
Preparing for your ISO 27001 Stage 2 Audit

The biggest question we get after the Stage 1 audit? What do I do now, and how do I know when we’re ready to start Stage 2?

The ISO 27001 certification process is divided into two stages: the Stage 1 audit and the Stage 2 audit. Following the completion of the Stage 1 audit, the organisation prepares for the more extensive Stage 2 audit.

In this blog post, we'll look at how to effectively prepare for the ISO 27001 Stage 2 audit after completing the Stage 1 audit, and how you know when to get the auditors involved!

ISO 27001 Stage 1 Audit: Communication with Auditors

Before getting into Stage 2 preparation, reviewing the Stage 1 audit findings is critical. This preliminary evaluation focuses on the readiness of an organisation’s Information Security Management System (ISMS) for the full certification audit. At this level, auditors assess the ISMS documentation, including policies, procedures, and controls. It also helps the organisation understand the criteria of the standard and confirms that the appropriate foundation has been prepared for the Stage 2 audit.

Understanding the ISO 27001 Stage 2 Audit

The primary objectives of the Stage 2 audit are to validate the organisation's compliance with ISO 27001 criteria, evaluate the effectiveness of controls, and recommend potential areas of improvement.

Unlike the Stage 1 audit, which focuses on documentation, the Stage 2 audit focuses on the implementation and effectiveness of the ISMS. The auditors determine if the organisation's practices are consistent with its policies and procedures.

To determine this, the audit includes management interviews with key stakeholders in the organisation’s ISMS, testing of the ISMS against the ISO 27001 requirements, and testing of all applicable Annex A controls. 

Gap Analysis and Corrective Actions from Stage 1

To strengthen your ISMS, your organisation needs to address the Areas of Concern identified in Stage 1. You might proceed to:

  • Conduct a thorough gap analysis to discover areas that require improvement
  • Determine the importance of these gaps and develop corrective action plans
  • Assign tasks to individuals or teams and establish realistic timeframes for completing essential modifications to the controls
  • Ensure that your corrective actions address the risks and issues identified

Risk Management and Assessment

ISO 27001 depends on effective risk management and assessment. Stage 2 auditors will assess the thoroughness of your risk assessment approach. To assist with this, you should:

  • Review and update your risk assessment process as appropriate
  • Evaluate new risks and adjust your risk management strategies in line with the risks identified

Taking a proactive approach to risk management demonstrates your dedication to protecting information assets.

Implementation of Controls

Within the Stage 1 audit, you would have presented your Statement of Applicability to the auditors, defining the controls that are, and are not, applicable to mitigate your organisation’s information security risks.

Now, with Stage 2 in mind, it’s time to go through and ensure that each of these controls has been implemented, with adequate evidence maintained for the audit.

Training and Awareness

Stage 2 of the audit determines how well your employees understand and follow your information security policies and procedures. Since well-informed employees are critical to the success and compliance of your ISMS, it is important to:

  • Provide extensive information security training to your employees to demonstrate your commitment to information security
  • Develop awareness campaigns highlighting the significance of following security measures and reporting any incidents that occur

Internal Audit

Internal audits and assessments have already been reviewed during Stage 1 to provide insight into the effectiveness of the ISMS and to identify any gaps or non-conformities prior to certification. Internal audits act as key mechanisms for continuous improvement and early identification of issues.

As part of Stage 2, auditors will re-review the internal audit programme to assess its ongoing effectiveness and to confirm that any issues or areas of concern identified during Stage 1 have been appropriately addressed and remediated.

You should:

  • Ensure internal audits are rigorous, objective, performed regularly, and clearly documented
  • Demonstrate that any nonconformities or observations identified during Stage 1 have been appropriately addressed
  • Evidence that corrective actions have been implemented and are effective
  • Incorporate lessons learned into the ISMS through the defined corrective action process

ISMS Management Review

The ISMS management review has already been assessed during Stage 1 to evaluate whether top management is actively involved in reviewing the performance and effectiveness of the ISMS. This review is a key component in ensuring the ongoing suitability, adequacy, and alignment of the ISMS with organisational objectives.

As part of Stage 2, auditors will re-review the management review process to confirm that it is operating effectively and that any outputs, actions, or areas of concern identified during Stage 1 have been appropriately addressed.

You should:

  • Ensure management reviews are conducted at planned intervals and are clearly documented
  • Demonstrate that inputs required by ISO 27001 (e.g. audit results, nonconformities, risks, opportunities, and performance metrics) have been considered
  • Provide evidence that outputs from the Stage 1 management review (e.g. decisions, actions, improvement opportunities) have been addressed
  • Evidence that actions arising from management reviews are tracked, implemented, and effective
  • Ensure continual improvement is driven through management oversight and decision-making

So, am I ready for Stage 2?

The key thing to note is that no two organisations have the same timeline between Stage 1 and Stage 2 audits. The standard itself does not prescribe a specific timeframe either. The only requirement is that you have gone through one “cycle” of your ISMS, and you have implemented the applicable Annex A controls. 

In Summary…

You are ready for ISO 27001 Stage 2 if you have evidence of implementation of each function in the ISMS processes detailed above, and each of the Annex A controls you have deemed applicable.

Preparing for the audit requires thorough planning, careful attention to detail, and a proactive commitment to information security. Organisations must refine their ISMS, correct any identified gaps, and constantly improve their security practices based on the foundation set during the Stage 1 assessment.

The ISO 27001 Stage 2 audit provides a chance to demonstrate your organisation's commitment to information security as well as the ability to build and maintain effective controls. Organisations that adopt ISO 27001 standards and thrive in the Stage 2 audit not only earn certification but also build a security culture that protects their assets and deepens trust with customers.


Let us know if you have any questions on the above, and learn more about our ISO 27001 audits.