ISO 27001 audits: What internal and external audits to prepare for (Stage 1, Stage 2, surveillance)
ISO 27001 certification is not a single exam—it is a series of internal and external audits that prove your ISMS works in practice. Understanding each audit type helps you schedule work, assign owners, and avoid surprises.
Key takeaways
- Internal audits are required by the standard and surface gaps before the certification body arrives.
- Stage 1 reviews ISMS design and documentation; Stage 2 tests operating effectiveness.
- Surveillance audits (typically annual) maintain certification between recertification cycles.
- Strong programs collect evidence continuously, not only in the month before Stage 2.
Types of ISO 27001 audits
| Audit | Who performs it | Primary purpose |
|---|---|---|
| Internal | Your organization (often an independent internal auditor) | Verify ISMS conformance and drive improvement |
| Stage 1 | Accredited certification body | Readiness—scope, SoA, documentation |
| Stage 2 | Certification body | Certify—test controls in operation |
| Surveillance | Certification body | Ongoing assurance between recertification |
| Recertification | Certification body | Renew certificate (usually every 3 years) |
Internal audits
Internal audits evaluate whether your ISMS meets ISO 27001 and your own policies. Expect:
- Audit plan and criteria
- Interviews with process owners
- Sampling of evidence (access reviews, tickets, training)
- Nonconformities and corrective actions
Run internal audits before Stage 2 so you can close major gaps early.
Stage 1 (documentation review)
Stage 1 typically focuses on:
- ISMS scope and boundaries
- Risk assessment and treatment plan
- Statement of Applicability
- Key policies and management commitment
Outcome: readiness feedback and agreement to proceed to Stage 2 (or a list of items to fix first).
Stage 2 (certification audit)
Stage 2 is deeper. Auditors test whether controls are implemented and effective, including:
- Walkthroughs and interviews
- Evidence for Annex A controls in scope
- Corrective actions for findings from Stage 1 or internal audits
A successful Stage 2 leads to ISO 27001 certification, subject to the certification body's decision.
Surveillance and recertification
After certification, expect annual surveillance audits (frequency may vary by body and contract). Surveillance samples parts of the ISMS—it is not a full Stage 2 every year, but slippage can escalate findings.
Recertification (commonly at year three) is a fuller review to renew the certificate.
How to prepare (checklist)
- Confirm scope and SoA are current.
- Complete internal audit and management review.
- Index evidence by control with owners and dates.
- Brief process owners on interviews.
- Track open nonconformities to closure.
See how much ISO 27001 costs for budgeting certification body fees.
Stay audit-ready with SecureSlate
SecureSlate automates control monitoring and evidence collection so internal, surveillance, and recertification audits draw from a living system—not a folder assembled at the last minute.
Disclaimer (legal note)
Audit practices vary by certification body and contract. This article is general guidance, not certification or legal advice.