ISO 27001 Stage 1 Audit: What to Expect & How to Prepare

The ISO 27001 Stage 1 audit, also known as a documentation review, is the first step in the certification process. This initial assessment typically lasts one to two days (or longer for larger organizations) and is designed to evaluate whether your Information Security Management System (ISMS) is adequately prepared for the Stage 2 audit, which focuses on implementation and effectiveness.

What is the Purpose of the Stage 1 Audit?

The primary goal of the Stage 1 audit is to verify that your ISMS documentation, policies, and procedures are properly designed and align with ISO 27001 requirements. The auditor assesses whether your organization has a solid foundation in place before proceeding to full certification, ensuring that essential elements such as risk assessments, control justifications, and compliance frameworks are properly structured.

Key Activities in the Stage 1 Audit

During the audit, the auditor will focus on several key areas:

  • ISMS Documentation Review: Assessing policies, procedures, and other information security management documents to ensure completeness, accuracy, and compliance with ISO 27001 requirements.

  • Scope Definition: Confirming that the scope of your ISMS is well-defined, including what’s covered and excluded (Clause 4.3).

  • Risk Assessment & Risk Treatment: Reviewing your risk assessment methodology, criteria for conducting risk assessments, acceptable risk levels, and the assignment of risk owners (Clause 6.1.2).

  • Statement of Applicability (SoA): Ensuring the justification for inclusion or exclusion of controls is documented and that controls align with your risk assessment (Clause 6.1.3).

  • Walkthroughs: The auditor may conduct walkthroughs of your organization’s operations and infrastructure to gain a better understanding of how your ISMS is structured.

  • Employee Competency & Training: Evaluating your training and awareness programs, including methods to measure their effectiveness (Clauses 7.2 & 7.3).

  • Legal and Regulatory Compliance: Reviewing your legal register for completeness, ensuring it includes all applicable laws and regulations (Clause 4.2).

  • Internal and External Communication Policies: Reviewing policies that govern ISMS-related communication within and outside the organization (Clause 7.4).

  • Monitoring and Measurement: Checking whether appropriate monitoring, measurement, and evaluation criteria are defined (Clause 9.1).

  • Internal Audits & Management Review: Ensuring evidence of internal audits, auditor competency, and a documented management review process (Clauses 9.2 & 9.3).

  • Non-Conformities & Corrective Actions: Confirming that your organization has a process for handling non-conformities and implementing corrective actions (Clause 10.2).

Outcome of the Stage 1 Audit

After completing the Stage 1 audit, you will receive a Stage 1 Audit Report from Tempo Audits, typically within one week. This report will include:

  1. Recommendation for Stage 2 Audit: If your ISMS is deemed ready, you will be recommended to proceed to Stage 2.

  2. Areas of Concern: Any minor or major areas of concern identified by the auditor, which could lead to non-conformities in Stage 2 if not addressed.

  3. Actionable Feedback: Guidance on resolving any weaknesses before the Stage 2 audit.

If your ISMS is not yet ready to proceed, the auditor will explain why and provide guidance on necessary improvements. This may require scheduling a follow-up Stage 1 audit or resolving highlighted issues before setting a date for Stage 2. Tempo Audits will work with you to reschedule as needed.

Next Steps for a Successful ISO 27001 Certification

The Stage 1 audit is a crucial checkpoint in your ISO 27001 certification journey. By ensuring that your ISMS documentation, risk assessments, and compliance frameworks are in order, you can confidently proceed to Stage 2 with minimal delays. This audit also helps identify gaps early, ensuring a smoother certification process while strengthening your overall information security posture.
