ISO 27001 Stage 1 vs Stage 2 Audit: Cost, Duration, and Scope Compared
Stage 1 checks the design. Stage 2 checks the implementation. Together they form the complete ISO 27001 certification audit. Here is how they compare on every dimension that matters for budgeting and planning.
Side-by-Side Comparison
| Dimension | Stage 1 | Stage 2 |
|---|---|---|
| Purpose | Verify ISMS documentation is complete and designed correctly | Verify ISMS controls are implemented and operating effectively |
| What is reviewed | Policies, risk assessment, SoA, treatment plan, internal audit records, management review minutes | Live evidence: access logs, incident records, staff interviews, technical controls, physical security |
| Location | Mostly remote (document review + video calls) | Primarily on-site (30-50% can be remote for some CBs) |
| Typical duration | 1-5 auditor days | 3-15 auditor days (2-3x Stage 1) |
| Typical cost | $1,800 - $25,000 | $5,000 - $60,000 |
| Outcome | Stage 1 report with findings; confirms readiness for Stage 2 | Certification recommendation (or nonconformities requiring resolution) |
| Common findings | Incomplete SoA, missing management review, scope too vague | Staff unaware of policies, untested incident response, missing supplier assessments |
| Fail consequence | Stage 2 postponed until gaps closed (delays, not extra cost) | Minor NCs: 90-day corrective window. Major NCs: re-audit required ($2k-$10k extra) |
Typical Timeline Between Stages
The gap between Stage 1 and Stage 2 is typically 4-12 weeks. This period is used to address any findings from Stage 1, finalise control implementations, and ensure the team is ready for the on-site assessment.
| Gap | Scenario |
|---|---|
| 2-4 weeks | Minimum gap (no significant Stage 1 findings) |
| 4-12 weeks | Typical gap (minor findings to address) |
| 3-6 months | Extended gap (major documentation gaps) |
Cost Comparison by Company Size
Stage 2 is consistently 2-3x the cost of Stage 1 across all company sizes.
| Company Size | Stage 1 Cost | Stage 2 Cost | Ratio |
|---|---|---|---|
| Micro (1-10) | $1,800 - $3,500 | $5,000 - $10,000 | 2.5-3x |
| Small (11-50) | $3,000 - $6,000 | $8,000 - $18,000 | 2.5-3x |
| Medium (51-250) | $5,000 - $12,000 | $12,000 - $30,000 | 2-2.5x |
| Large (251-1,000) | $8,000 - $18,000 | $20,000 - $45,000 | 2-2.5x |
| Enterprise (1,000+) | $12,000 - $25,000 | $30,000 - $60,000 | 2-2.5x |
The Fundamental Difference
Stage 1: Design
Does the ISMS exist on paper? Are the policies complete? Is the risk assessment methodology sound? Is the Statement of Applicability properly justified? Stage 1 answers: "Is the system designed to meet ISO 27001?"
Stage 2: Effectiveness
Do the controls actually work? Do employees follow the policies? Is there evidence of ongoing operation? Are incidents detected and responded to? Stage 2 answers: "Does the system work in practice?"
Frequently Asked Questions
Is Stage 1 easier than Stage 2?
Yes, Stage 1 is generally considered easier because it is a documentation review rather than a live implementation check. However, Stage 1 can reveal fundamental design problems that are costly to fix. A thorough Stage 1 with few findings is a strong predictor of Stage 2 success.
Can you skip Stage 1?
No. Stage 1 is a mandatory part of the ISO 27001 certification process defined in ISO 17021. No accredited certification body can skip Stage 1. However, if you are transferring from another CB (already certified), the transfer audit may combine elements of Stage 1 and Stage 2.
Do you need the same auditor for Stage 1 and Stage 2?
Not necessarily, but it is common and often beneficial. Having the same auditor provides continuity; they are already familiar with your ISMS documentation and can focus Stage 2 on verification rather than re-learning your setup. If you request a different auditor, the CB will typically accommodate this.