ISO 27001 Stage 1 Audit: What Happens, What It Costs, How to Pass
The Stage 1 audit is the documentation review that confirms your ISMS is designed correctly before the Stage 2 verifies it actually works. Typical cost: $1,800 - $25,000 depending on company size.
What Is a Stage 1 Audit?
The Stage 1 audit is the first of two external audit stages in the ISO 27001 certification process. Its purpose is to evaluate whether your Information Security Management System (ISMS) documentation is complete, appropriate, and designed to meet the requirements of ISO 27001:2022.
Think of Stage 1 as the "paper check". The auditor is not yet verifying that controls work in practice. They are verifying that the system exists on paper, that it is logically sound, and that it addresses the requirements of the standard. Stage 1 confirms your organisation is ready for the main certification audit (Stage 2).
Stage 1 is typically conducted remotely, which reduces cost by 20-30% compared to on-site visits. The auditor reviews documents shared via secure file transfer or your GRC platform, and conducts interviews with key personnel via video call.
What the Auditor Reviews in Stage 1
These are the documents and records that must be ready before Stage 1 begins, and what the auditor looks for in each.
| Document | What the Auditor Checks |
|---|---|
| ISMS scope statement | Defines what is covered by the certificate |
| Information security policy | Top-level policy signed by senior management |
| Risk assessment methodology | How you identify, analyse, and evaluate risks |
| Risk assessment results | The actual risk register with scores and owners |
| Statement of Applicability (SoA) | All 93 Annex A controls with justification for inclusion/exclusion |
| Risk treatment plan | How each unacceptable risk will be addressed |
| Internal audit programme | Schedule and records of internal audits conducted |
| Management review minutes | Evidence that senior management reviews the ISMS |
| Roles and responsibilities | Who does what in the ISMS, including information security officer |
Stage 1 Audit Cost by Company Size
Based on 2026 auditor day rates of $1,400-$2,000/day and IAF MD 5 mandatory minimum days.
| Company Size | Auditor Days | Typical Cost |
|---|---|---|
| Micro (1-10) | 1 - 1.5 | $1,800 - $3,500 |
| Small (11-50) | 1.5 - 2 | $3,000 - $6,000 |
| Medium (51-250) | 2 - 3 | $5,000 - $12,000 |
| Large (251-1,000) | 3 - 4 | $8,000 - $18,000 |
| Enterprise (1,000+) | 4 - 5+ | $12,000 - $25,000 |
Common Stage 1 Findings
The top issues auditors raise during Stage 1, based on practitioner experience and certification body (CB) data.
- Incomplete SoA justifications (very common): Controls excluded without documented rationale, or justifications that are generic rather than risk-based. Every exclusion needs a specific reason tied to your risk assessment.
- Risk assessment not linked to controls (common): The risk register exists but does not map risks to specific Annex A controls. Auditors need to trace from risk to treatment to control selection.
- Missing management review evidence (common): No minutes or records showing senior management reviewed ISMS performance. A brief agenda is not sufficient; specific decisions and actions must be documented.
- Scope too vague (moderate): A scope statement that says "all IT systems" without defining boundaries, locations, departments, or exclusions. Auditors need a precise, auditable scope.
- Missing or outdated internal audit records (moderate): Internal audit not conducted, or records from more than 12 months ago. The internal audit must be recent and cover the planned scope.
What Happens After Stage 1
The auditor produces a Stage 1 report listing any findings. These typically fall into three categories: observations (suggestions for improvement), minor gaps (must be addressed but do not block Stage 2), and major gaps (must be resolved before Stage 2 can proceed).
Most organisations receive 3-8 findings from Stage 1. The typical gap between Stage 1 and Stage 2 is 4-12 weeks, giving you time to close any issues. If Stage 1 reveals fundamental problems (e.g. no risk assessment exists), the gap may extend to 3-6 months.
The Stage 1 auditor will also confirm the Stage 2 audit plan, including the dates, on-site requirements, and which departments and personnel will be interviewed.
Remote vs On-Site Stage 1
Remote Stage 1
- 20-30% cheaper (no travel expenses, reduced day rate)
- Faster scheduling (no travel coordination)
- Now the default at most CBs
- Documents shared via secure platform
- Interviews via video call
On-Site Stage 1
- Required by some CBs for larger organisations
- Allows auditor to assess physical security early
- Better for organisations with complex facilities
- Adds $500-$3,000 in travel expenses
- May reduce Stage 2 time (auditor already familiar)
Frequently Asked Questions
Can you fail the ISO 27001 Stage 1 audit?
Technically, Stage 1 does not result in a pass or fail decision. However, the auditor can identify major gaps that must be resolved before Stage 2 can proceed. If the documentation is fundamentally incomplete, the auditor will recommend postponing Stage 2 until the gaps are closed, which effectively delays certification and adds cost.
How long does a Stage 1 audit take?
Stage 1 typically takes 1-5 auditor days depending on organisation size. For a small company (under 50 employees), expect 1-2 days. For medium organisations (51-250), 2-3 days. For large organisations (251-1,000+), 3-5 days. These are IAF-mandated minimums and cannot be shortened.
Is the Stage 1 audit always done off-site?
Stage 1 is primarily a documentation review and can be conducted entirely remotely. Most certification bodies now offer remote Stage 1 as the default option. However, some CBs prefer a short on-site visit to assess physical security arrangements and meet key ISMS personnel, particularly for larger organisations.
How long between Stage 1 and Stage 2?
The typical gap is 4-12 weeks. This gives the organisation time to address any findings from Stage 1 before the Stage 2 audit begins. If no significant findings are raised, the gap can be as short as 2-4 weeks. However, if major documentation gaps exist, it could extend to 3-6 months.
How much does a Stage 1 audit cost?
Stage 1 audit costs range from $1,800 to $25,000 depending on company size and certification body. For a small company (11-50 employees), expect $3,000-$6,000. For medium organisations (51-250), $5,000-$12,000. Remote Stage 1 audits are typically 20-30% cheaper than on-site.