ISO 27001 Stage 1 Audit: Complete Checklist and What Auditors Actually Check
March 11, 2026


What a Stage 1 ISO 27001 audit covers, the documents auditors request, the most common findings, and a section-by-section checklist to arrive prepared.

Tags: ISO 27001, Stage 1, Audit, Checklist

TL;DR

  • Stage 1 is a document review (1–3 days) that confirms your ISMS is ready for Stage 2 operational testing.
  • Auditors check eight mandatory ISMS documents and sample Annex A control evidence before approving Stage 2.
  • Major findings block Stage 2; minor findings can usually be closed before or during Stage 2.

Teams that stumble in their first ISO 27001 Stage 1 audit usually do so because they misunderstand the auditor's purpose. Stage 1 is not a soft walkthrough. It is the gate that determines whether your ISMS is mature enough to survive Stage 2 operational testing. An auditor who clears an unready ISMS to Stage 2 will face client frustration when Stage 2 produces major findings that could have been caught earlier.

This guide covers exactly what auditors check in Stage 1, the documents you must have ready, the findings that block Stage 2, and a complete section-by-section checklist.

What Stage 1 Covers

A Stage 1 audit against ISO/IEC 27001:2022 is a documentation audit. The certification body's lead auditor reviews your ISMS documentation to verify three things:

  1. Completeness. Every mandatory ISMS document required by clauses 4 through 10 exists and is approved.
  2. Internal consistency. Your risk assessment, Statement of Applicability, risk treatment plan, and Annex A control implementation match each other.
  3. Stage 2 readiness. Your ISMS has been operating long enough to produce evidence that Stage 2 will sample.

Stage 1 is not a full audit of control operation — that is Stage 2. The lead auditor will review some control evidence in Stage 1, but the primary question is: "Is this ISMS documented well enough that Stage 2 will be productive?"

For the broader context on how Stage 1 fits into certification, see our ISO 27001 certification guide.

The 8 Mandatory ISMS Documents

Every Stage 1 auditor will ask for these. Have them organized in a single index with owners, approval dates, and version numbers before the audit begins.

1. ISMS Scope (Clause 4.3). A written statement of what is included in your ISMS — business units, systems, physical locations, processes. Must address interfaces and dependencies with excluded elements.

2. Information Security Policy (Clause 5.2). Top-level policy signed by leadership, appropriate to the purpose of the organization, referencing objectives and commitment to continual improvement.

3. Risk Assessment Methodology (Clause 6.1.2). Your documented process for identifying risks, determining owners, assessing likelihood and impact, and accepting risks. See our ISO 27001 risk assessment guide for methodology detail.

4. Risk Assessment Results (Clause 6.1.2). The output of your methodology — a risk register with identified risks, owners, assessed likelihood and impact, and treatment decisions.

5. Risk Treatment Plan (Clause 6.1.3). For each risk requiring treatment, the specific actions, owners, and deadlines. References controls from Annex A.

6. Statement of Applicability (Clause 6.1.3). The SoA lists all 93 Annex A controls, indicates whether each is included or excluded, and provides justification. See our SoA writing guide for the full structure.

7. Information Security Objectives (Clause 6.2). Measurable objectives derived from the policy, with owners and timelines.

8. Evidence of Competence, Awareness, and Communication (Clauses 7.2, 7.3, 7.4). Training records, competence matrices, and communication logs demonstrating that relevant staff understand their ISMS responsibilities.

If any of these documents is missing, informal, unapproved, or stale, expect a major finding.

Annex A Evidence Auditors Sample in Stage 1

Beyond the mandatory ISMS documents, Stage 1 auditors sample Annex A control evidence to confirm that implementation has started. They do not test operating effectiveness deeply — that is Stage 2 — but they will look at the following high-signal areas.

A.5.1 Policies for information security. Is there a complete policy pack covering access control, cryptography, physical security, supplier relationships, change management, incident response, and backup?

A.5.15–A.5.18 Access control, identity management, authentication information, and access rights. Do access control procedures exist? Is there evidence that access rights reviews are scheduled (even if only one has occurred)?

A.6.3 Awareness, education, and training. Can you show training content and at least some completion records?

A.5.9 Inventory of information and other associated assets, and A.8.1 User endpoint devices. Is there an asset inventory that covers endpoint devices? Are endpoints encrypted and centrally managed?

A.8.5 Secure authentication. Is MFA enforced? Can you produce configuration evidence?

A.8.25–A.8.32 Secure development. Are coding standards, code review requirements, and change management documented?

The Stage 1 auditor will typically sample 5 to 10 Annex A controls across the four 2022 themes: organizational, people, physical, and technological.

Internal Audit and Management Review

Two clauses catch many first-time Stage 1 candidates:

Clause 9.2 Internal audit. You must have conducted at least one internal audit of your ISMS before Stage 1. The internal audit can be performed by an internal resource (if competent and independent of the audited areas) or an external consultant. Missing internal audit is a frequent major finding.

Clause 9.3 Management review. Top management must have conducted at least one documented management review of the ISMS covering the inputs Clause 9.3.2 lists: status of actions from previous reviews; changes in external and internal issues and in the needs and expectations of interested parties; feedback on information security performance (nonconformities and corrective actions, monitoring and measurement results, audit results, fulfilment of objectives); feedback from interested parties; results of risk assessment and status of the risk treatment plan; and opportunities for continual improvement. The minutes must also record the outputs: decisions on continual improvement opportunities and any needed changes to the ISMS.

A defensible minimum: one internal audit covering the full ISMS scope plus one management review meeting with minutes, both completed at least 30 days before Stage 1. Many teams try to compress these into the week before Stage 1 and auditors can tell.

Common Stage 1 Findings

After working with teams through dozens of Stage 1 audits, these are the findings we see most often.

ISMS scope is too vague. The scope statement uses generic language ("all information systems") without defining interfaces or dependencies. Fix: explicitly list in-scope products, business units, and physical locations; describe what connects them to excluded systems.

SoA justifications are thin. The SoA lists included controls but uses one-word justifications ("Required", "Applicable"). Fix: each included control needs a one-to-two sentence justification referencing specific risks or business requirements.

Risk assessment and SoA disagree. A risk identified in the register does not trace to a control in the SoA, or an included control in the SoA does not address any documented risk. Fix: trace every SoA inclusion to a risk and every risk to a treatment.
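One way to run this trace mechanically before the auditor does, as an added example that is not code from the article or from CertifyOps: a Python script that walks a risk register and a Statement of Applicability and reports risks with no treatment decision or no control, risks that point at excluded or unknown controls, included controls that trace to neither a risk nor a stated requirement, thin justifications, and exclusions with no justification. The field names, the word-count threshold, the severity labels, and the sample register and SoA are constructed assumptions; in practice you would export both from your GRC tool as CSV and load them into the same shapes.

```python
"""Traceability check between a risk register and a Statement of Applicability.

Added example, not part of the article. The record shapes below (risk_id,
treatment, controls; included, justification, requirement) are assumptions,
not a standard schema. The sample data is constructed and uses a handful of
real Annex A control identifiers rather than all 93.
"""
from collections import defaultdict

# Stock justifications that say nothing; auditors flag these as thin.
STOCK_JUSTIFICATIONS = {"required", "applicable", "yes", "n/a", "needed", "in scope"}
# Assumed threshold: the article asks for one to two sentences per control.
MIN_JUSTIFICATION_WORDS = 8
# Treatment decisions that must point at at least one control.
TREATMENTS_NEEDING_CONTROLS = {"mitigate", "modify", "reduce"}


def is_thin(justification: str) -> bool:
    """True if a justification is empty, a stock word, or shorter than the threshold."""
    text = justification.strip()
    if not text:
        return True
    if text.lower().rstrip(".") in STOCK_JUSTIFICATIONS:
        return True
    return len(text.split()) < MIN_JUSTIFICATION_WORDS


def check_consistency(risks, soa):
    """Return a list of (severity, message) tuples describing trace breaks.

    risks: list of dicts {risk_id, treatment, controls}
    soa:   dict control_id -> {included, justification, requirement}
    Severity labels mirror the article's major/minor split and are assumptions.
    """
    findings = []
    referenced = defaultdict(list)  # control_id -> risk_ids that cite it

    # Direction 1: every risk has a treatment, and treated risks cite included controls.
    for r in risks:
        treatment = (r.get("treatment") or "").strip().lower()
        controls = r.get("controls") or []
        if not treatment:
            findings.append(("major", f"{r['risk_id']}: no treatment decision recorded"))
        elif treatment in TREATMENTS_NEEDING_CONTROLS and not controls:
            findings.append(("major", f"{r['risk_id']}: treatment is '{treatment}' but no control is referenced"))
        for cid in controls:
            referenced[cid].append(r["risk_id"])
            entry = soa.get(cid)
            if entry is None:
                findings.append(("major", f"{r['risk_id']} references {cid}, which is not in the SoA"))
            elif not entry["included"]:
                findings.append(("major", f"{r['risk_id']} references {cid}, which the SoA excludes"))

    # Direction 2: every SoA row is justified, and inclusions trace to a risk or a requirement.
    for cid, entry in sorted(soa.items()):
        if entry["included"]:
            if cid not in referenced and not entry.get("requirement"):
                findings.append(("minor", f"{cid} is included but traces to no risk and no stated requirement"))
            if is_thin(entry["justification"]):
                findings.append(("minor", f"{cid}: justification is thin ('{entry['justification']}')"))
        elif not entry["justification"].strip():
            findings.append(("major", f"{cid} is excluded without justification"))
    return findings


# Constructed sample data: a small register and SoA seeded with typical defects.
RISKS = [
    {"risk_id": "R-01", "treatment": "mitigate", "controls": ["A.8.5", "A.5.18"]},  # clean
    {"risk_id": "R-02", "treatment": "mitigate", "controls": []},                    # no control
    {"risk_id": "R-03", "treatment": "accept", "controls": []},                      # accepted, fine
    {"risk_id": "R-04", "treatment": "mitigate", "controls": ["A.8.1", "A.7.14"]},  # cites an exclusion
]

SOA = {
    "A.5.18": {"included": True, "justification": "Access rights reviewed quarterly to address R-01 (stale privileged accounts after offboarding).", "requirement": ""},
    "A.8.5": {"included": True, "justification": "Required", "requirement": ""},   # thin
    "A.8.1": {"included": True, "justification": "Laptops hold customer data; full-disk encryption and MDM mitigate device loss (R-04).", "requirement": ""},
    "A.8.24": {"included": True, "justification": "Customer contracts require encryption of data at rest and in transit.", "requirement": "contract"},  # no risk, but a requirement
    "A.8.28": {"included": True, "justification": "Applicable", "requirement": ""},  # thin and untraced
    "A.7.14": {"included": False, "justification": "", "requirement": ""},            # exclusion with no reason
    "A.6.7": {"included": False, "justification": "No remote working: all staff work from the single office in scope.", "requirement": ""},
}


def run_example():
    """Run the check over the constructed data and return the findings."""
    return check_consistency(RISKS, SOA)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

Run it as a pre-audit gate: anything tagged major in the output is the kind of trace break the article describes, and the minor items are the thin justifications the auditor will read aloud back to you.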

Policies are generic templates. The information security policy references procedures or teams that do not exist in your organization. Fix: customize every policy to actual company context. Auditors read policies; they notice template language.

No internal audit performed. Clause 9.2 requires internal audit before certification. Missing it is a major finding every time. Fix: complete one documented internal audit with findings and corrective actions at least 30 days before Stage 1.

Management review not conducted. Similar to internal audit — Clause 9.3 is mandatory and first-time candidates sometimes forget. Fix: hold a management review meeting with minutes covering all clause 9.3 inputs.

Objectives are not measurable. The information security objectives state intentions ("improve security posture") rather than measurable targets ("reduce mean time to patch critical vulnerabilities to under 14 days by Q4"). Fix: rewrite objectives with SMART criteria.

Section-by-Section Stage 1 Checklist

Use this as a final readiness review in the week before Stage 1.

Context of the Organization (Clause 4)

  • Internal and external issues identified and documented
  • Interested parties and their requirements documented
  • ISMS scope statement approved and current
  • ISMS scope includes interfaces and dependencies

Leadership (Clause 5)

  • Information security policy approved by top management
  • Roles, responsibilities, and authorities defined and communicated
  • Leadership has demonstrated commitment through resource allocation

Planning (Clause 6)

  • Risk assessment methodology documented
  • Risk register current with owners and treatment decisions
  • Statement of Applicability complete with justifications
  • Risk treatment plan with deadlines and owners
  • Information security objectives are measurable with owners

Support (Clause 7)

  • Resources allocated to ISMS
  • Competence requirements defined; training records available
  • Awareness program delivered to all in-scope personnel
  • Internal and external communication procedures documented
  • Documented information controlled (version control, approval, distribution)

Operation (Clause 8)

  • Risk assessment results current
  • Risk treatment implemented per plan

Performance Evaluation (Clause 9)

  • Monitoring, measurement, analysis, and evaluation procedures defined
  • Internal audit program planned; at least one audit completed
  • Management review conducted with documented inputs and outputs

Improvement (Clause 10)

  • Nonconformity and corrective action procedure exists
  • Continual improvement evidence (from internal audit findings, management review, etc.)

Annex A Controls (93 total in 2022 version)

  • Each included control has an owner
  • Implementation evidence is available for sampled controls
  • Excluded controls have documented justification in SoA

Preparing the Day Before

The day before Stage 1, do these three things:

Assemble an evidence index. A single document (or dashboard in your GRC platform) listing every ISMS artifact, its owner, its location, and its approval date. Auditors measure your operational maturity in the first 30 minutes by how quickly you can retrieve requested evidence.

Brief your ISMS committee. Whoever will be in the Stage 1 sessions should know the current status of the risk register, top treatment items, and any open internal audit findings. Auditors ask operational questions; they want to see that leadership understands the ISMS, not that someone reads from a policy document.

Prepare a correction log. Have a format ready to capture minor findings and observations in real time. Many teams lose credibility by reacting to findings defensively instead of documenting them and committing to remediation dates.

After Stage 1

The auditor will issue a Stage 1 report within 5 to 15 business days. The report will classify any findings as major, minor, or observation, and will confirm whether you are approved to proceed to Stage 2.

If you have minor findings, you have until Stage 2 to close them (or at least demonstrate a remediation plan). If you have major findings, Stage 2 is blocked until they are closed. For a clean Stage 1, Stage 2 can be scheduled as early as 2 weeks out, though 4 to 6 weeks is more common.

For teams that want a partner through Stage 1 and Stage 2 — including documentation preparation, internal audit, and auditor liaison — reach out to CertifyOps to discuss scope.

For the end-to-end ISO 27001 context, start with our ISO 27001 for B2B SaaS guide.
