Before the main operational audit, an ISO 27001 certification body conducts a Stage 1 audit: a review of your documentation to confirm the ISMS is properly designed and ready to be tested. It is less stressful than Stage 2 but no less important, because it sets the tone and surfaces the issues you must fix before the main event.
This guide explains exactly what the Stage 1 document review involves, what the auditor examines, how to prepare, and how to use it to smooth your path to ISO 27001 certification.
What the Stage 1 audit is
Stage 1 is the first part of the two-stage certification audit. Its purpose is to review your ISMS documentation and confirm that the management system is designed in line with ISO 27001 and ready for the operational testing of Stage 2.
It is sometimes called the ‘documentation review’ or ‘readiness review’ because it focuses on design rather than operation. The auditor is checking the blueprint before inspecting the building.
Stage 1 can be conducted remotely or on site and is generally shorter than Stage 2.
Why it exists
The two-stage structure protects everyone’s time. There is no point testing whether controls operate if the ISMS is fundamentally mis-designed or key documents are missing. Stage 1 catches those problems first, so Stage 2 can focus on operation.
For you, Stage 1 is a valuable early warning: it tells you what to fix before the higher-stakes audit, turning potential Stage 2 failures into a manageable to-do list. It is a feature, not a hurdle.
This is why a clean Stage 1 sets a confident tone for the rest of certification.
What the auditor reviews
The Stage 1 auditor examines your core ISMS documents: the scope statement, the information security policy, the risk assessment methodology and results, the risk treatment plan, and the Statement of Applicability. These define how your management system is meant to work.
They also look for evidence that the mandatory clause activities exist — that you have set objectives, conducted an internal audit, and held a management review. Essentially, they confirm the management system is complete on paper.
Each document should be current, approved, and version-controlled.
Checking the Statement of Applicability
The Statement of Applicability gets particular attention at Stage 1, because it ties the whole ISMS together. The auditor checks that it lists the Annex A controls, records inclusions and exclusions with justifications, and traces back to your risk assessment.
A clear, risk-linked SoA reassures the auditor that your controls are deliberate; a vague or disconnected one invites deeper scrutiny. Getting the SoA right is one of the highest-value preparations for Stage 1.
It is, in effect, the index the auditor uses to navigate your ISMS.
Confirming readiness for Stage 2
Beyond documents, Stage 1 assesses whether you are genuinely ready for Stage 2. The auditor considers whether the ISMS has been operating long enough to generate evidence, and whether the internal audit and management review have actually been done.
If you are clearly not ready — for instance, the ISMS has barely started operating — the auditor may advise delaying Stage 2 rather than setting you up to fail. This judgement is part of Stage 1’s value.
It ensures Stage 2 happens when you can actually pass it.
Stage 1 findings
Stage 1 typically produces findings — usually documentation gaps or areas needing clarification. These are normal and expected; the whole point of Stage 1 is to surface them. You address them in the interval before Stage 2.
Findings might include a scope that needs tightening, an SoA disconnected from the risk assessment, missing objectives, or an internal audit not yet conducted. None are disasters; all are fixable.
A short, clean Stage 1 findings list is a good sign of a well-prepared ISMS.
The gap before Stage 2
After Stage 1 there is usually a gap of a few weeks before Stage 2, giving you time to close the findings. Use it deliberately: fix the documentation gaps, ensure evidence is organised, and prepare the staff who will be interviewed in the operational audit.
The length of the gap depends on how much there is to fix and on scheduling. Entering Stage 2 with all Stage 1 findings resolved is the goal, and it makes the main audit markedly smoother.
Treat this interval as focused remediation time, not a pause.
How to prepare for Stage 1
Preparation is mostly about documentation. Ensure every mandatory document exists, is current, approved, and version-controlled, and that your SoA traces cleanly to your risk assessment. Confirm your internal audit and management review have genuinely happened and are recorded.
Organising documents so the auditor can find everything quickly speeds the review and signals a well-run ISMS. A readiness assessment beforehand will have already checked all of this.
Good document hygiene is the heart of Stage 1 preparation.
Common Stage 1 problems
Recurring Stage 1 problems include: an SoA that does not match the risk assessment; missing or unapproved policies; no documented internal audit or management review; a scope statement that is vague or inconsistent; and objectives that were never set.
Most stem from leaving documentation or the mandatory clause activities until too late. Addressing them is straightforward once identified, which is exactly why finding them at Stage 1 is helpful rather than alarming.
Anticipating these lets you check for them before the auditor does.
Stage 1 in surveillance and recertification
The formal two-stage structure applies to initial certification and recertification. Surveillance audits are lighter and do not repeat a full Stage 1, but they still check that your documentation remains current and consistent with operation.
So the discipline you build for Stage 1 — keeping documents current, approved, and aligned with the risk assessment — pays off across the whole certification cycle, not just at first certification.
Document hygiene is therefore an ongoing habit, not a one-time push.
Turning Stage 1 into an advantage
Smart organisations treat Stage 1 as free consulting: an accredited auditor telling you exactly what to fix before the decisive audit. Approached that way, even a findings-heavy Stage 1 is valuable, because every issue caught is one that will not derail Stage 2.
The best preparation — a thorough readiness assessment — means Stage 1 mostly confirms you are ready, with few surprises. ISpectra prepares clients so Stage 1 is a formality, with free VAPT and a multi-framework discount included.
Used well, Stage 1 de-risks the entire certification.
The bottom line
The Stage 1 audit is a documentation review confirming your ISMS is properly designed and ready for operational testing at Stage 2. The auditor examines your scope, policy, risk assessment, Statement of Applicability, objectives, internal audit, and management review.
Findings are normal and exist to be fixed in the interval before Stage 2. Prepare with thorough document hygiene and a readiness assessment, and Stage 1 becomes a confident gateway rather than a hurdle.
Treat it as early, expert feedback, address what it surfaces, and you set up Stage 2 — and your certificate — for success.