ISO 27001 audits: What internal and external audits to prepare for (Stage 1, Stage 2, surveillance)

by SecureSlate Team in ISO 27001

ISO 27001 certification is not a single exam. It is a sequence of internal and external audits that prove your ISMS works in practice, not only on paper. Knowing what each audit looks for lets you schedule the work, assign owners, and avoid surprises when the certification body arrives.

Key takeaways

  • Internal audits are required by the standard and surface gaps before the certification body arrives.
  • Stage 1 reviews ISMS design and documentation; Stage 2 tests operating effectiveness.
  • Surveillance audits (typically annual) maintain certification between recertification cycles.
  • Strong programs collect evidence continuously, not only in the month before Stage 2.

Types of ISO 27001 audits

Audit            Who performs it                                            Primary purpose
Internal         Your organization (auditor independent of the area audited) Verify ISMS conformance and drive improvement
Stage 1          Accredited certification body                              Readiness: scope, SoA, documentation
Stage 2          Certification body                                         Certify: test controls in operation
Surveillance     Certification body                                         Ongoing assurance between recertifications
Recertification  Certification body                                         Renew the certificate (usually every 3 years)

Internal audits

Internal audits evaluate whether your ISMS meets ISO 27001 and your own policies. Clause 9.2 requires them at planned intervals, performed by auditors who are objective and impartial with respect to the area they review (a team should not audit its own work). Expect:

  • Audit plan and criteria
  • Interviews with process owners
  • Sampling of evidence (access reviews, tickets, training)
  • Nonconformities and corrective actions

Run internal audits before Stage 2 so you can close major gaps early.


Stage 1 (documentation review)

Stage 1 typically focuses on:

  • ISMS scope and boundaries
  • Risk assessment and treatment plan
  • Statement of Applicability
  • Key policies and management commitment
  • Evidence that internal audits and management review have been planned and performed
  • Logistics and planning for Stage 2 (sites, sampling, time allocation)

Outcome: readiness feedback and agreement to proceed to Stage 2 (or list of items to fix first).


Stage 2 (certification audit)

Stage 2 is deeper. Auditors test whether controls are implemented and effective, including:

  • Walkthroughs and interviews
  • Evidence for Annex A controls in scope
  • Corrective action from Stage 1 or internal audits

A successful Stage 2 leads to ISO 27001 certification, subject to the certification body's independent decision. A major nonconformity (for example, a required control absent or a systemic failure) must be corrected and the correction verified before the certificate can be issued; minor nonconformities normally require an accepted corrective action plan that is checked at the next visit.


Surveillance and recertification

After certification, expect annual surveillance audits (frequency may vary by certification body and contract). Surveillance samples parts of the ISMS rather than repeating a full Stage 2 every year, but slippage is visible: an internal audit or management review that was skipped, or a corrective action left open, can escalate into a major nonconformity, and an unresolved major can lead to suspension of the certificate.

Recertification (commonly at year three) is a fuller review to renew the certificate.


How to prepare (checklist)

  1. Confirm scope and SoA are current.
  2. Complete internal audit and management review.
  3. Index evidence by control with owners and dates.
  4. Brief process owners on interviews.
  5. Track open nonconformities to closure.
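Steps 3 and 5 of the checklist are easiest to keep honest with a small script that runs over the evidence index and reports what an auditor would sample for. The following is an added example written for this article, not SecureSlate code and not part of the standard. It assumes a register of artifacts keyed by the control ID used in the SoA (the IDs follow ISO 27001:2022 Annex A numbering, but the set of applicable controls, the owners, dates and a 90-day freshness window are all constructed for illustration; choose the window from your own control frequencies).

```python
"""Evidence-index gap check for ISO 27001 audit preparation (added example).

Flags what a certification body would notice when sampling the index:
applicable controls with no evidence, controls whose newest evidence is
stale, artifacts with no accountable owner, and artifacts mapped to a
control the SoA does not declare applicable.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    """One artifact in the evidence index."""
    control: str       # control ID as written in the Statement of Applicability
    description: str
    owner: str         # person or team accountable; empty string means unassigned
    collected: date    # when the artifact was captured


# Constructed sample: controls the SoA declares applicable. The IDs use the
# ISO 27001:2022 Annex A numbering, but this set is illustrative only.
SOA_APPLICABLE = {"A.5.15", "A.5.18", "A.6.3", "A.8.8"}

# Constructed sample register (assumed data, not from any real ISMS).
SAMPLE_EVIDENCE = [
    Evidence("A.5.15", "Q2 access review sign-off", "it-ops", date(2025, 5, 10)),
    Evidence("A.5.15", "Q1 access review sign-off", "it-ops", date(2025, 2, 8)),
    Evidence("A.5.18", "Joiner/leaver ticket sample", "", date(2025, 4, 20)),
    Evidence("A.6.3", "Annual training completion export", "people-ops", date(2025, 1, 15)),
    Evidence("A.7.4", "Badge reader log extract", "facilities", date(2025, 5, 28)),
]


def find_gaps(evidence, applicable, as_of, max_age_days=90):
    """Return the gaps in an evidence index as of a given date.

    missing  - applicable controls with no evidence at all
    stale    - controls whose newest evidence is older than max_age_days
    unowned  - in-scope artifacts with no accountable owner
    unmapped - artifacts tied to a control the SoA does not declare applicable
    """
    cutoff = as_of - timedelta(days=max_age_days)
    newest = {}                      # control -> date of its newest artifact
    unowned, unmapped = [], []
    for item in evidence:
        if item.control not in applicable:
            # Either the SoA is out of date or the artifact is mis-filed;
            # both are worth fixing before Stage 1 reviews the SoA.
            unmapped.append((item.control, item.description))
            continue
        if not item.owner:
            unowned.append((item.control, item.description))
        prev = newest.get(item.control)
        if prev is None or item.collected > prev:
            newest[item.control] = item.collected
    # Staleness is judged on the newest artifact per control, so an old
    # artifact sitting beside a fresh one does not raise a false alarm.
    missing = sorted(applicable - set(newest))
    stale = sorted(c for c, d in newest.items() if d < cutoff)
    return {
        "missing": missing,
        "stale": stale,
        "unowned": sorted(unowned),
        "unmapped": sorted(unmapped),
    }


def demo_gaps():
    """Run the check over the constructed sample as of 2025-06-01."""
    return find_gaps(SAMPLE_EVIDENCE, SOA_APPLICABLE, date(2025, 6, 1))


if __name__ == "__main__":
    for kind, items in demo_gaps().items():
        print(f"{kind}: {items}")
```

Run it before each internal audit and again before every surveillance visit: an empty report is the "living system" the standard expects, while a non-empty one is the list of owners to chase. Tie `max_age_days` to each control's operating frequency if quarterly and annual activities live in the same index.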

See how much ISO 27001 costs for budgeting certification body fees.


Stay audit-ready with SecureSlate

SecureSlate automates control monitoring and evidence collection so internal, surveillance, and recertification audits draw from a living system—not a folder assembled at the last minute.



Disclaimer (legal note)

Audit practices vary by certification body and contract. This article is general guidance, not certification or legal advice.

Need compliance without the complexity?

SecureSlate automates ISO 27001, SOC 2, GDPR, HIPAA, and more. Built for growing teams. See it in action.


Filed under: ISO 27001

Author: SecureSlate Team
