What is ISO 27001 Stage 1 audit? Requirements, checklist, what to expect & how to prepare
This guide explains ISO 27001 Stage 1 requirements, expectations, common pitfalls, and practical steps to prepare confidently for certification.
Key takeaways
Stage 1 confirms that your ISMS is properly designed, documented, and ready before progressing confidently to full operational testing in Stage 2.
Most Stage 1 delays stem from poor scoping, weak risk alignment, incomplete documentation, or missing non-negotiable ISMS foundation documents.
A rigorous Stage 1 audit prevents costly Stage 2 surprises by identifying gaps early and providing clear, practical improvement guidance.
An ISO 27001 Stage 1 audit is your first real external checkpoint on the path to certification. It answers a simple but critical question: Is your Information Security Management System (ISMS) genuinely ready for Stage 2?
During this review, the auditor examines your policies, scope, risk assessment and treatment plans, internal audits, and management review records to understand how your system is designed and whether it aligns with the standard. Any gaps identified become a clear, practical action list to resolve before moving forward.
The audit usually takes one to two days (sometimes more for larger entities). This guide, prepared by Tempo Audits’ experienced auditors, explains what to expect and how to prepare with confidence.
Understanding ISO 27001
ISO 27001 was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was created to provide a globally recognised framework for managing information security risks.
The standard has been updated over time to reflect changes in technology, cyber threats, and business practices. ISO 27001 is used by organisations of all sizes to build trust with customers, meet regulatory expectations, and reduce the risk of data breaches.
ISO 27001 Stage 1 audit made hassle-free!
Working with Tempo Audits means a clear, supportive, remote-first, and well-structured Stage 1 audit. Our auditors guide you through the process, explain findings in plain language (just like this guide), and help you prepare confidently for Stage 2.
Get in touch to book your audit or ask a question today.
Who the ISO 27001 Stage 1 audit is for
SaaS companies - SaaS businesses handling customer data need strong security foundations. Stage 1 confirms your Information Security Management System (ISMS) is properly documented before full certification.
Startups - For startups, Stage 1 provides clarity. It checks that policies, risks, and controls are defined without the pressure of full implementation testing.
Enterprises - Larger organisations with complex systems use Stage 1 to ensure scope, documentation, and controls are clearly defined before Stage 2.
Companies becoming certified for the first time - If you’re new to ISO 27001, Stage 1 confirms readiness and highlights gaps early. (For companies transferring providers from another IAF-accredited certification body, you won’t need another Stage 1, since you’ll already have your certification.)
What are the ISO 27001 stage 1 audit requirements?
A clearly defined ISMS scope that reflects your actual business, systems, locations, and services.
Documented information security policies and objectives.
A structured risk assessment and risk treatment approach, with defined criteria and risk owners.
A completed Statement of Applicability* showing which Annex A controls* apply and why.
Evidence that roles, responsibilities, and competencies for information security are defined.
Basic evidence that the ISMS is operating, such as training, meetings, or early reviews.
A plan or evidence for internal audits and management review.
Processes for monitoring, corrective actions, and continual improvement.
The Stage 1 audit does not require perfection. It only confirms that your ISMS meets ISO 27001 requirements on paper and is ready to be tested properly during the Stage 2 audit.
*The Statement of Applicability explains which ISO 27001 controls apply to your organisation and clearly justifies why others do not.
*Annex A controls are the set of security measures listed in ISO 27001 (taken from ISO 27002, which defines them in more detail) that are used to manage and reduce information security risks.
ISO 27001 Stage 1 vs Stage 2 audit
ISO 27001 certification takes place in two distinct stages, each with a different objective.
Understanding the difference helps you prepare properly and avoid surprises later in the process.
Stage 1 vs Stage 2 comparison table:
| Aspect | ISO 27001 Stage 1 audit | ISO 27001 Stage 2 audit |
|---|---|---|
| Purpose | Confirms readiness for certification | Confirms effective implementation |
| Primary focus | Documentation and ISMS design | Operational effectiveness |
| What is assessed | Scope, policies, risk assessment, Statement of Applicability, internal audit, management review | Working controls, real evidence, staff behaviour, and technical configurations |
| Control testing | Not always tested (although Tempo likes to, if we have sufficient time) | Controls tested in detail |
| Evidence review | High-level confirmation processes exist | Extensive sampling of logs, tickets, reviews, and records |
| Interviews | Mainly ISMS owner | Mainly ISMS owner, although some staff will be interviewed throughout the audit |
| Technical deep dive | Limited | Detailed review of infrastructure and systems |
| Non-conformities | Not issued - instead we issue “Areas of Concern” | Formal non-conformities may be raised |
| Outcome | Recommendation to proceed to Stage 2 | Certification decision (after any issues are closed) |
In simple terms, Stage 1 asks: “Have you designed an ISMS that could meet the standard?”
Stage 2 asks: “Is your ISMS actually working as intended?”
Stage 1 does not involve testing backup restorations, reviewing firewall rules in detail, sampling months of access reviews, or issuing non-conformities. Those activities always happen in Stage 2.
Key activities in the ISO 27001 Stage 1 audit
During the Stage 1 audit, the auditor focuses on a number of crucial activities as outlined below:
1. ISMS documentation review
The auditor reviews your information security policies, procedures, and supporting documents to confirm they meet ISO 27001 requirements and are complete, accurate, approved, and up to date.
Version control and document approval dates are also checked to ensure documents are properly managed.
2. ISMS scope definition (Clause 4.3)
A critical audit activity is confirming that the scope of your ISMS is clearly defined.
This includes what is included, what is excluded, and the boundaries of the system. Poor or unclear scoping is one of the most common Stage 1 issues.
3. Risk assessment and risk treatment (Clause 6.1.2)
Your risk assessment methodology is reviewed to ensure risks are identified consistently, assessed against defined criteria, assigned to risk owners, and evaluated against acceptable risk levels.
Risks are evaluated using clear rules, such as:
Likelihood of the risk happening
Impact on the organisation if it happens
Risk rating or score based on likelihood and impact
Acceptable risk levels set by management
4. Statement of Applicability (Clause 6.1.3)
The Statement of Applicability is checked to ensure controls are clearly included or excluded with valid justification, and that they align with your risk assessment and Annex A controls.
5. Alignment between key ISMS elements
The auditor looks for consistency between your risk register, Statement of Applicability, and selected Annex A controls.
Misalignment here is a common reason for delays later in the certification process.
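As an added example (not code from Tempo Audits or from the standard), a small Python check of the alignment the auditor looks for in activities 3 and 5: every risk has an owner and a score on the defined scale, risks above the acceptance level are not simply accepted, every mitigated risk links to a control, and every linked control is marked applicable and justified in the Statement of Applicability. The register entries, SoA entries, 1-5 scales and acceptance threshold are constructed assumptions, not values from the page.

```python
# Added example: consistency check between a risk register and a Statement of
# Applicability (SoA). Scales, threshold and sample data are assumptions.
from dataclasses import dataclass, field

ACCEPTABLE_SCORE = 6  # assumed management-approved acceptance level (likelihood x impact)


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int  # assumed 1-5 scale
    impact: int      # assumed 1-5 scale
    owner: str
    treatment: str   # "mitigate", "accept", "transfer" or "avoid"
    controls: list = field(default_factory=list)  # Annex A references, e.g. "A.5.15"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def check_alignment(risks, soa):
    """Return findings an auditor would raise; an empty list means register and SoA agree."""
    findings, referenced = [], set()
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            findings.append(f"{r.rid}: likelihood/impact outside the defined 1-5 scale")
        if not r.owner:
            findings.append(f"{r.rid}: no risk owner assigned")
        if r.score > ACCEPTABLE_SCORE and r.treatment == "accept":
            findings.append(f"{r.rid}: score {r.score} exceeds acceptance level but is marked 'accept'")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.rid}: treated by mitigation but no control is linked")
        for c in r.controls:
            referenced.add(c)
            entry = soa.get(c)
            if entry is None:
                findings.append(f"{r.rid}: references {c}, which is absent from the SoA")
            elif not entry["applicable"]:
                findings.append(f"{r.rid}: references {c}, which the SoA marks not applicable")
    for c, entry in soa.items():
        if not entry.get("justification"):
            findings.append(f"SoA {c}: no inclusion/exclusion justification recorded")
        if entry["applicable"] and c not in referenced:
            findings.append(f"SoA {c}: applicable but no risk links to it (check for a legal/contractual driver)")
    return findings


# Constructed sample data; control numbers follow ISO/IEC 27001:2022 Annex A.
SAMPLE_SOA = {
    "A.5.15": {"title": "Access control", "applicable": True, "justification": "Customer data in SaaS platform"},
    "A.8.13": {"title": "Information backup", "applicable": True, "justification": "Availability of customer data"},
    "A.8.7": {"title": "Protection against malware", "applicable": False, "justification": ""},
}
SAMPLE_RISKS = [
    Risk("R-01", "Unauthorised access to production database", 3, 5, "CTO", "mitigate", ["A.5.15"]),
    Risk("R-02", "Loss of customer data from storage failure", 2, 4, "Head of Engineering", "accept"),
    Risk("R-03", "Malware on developer laptops", 3, 3, "", "mitigate", ["A.8.7"]),
]

if __name__ == "__main__":
    for finding in check_alignment(SAMPLE_RISKS, SAMPLE_SOA):
        print(finding)
```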
6. Evidence of ISMS operation
Although Stage 1 is document-focused, the auditor checks for basic evidence that the ISMS is operating, such as early risk reviews, training records, meetings, or monitoring activities.
7. Walkthroughs of operations and systems
The auditor may conduct walkthroughs to better understand how your organisation operates and how the ISMS is supported across systems, locations, and processes.
8. Employee competency and awareness (Clauses 7.2 and 7.3)
Training and awareness programmes are reviewed to confirm that relevant staff understand their information security responsibilities and that training effectiveness is considered.
9. Legal and regulatory compliance (Clause 4.2)
Your legal and regulatory register is reviewed to ensure it identifies applicable laws, regulations, and contractual obligations related to information security.
10. Internal and external communication (Clause 7.4)
The auditor reviews how ISMS-related communication is managed internally and externally, including responsibilities and communication methods.
11. Monitoring and measurement (Clause 9.1)
Defined monitoring, measurement, and evaluation criteria are reviewed to confirm that ISMS performance can be tracked and assessed.
12. Internal audits and management review (Clauses 9.2 and 9.3)
Evidence of internal audits, auditor competence, and management review activities is checked to confirm oversight and leadership involvement.
13. Non-conformities and corrective actions (Clause 10.2)
Finally, the auditor confirms that a documented process exists for identifying non-conformities and implementing corrective actions.
Together, the above activities help confirm whether your organisation is ready to proceed confidently to the Stage 2 audit.
Explanation for the clauses mentioned in the activities above
ISO/IEC 27001 is structured into numbered clauses that define what an organisation must do to build and maintain an Information Security Management System (ISMS). During an audit, auditors use these clauses as the formal reference points to assess compliance.
How to prepare for a Stage 1 audit (4-step process)
Ensure team availability - Identify and make key team members available for the audit. This allows questions to be answered quickly and helps the auditor gain an accurate understanding of how information security is managed.
Provide auditor access - Provide the auditor with access to your document repository or governance, risk, and compliance (GRC) platform. This gives them a clear, structured view of your policies, records, and evidence, allowing the review to be completed efficiently and with fewer follow-up requests.
Conduct a pre-audit review - Carry out a pre-audit or mock review to check your Information Security Management System in advance. This helps you spot gaps or weaknesses early and gives you time to fix them before the formal audit begins.
Organise documentation - All relevant documents and records are organised, approved, and easy to locate, ensuring the audit progresses smoothly and without unnecessary delays.
Non-negotiable documents checklist for Stage 1
If any of these are missing or incomplete, Stage 2 scheduling might be delayed, or Tempo might request evidence of implementation before Stage 2.
Documentation quality issues that raise immediate concern
Certain documentation problems quickly signal that your Information Security Management System may not be ready for Stage 1.
Major red flags
Complete absence of key documents - Missing core items such as the risk assessment, Statement of Applicability, or information security policy.
Template policies without customisation - Generic content, placeholders left unchanged, or policies that clearly do not reflect your actual business.
Inconsistent or contradictory documents - Policies, procedures, and the Statement of Applicability saying different things.
Vague, generic wording - High-level statements with no specifics about your controls, systems, or responsibilities.
No ownership or approval records - Undated documents with no version control or clear accountability.
No clear link between risk and controls - Risks identified, but no obvious treatment or control alignment.
Unrealistic or outdated procedures - Processes nobody follows, references to old systems, or former employees.
Copy-paste from the ISO 27001 standard - Repeating the standard instead of showing how you implement it.
No reflection of business context - Documentation disproportionate to your size, structure, or environment.
What good ISO 27001 documentation looks like
Clear ownership and approval
Specific to your organisation
Consistent across documents
Maintained and up to date
Practical and actually followed
Clearly linked from risk → control → evidence
Written in language your team understands
Proportionate to your size and complexity
Common Stage 1 readiness gaps by company type
In early-stage SaaS companies, the main challenge is moving from informal, trust-based working to documented, repeatable processes.
Scale-ups often struggle because processes that worked at 20 people break at 80, creating inconsistency across teams.
Enterprises rarely lack documentation, but complexity becomes the issue - too many documents, unclear scope boundaries, and competing stakeholders can make the ISMS harder to manage than it needs to be.
Outcome of the Stage 1 audit
After the Stage 1 audit, you will receive a Stage 1 Audit Report. At Tempo we aim to have this with you within 1-2 days of the audit finishing, although at other certification bodies it might take longer, perhaps a week or more. The report clearly outlines your position and next steps.
It includes:
Recommendation for Stage 2 – Confirmation of whether your Information Security Management System is ready to proceed.
Identified areas of concern – Issues that could become non-conformities if not addressed.
Actionable guidance – Clear steps to strengthen your system.
If you are not ready, the auditor will explain why and outline improvements. Our expert auditors at Tempo Audits will support you in planning the next steps.
How much does an ISO 27001 Stage 1 audit cost?
Certification bodies usually price ISO 27001 as a complete package covering Stage 1 and Stage 2, because both stages form part of the same certification journey.
Stage 1 confirms your documentation is ready, and Stage 2 validates that your controls are working. Since you need both to achieve certification, they are rarely sold separately.
For UK tech companies, total certification costs (Stage 1 and Stage 2) typically start from £4,000. The final price depends on several factors, including:
Company size (more employees usually means more audit time)
Scope and complexity (multiple locations or technical environments increase effort)
Documentation readiness (well-organised systems reduce audit time)
Certification body pricing structure
A reputable provider always offers a transparent quote based on employee numbers, scope, and timeline, clearly outlining the total cost and avoiding hidden fees. Check the provider's accreditation to validate this: in the UK or across Europe, for example, you might want UKAS accreditation or another recognised European accreditation.
7 common misconceptions about the ISO 27001 Stage 1 audit
“Someone in a suit will visit our office for the day.” No. Stage 1 audits are typically remote. We use video calls and shared access. No meeting rooms required. The suited auditor image is outdated.
“It’s going to be dry and bureaucratic.” It does not have to be. We keep it conversational and explain findings in plain English.
“We’ll be stuck in meetings all day.” Not necessarily. Much of it can be asynchronous if your documents are organised.
“Stage 1 is just a formality.” Not with us. Stage 1 is your opportunity to get genuine feedback before the high-stakes Stage 2 audit.
“We need everything perfect.” Not quite. Stage 1 is a documentation review - we're checking that you've built an ISMS on paper. It doesn't need to be perfect, but it does need to be substantially complete.
“The auditor will write our policies.” We cannot. We guide, you write.
“Stage 1 takes weeks to schedule.” Not with Tempo Audits!
The Tempo Audits difference: A modern approach to Stage 1
1. We move fast
Need a Stage 1 audit quickly? We can typically book you in with just a few days’ notice. No six-week lead times. No bureaucratic scheduling processes.
If you are ready and we have auditor availability, we make it happen.
2. Rapid turnaround on reports
We aim to deliver your Stage 1 report within 1-2 days of the audit finishing, not weeks later. This allows you to address findings immediately and maintain momentum towards Stage 2. It also means we can schedule a shorter gap between Stage 1 and Stage 2, so you receive your certification sooner.
3. Remote by default
Our Stage 1 audits are usually fully remote unless physical infrastructure needs inspection. Video calls and screen shares work effectively for documentation review.
4. Agile and asynchronous
If your evidence is clearly structured - Notion, Google Drive, or on a GRC platform - we can review documentation independently and schedule focused discussions.
You are not tied up for entire days.
5. We understand tech companies
We are not a traditional certification body or audit firm. We understand SaaS, cloud infrastructure, DevOps workflows, and modern tech teams.
6. We actually want to find issues at Stage 1
This might sound counterintuitive, but we believe in a rigorous Stage 1 audit. Finding issues early - before Stage 2 - means we can flag them in advance and give you time to fix them properly, rather than scrambling during or after Stage 2.
Some certification bodies treat Stage 1 as a light-touch box-ticking exercise. We do not. We would rather have an honest conversation now than surprise you with major findings later.
Move from Stage 1 to certification with confidence!
Once your Stage 1 audit confirms readiness, the next step is achieving UKAS-accredited ISO 27001 certification. Tempo Audits supports you through Stage 2 with clear guidance, experienced auditors, and a practical approach that avoids unnecessary complexity.
Speak to our team today to get started.
ISO 27001 Stage 1 audit FAQs
- Preparation time depends on how mature your Information Security Management System is. Small startups often need 2 to 3 months (and sometimes, if they’re very focused and can put the time in, as little as a month), while larger organisations may need longer to align documentation and records.
- Sure. Stage 1 audits are commonly carried out remotely using secure video calls and document-sharing platforms, especially for technology and SaaS organisations.
- The ISMS owner, risk or compliance lead, IT or security representatives, and anyone responsible for ISMS documentation should be available. It is also positive if a member of senior leadership attends the opening and closing meetings, although this is not always a requirement at Stage 1.
- Not directly. Stage 1 highlights gaps. If those gaps are not fixed before Stage 2, they may lead to non-conformities later.
- Auditor-led guidance focuses on what actually meets audit expectations. This helps you avoid unnecessary work and prepare more effectively for Stage 2.
- No, you cannot technically fail Stage 1. The auditor decides whether you are ready for Stage 2. If not, you must address minor or major documentation and readiness gaps first.