ISO 27001 Stage 2 Audit: The Certification Audit Explained
Stage 2 is the main certification audit where auditors verify your controls are implemented and operating effectively. This is where the certification decision is made. Typical cost: $5,000 - $60,000.
What Is a Stage 2 Audit?
The Stage 2 audit is the primary certification assessment. While Stage 1 checked whether your ISMS exists on paper, Stage 2 verifies that the system actually works in practice. Auditors interview staff, review evidence of control operation, observe processes, and test technical controls.
Stage 2 is typically conducted on-site (or partially on-site for hybrid arrangements). It results in the auditor's recommendation to the certification body regarding whether to issue the ISO 27001 certificate. The certification body then makes the final decision based on the auditor's report.
This is where the majority of audit cost sits. Stage 2 is typically 2-3 times longer than Stage 1 and requires significantly more auditor engagement with your team.
What Auditors Do During Stage 2
A typical Stage 2 audit follows this schedule. Larger organisations spend more time on department interviews and evidence review.
| Activity | Duration | What Happens |
|---|---|---|
| Opening meeting | 30-60 min | Auditor confirms scope, schedule, and logistics with ISMS team |
| Department interviews | 2-4 hours/dept | Auditor interviews staff across IT, HR, operations, legal to verify awareness and control operation |
| Evidence review | Throughout | Reviewing logs, access records, change management tickets, incident reports, training records |
| Technical verification | 2-4 hours | Checking firewall rules, access controls, backup procedures, encryption configurations |
| Physical security walkthrough | 1-2 hours | Server rooms, clean desk compliance, visitor management, physical access controls |
| Closing meeting | 60-90 min | Auditor presents findings, discusses nonconformities, outlines next steps |
Stage 2 Audit Cost by Company Size
Based on 2026 auditor day rates and the IAF MD 5 mandatory minimum audit durations. Figures are for single-location organisations; multi-site organisations need additional days per location.
| Company Size | Auditor Days | Typical Cost |
|---|---|---|
| Micro (1-10) | 3 - 4 | $5,000 - $10,000 |
| Small (11-50) | 4 - 6 | $8,000 - $18,000 |
| Medium (51-250) | 5 - 8 | $12,000 - $30,000 |
| Large (251-1,000) | 8 - 12 | $20,000 - $45,000 |
| Enterprise (1,000+) | 10 - 15+ | $30,000 - $60,000 |
Top Annex A Control Areas Auditors Focus On
These areas receive the most scrutiny during Stage 2 and are the most common sources of nonconformities.
Access control (A.8.3-8.5)
User access provisioning, privilege management, access reviews. Auditors verify that joiners/movers/leavers processes work and that access reviews are conducted regularly.
Incident management (A.5.24-5.28)
Incident response plan tested and updated, incident log maintained, staff know how to report incidents. Auditors may ask to see the last 3 incident records.
Supplier management (A.5.19-5.22)
Supplier security assessments completed, contracts include security clauses, ongoing monitoring in place. A very common area for nonconformities.
Business continuity (A.5.29-5.30)
BCP documented and tested, disaster recovery tested within last 12 months, results reviewed. Untested plans are a frequent finding.
Cryptography (A.8.24)
Encryption policy exists, data at rest and in transit encrypted, key management procedures documented.
Logging and monitoring (A.8.15-8.16)
Security logs collected, reviewed regularly, alerting configured. Auditors check log review frequency and coverage.
Common Stage 2 Findings
Staff unaware of policies
Employees cannot describe the information security policy or their role in the ISMS when interviewed. This indicates a training gap.
No evidence of control operation
Policies exist on paper but there is no evidence they are followed. For example, an access review policy exists but no access review has been conducted.
Supplier assessments missing
Third-party risk assessments not conducted for key suppliers, or assessments are outdated. This is consistently one of the top 3 nonconformity areas.
Incident response untested
Incident response plan exists but has never been tested via tabletop exercise or simulation. Auditors expect evidence of at least one test per year.
Access reviews not conducted
User access reviews required by policy but no evidence of actual review cycles. Auditors check for documented review dates, approvers, and remediation actions.
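To show what "evidence of actual review cycles" looks like when checked mechanically, here is an added example (not from the original page) that runs a constructed set of access review records against a hypothetical policy of one review per system every 90 days, a named approver on each review, and a recorded remediation action for every flagged account. The cadence, record layout and sample data are all assumptions for illustration.

```python
from datetime import date, timedelta

# Hypothetical policy: review each system at least every 90 days.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed sample evidence: one system, three review records.
SAMPLE_REVIEWS = [
    {"system": "HR-DB", "date": date(2025, 1, 15), "approver": "it.manager",
     "flagged": ["jdoe"], "remediation": {"jdoe": "access revoked 2025-01-16"}},
    {"system": "HR-DB", "date": date(2025, 4, 10), "approver": "it.manager",
     "flagged": ["asmith"], "remediation": {}},        # flagged account, no action recorded
    {"system": "HR-DB", "date": date(2025, 9, 30), "approver": "",
     "flagged": [], "remediation": {}},                 # late review, no approver
]


def check_access_reviews(reviews, audit_date, interval=REVIEW_INTERVAL):
    """Return the gaps an auditor would raise against this review evidence."""
    gaps = []
    by_system = {}
    for r in reviews:
        by_system.setdefault(r["system"], []).append(r)
    for system, recs in by_system.items():
        recs.sort(key=lambda r: r["date"])
        # Cadence: gap between consecutive reviews, and from the last review to audit day.
        checkpoints = [r["date"] for r in recs] + [audit_date]
        for prev, nxt in zip(checkpoints, checkpoints[1:]):
            if nxt - prev > interval:
                gaps.append(f"{system}: {(nxt - prev).days} days between {prev} and "
                            f"{nxt} exceeds {interval.days}-day cadence")
        for r in recs:
            if not r["approver"]:
                gaps.append(f"{system}: review on {r['date']} has no approver")
            # Every flagged account needs a documented remediation action.
            for user in r["flagged"]:
                if user not in r["remediation"]:
                    gaps.append(f"{system}: {user} flagged on {r['date']} "
                                f"with no remediation recorded")
    return gaps


if __name__ == "__main__":
    for gap in check_access_reviews(SAMPLE_REVIEWS, date(2025, 11, 1)):
        print(gap)
```

Running it over the sample records reports the 173-day gap between the April and September reviews, the missing approver on the September review, and the unremediated flagged account.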
Pass/Fail Outcomes
Recommended for Certification
Zero findings or minor observations only. Immediate recommendation to the CB for certificate issuance. Timeline: 2-4 weeks for certificate.
Minor Nonconformities
Most common outcome. 90-day window to implement corrective actions and submit evidence. No re-audit required; auditor reviews evidence remotely.
Major Nonconformities
Certification paused. Corrective action required plus a partial or full re-audit. Adds $2,000-$10,000 in fees and 2-3 months of delay. Occurs in ~5-10% of audits.
First-time pass rate (recommended for certification with at most minor NCs) is approximately 85-90% across the industry. Thorough audit preparation and internal audits significantly improve your odds.
Frequently Asked Questions
What percentage of companies pass the ISO 27001 Stage 2 audit first time?
Industry estimates suggest 85-90% of organisations pass Stage 2 on the first attempt, meaning they receive a recommendation for certification (possibly with minor nonconformities requiring corrective action). Complete failure requiring a full re-audit is rare, occurring in roughly 5-10% of cases, usually due to fundamental implementation gaps.
What happens if you get a major nonconformity in Stage 2?
A major nonconformity pauses the certification decision. You must implement corrective action and provide evidence to the auditor. Depending on the severity, the auditor may accept documented evidence (similar to a minor NC) or require a partial re-audit of the affected area. A re-audit typically adds $2,000-$10,000 in additional audit fees and delays certification by 2-3 months.
How many days is a Stage 2 audit?
Stage 2 duration is determined by IAF MD 5 mandatory minimums based on employee count. For small organisations (11-50 employees), expect 4-6 auditor days. Medium (51-250): 5-8 days. Large (251-1,000): 8-12 days. Enterprise (1,000+): 10-15+ days. Multi-site organisations require additional days per location.
Can the Stage 2 audit be done remotely?
Partially. Most certification bodies allow a portion of Stage 2 to be conducted remotely (typically 30-50%), but require on-site presence for physical security verification, staff interviews, and technical checks. Fully remote Stage 2 audits are accepted by some CBs for organisations with no physical office (e.g. fully remote SaaS companies), but this varies by CB policy.