Our top tips for first time ISO 27001 Stage 2 audit success

If you’re going for ISO 27001 certification, your Stage 2 audit will be one of the big crunch points. You’ll need to show that your ISMS is more than just well-written documents and general good intentions. It needs to work as well in practice as it does on paper.

Over the years, we’ve helped many clients achieve first time Stage 2 audit success. And some of our ISO 27001 experts have been certification body auditors themselves, so we know the process very well from both sides. We’ve drawn on that to share our:

  • Stage 2 audit top tips
  • ISO 27001 starter-for-ten checklist

Be sure to cover off all the essentials

Your auditor will look at every part of your ISMS. They’ll focus in particular on its core components. If those aren’t up to scratch, they won’t recommend you for certification. So when you’re preparing for your audit, take particular care to cover off:

Risk management

For your infosec defenses to work, you need to understand what you’re protecting yourself from. So go through your risk management content and processes with a fine tooth comb.

Be sure you’ve:

  • Identified and recorded all possible risks in your risk register
  • Defined how you’ll respond to them in your risk treatment plan
  • Recorded which controls you’re applying in your statement of applicability

Asset management

Your ISMS looks inwards as well as outwards. Your auditor needs to see that you understand exactly what you’re protecting. So double-check that you’ve recorded and understood all of your information assets.

Bear in mind that your organisation’s information assets are more than just its IT software and hardware. The list can include everything from customer and supplier to contracts to intangibles like your brand and reputation. Make sure you’ve included it all!

Incident management

Your auditor’s checking that your ISMS works in practice. So they’ll need to see that you and your colleagues know exactly what to do when the worst happens and the – er – sugar hits the fan.

You’ll need to be absolutely confident that your incident management processes are up to scratch. That means pinning down:

  • When and how they’re triggered
  • Who does what, when, as a new incident happens
  • How you record and learn from your response to each incident, so you can:
    • Improve your ISMS
    • Make sure any repeats have less or even no impact

Properly bed in your ISMS

Your auditor needs to see that your ISMS works in practice. To make sure that’s the case, let it run for a bit. Give yourself a bit of time and space to build confidence in your ISMS before you show it to your auditor.

You’ll build confidence in two ways. In part, it’ll come naturally as you oversee your ISMS, see what works and correct what doesn’t. But you should also tick some more formal boxes. Make sure you’ve carried out:

  • One or more internal audits and management system reviews
  • Appropriate staff education and engagement activities

That second bullet is particularly important. An ISMS is only effective when people understand and comply with it. So make sure your people know:

  • What it’s for
  • Why it matters so much
  • Which policies and controls they need to follow
  • Exactly how to follow them

Make sure your ISMS makes real changes

Organisations create ISMSs because they’re not secure enough without them. Becoming secure means changing their approach to security. That creates a very simple way of checking to see if your ISMS is audit ready. Ask yourself:

Has anything actually changed?

An effective ISMS will create visible, practical changes in how your organisation works. Those changes will affect both its internal and external processes and relationships. They should be very obvious to you.

If your ISMS has created practical, positive, obvious changes then it’s one step closer to being audit ready. But if it’s just rebadged your existing security systems, you’ve probably got more work to do.

Don’t worry about lockdowns impacting your audit

Stage 2 audits have always been in-depth and on-site. That’s difficult in our modern, Covid-infected world. But don’t let it worry you.

Certification bodies are very clear that the audit process should continue as normal regardless of an organisation’s lockdown status. They’ll be happy to audit your organisation remotely and work with you to overcome any challenges.

Remote auditing makes it even more important to have a fully transparent, easily accessible, all-in-one-place ISMS, like (we feel we should mention) the one our platform could help you create. And if you’re already with us, that’s what you’ll already have.

Don’t stop once your Stage 2 audit’s done

‘Many organisations pass their audit, celebrate all their hard work and… basically forget all about their ISMS. Everyone goes back to their day job. Then, ten months or so later, there’s a big panic when they have to get ready for their first maintenance audit.

An ISMS isn’t a fire-and-forget system. To maintain ISO 27001 certification, it must:

  • Learn from any infosec incidents
  • Evolve as its parent organisation grows and changes
  • Take account of any new infosec threats and developments

We often say that maintaining your ISMS is as much of a challenge as getting it up and running. Make sure it’s a challenge you’re ready for!

Follow our starter-for-ten ISO 27001 checklist

We’ve given you some general tips on getting ready for your Stage 2 audit. We’re going to end with some specific guidance. This table’s a starter-for-ten guide to checking your ISMS against the ISO 27001 standard. It’ll help you focus as you think through each part of it.


ISO 27001 Ref & Description

Clause 10.1

Have all the findings from your Stage 1 Audit been logged, managed and tracked?

Have all major non-conformities been addressed to completion?

Are minor-non-conformities either closed or on-track according to their corrective action plan?

Clause 5

Are all scheduled processes operating in a timely manner to show adequate resourcing levels?

Clauses 6.1, 8.2 & 8.3

Is your risk register showing an accurate current picture of risk levels (i.e. you’re updating risks against change and risk treatment improvements)?

Clause 6.2

Are you achieving your information security objectives?

Clause 7.2

Are you closing any information security competence gaps?

Clause 7.3

Are you operating the information security awareness programme you’ve described?

Clause 9.1

Have you taken and assessed your ISMS performance measurements?

Clauses 9.2, 10.1 & 10.2

Have you completed at least two internal audits from the audit schedule?

Did you log, track and manage all your findings?

You don’t necessarily need to complete findings that require significant improvement, but you do need to show that action’s planned or is underway.

Clauses 9.3, 10.1 & 10.2

Has at least one formal ISMS Management Review taken place in accordance with the standard’s requirements?

Have you logged, tracked and managed all findings?

Annex A Controls

Can you show evidence that you’re operating each control and relevant process effectively?

Where you need to make improvements, can you show that you’re tracking and managing them?

A.16. Information Security Incident Management

Can you show that, when incidents take place, you’re logging, tracking, managing and responding to them over time?

Wrapping up… and good luck!

We’ve thought a lot about the Stage 2 audit because we’ve built our platform to help our customers through it. In fact, every customer that’s followed our Assured Results Method has passed achieved certification on their first attempt.

And you don’t have to start everything all over again. It’s easy to migrate your existing work onto our platform. You can move across whenever suits you, even if you’ve completed your Stage 1 audit or have actually achieved ISO 27001 certification.

And that’s that. If this blog post helps you through your Stage 2 audit, do let us know – we love hearing how organisations get on with it. All that remains is for us to wish you good luck! We’re sure that all your hard work will pay off.


Ready to see how we could help you to first time Stage 2 success?

Book a no-strings demo to see our platform in action. And we’re surprisingly affordable. You can get your quote here.