nonconformity

A major nonconformity represents a significant failure to meet a mandatory requirement. Examples include: no documented risk assessment methodology, absent Statement of Applicability, no internal audit programme ever conducted, or a fundamental failure in a critical Annex A control. Major nonconformities prevent certificate issuance. The organization must resolve them and have resolution verified before the certificate can be issued — typically through a follow-up audit activity within three to six months.

Minor Nonconformity

A minor nonconformity represents a partial failure where the ISMS element exists but has deficiencies in documentation quality, implementation completeness, or evidence depth. Minor nonconformities must have accepted corrective action plans before certification but do not prevent certificate issuance.

Observation

An observation is a recommendation from the auditor where improvement would strengthen the ISMS but no formal nonconformity exists. Observations are not tracked formally but are noted for management review and ISMS improvement planning.

ISO 27001 External Audit vs Internal Audit — Key Differences

Dimension External Certification Audit Internal Audit
Conducted by Accredited certification body Organization (or contracted independent party)
Purpose Determine certification conformance Verify ISMS operating effectively — find and fix issues internally
Output Certification decision + audit report Internal audit report with corrective actions
Frequency Stage 1 + Stage 2 + annual surveillance At planned intervals — typically annually
Auditor status External accredited lead auditor Internal auditor — must be independent of area audited
Findings authority Determines certificate issuance Drives internal corrective action — not certificate decision

For more on the distinction between certification audits and surveillance audits, see difference between certification audit and surveillance audit. For building an effective internal audit function, see how to build an effective internal audit function and internal audit procedures.

Ready to Get ISO 27001 Certified?

CertPro CPA LLC is a licensed CPA firm delivering ISO 27001 certification audits. Work with credentialed auditors who understand your business environment.

Schedule your ISO 27001 certification discussion →

FAQ

What is an ISO 27001 audit?

An ISO 27001 audit is an independent assessment conducted by an accredited certification body to determine whether an organization’s ISMS conforms with the requirements of ISO/IEC 27001:2022. It consists of a Stage 1 documentation review and a Stage 2 implementation audit. Together, they determine whether the ISO 27001 certificate is awarded.

What does an ISO 27001 auditor look for?

ISO 27001 auditors assess ISMS design adequacy through documentation review, ISMS implementation effectiveness through operational evidence review, personnel awareness through interviews at multiple organizational levels, and control effectiveness through technical evidence examination and process walkthroughs.

How long does an ISO 27001 audit take?

Stage 1 typically takes one to two days for a mid-sized organization. Stage 2 typically takes two to five days. Annual surveillance audits are typically one to two days. Multi-site certifications require additional audit days proportionate to the number of in-scope locations.

What happens if you fail an ISO 27001 audit?

If major nonconformities are identified during Stage 2, the certificate is not issued until they are resolved and verified through a follow-up audit activity — typically within three to six months. Minor nonconformities must have accepted resolution plans but do not prevent certification. The certification body issues a formal findings report regardless of outcome.

How do I prepare for an ISO 27001 Stage 2 audit?

Key Stage 2 preparation activities include: implementing all applicable Annex A controls with operational evidence, building an organized evidence library, briefing personnel on their ISMS roles and responsibilities, conducting a pre-Stage 2 internal audit to identify remaining gaps, addressing all Stage 1 findings with documented corrective actions, and ensuring monitoring, logging, and access control records are current and complete.

What is the difference between ISO 27001 Stage 1 and Stage 2?

Stage 1 is a documentation review assessing ISMS design adequacy and Stage 2 readiness. Stage 2 is an implementation audit verifying that the ISMS is operationally deployed and producing evidence of control effectiveness. Stage 1 typically precedes Stage 2 by four to eight weeks, allowing the organization to address any documentation gaps before the implementation audit proceeds.

Schedule A Meeting