
ISO 27001 External Audits: What to Expect

External audits are the final step in achieving ISO 27001 certification. Understanding what auditors look for and how the process works helps you prepare effectively and approach audits with confidence.

Key Takeaways

| Point | Summary |
|---|---|
| Two-stage process | Stage 1 (documentation review) + Stage 2 (implementation verification) |
| Typical duration | Stage 1: 1 day; Stage 2: 2-5 days (varies by organization size) |
| Auditor approach | Sampling-based; auditors verify representative evidence, not everything |
| Outcome options | Certification recommended, minor nonconformities, major nonconformities |
| After certification | Annual surveillance audits + recertification every 3 years |

Quick Answer: ISO 27001 certification involves two audit stages. Stage 1 reviews your documentation for completeness. Stage 2 verifies your controls are actually implemented. Most organizations receive certification with minor findings that are easily addressed. Preparation is key—a thorough internal audit beforehand catches most issues.

The Two-Stage Audit Process

Why Two Stages?

The two-stage audit ensures organizations are genuinely ready before the full certification audit. It's designed to:

  • Confirm documentation is complete before detailed review
  • Identify major gaps that would prevent certification
  • Allow time to address issues between stages
  • Make Stage 2 more efficient and focused

Stage 1: Documentation Review

Purpose: Verify that your ISMS documentation is complete and you're ready for Stage 2.

What auditors review:

  • ISMS scope and context documentation
  • Information security policy
  • Risk assessment methodology and results
  • Statement of Applicability (SoA)
  • Risk treatment plan
  • Internal audit results
  • Management review records

Typical duration: 1 day for smaller organizations; 2-3 days for larger organizations.

Outcomes:

  • Ready for Stage 2 (with or without minor observations)
  • Not ready for Stage 2 (significant gaps identified)

Gap between Stage 1 and Stage 2: Typically 2-4 weeks, allowing time to address any issues identified.

Stage 2: Implementation Verification

Purpose: Verify that your documented controls are actually implemented and effective.

What auditors do:

  • Review evidence of control implementation
  • Conduct interviews with staff
  • Test controls through sampling
  • Verify processes match documentation
  • Assess effectiveness of the ISMS

Typical duration: 2-3 days for smaller organizations; 4-5 days for larger organizations.

Methods used:

  • Document review
  • Interviews with various roles
  • System demonstrations
  • Evidence sampling
  • Process observation

What Auditors Look For

Core ISMS Requirements

| Clause | What Auditors Verify |
|---|---|
| 4. Context | Scope defined, interested parties identified |
| 5. Leadership | Management commitment, policy approved |
| 6. Planning | Risk assessment complete, objectives set |
| 7. Support | Resources, competence, awareness, communication |
| 8. Operation | Controls implemented, processes followed |
| 9. Evaluation | Monitoring, internal audit, management review |
| 10. Improvement | Nonconformities addressed, continual improvement |

Control Verification

Auditors verify Annex A controls through sampling:

| Control Area | Example Evidence Reviewed |
|---|---|
| Access control | User access lists, privilege reviews, MFA configuration |
| Change management | Change tickets, approval records, testing evidence |
| Incident response | Incident records, response procedures, lessons learned |
| Security awareness | Training records, completion rates, content |
| Vendor management | Vendor assessments, contracts, monitoring records |
| Physical security | Access logs, visitor procedures, facility controls |

Key Documents Auditors Request

| Document | Purpose |
|---|---|
| Information security policy | Foundation of the ISMS |
| Risk assessment | Understanding of threats and risks |
| Statement of Applicability | Control selection rationale |
| Risk treatment plan | How risks are being addressed |
| Internal audit report | Self-assessment results |
| Management review minutes | Leadership engagement evidence |
| Policies and procedures | Documented controls |
| Evidence of control operation | Proof controls are working |

Audit Findings Explained

Types of Findings

| Finding Type | Definition | Impact |
|---|---|---|
| Major Nonconformity | Significant failure to meet a requirement | Prevents certification until resolved |
| Minor Nonconformity | Isolated issue that doesn't undermine the ISMS | Certification can proceed; must be resolved by the surveillance audit |
| Observation | Area for potential improvement | No action required; for consideration |
| Opportunity for Improvement | Suggestion for enhancement | No action required |

Examples of Each

Major Nonconformity Examples:

  • No risk assessment conducted
  • Statement of Applicability missing
  • No internal audit performed
  • Management review not completed
  • Critical security control not implemented

Minor Nonconformity Examples:

  • Access review not completed for one quarter
  • Single policy document missing approval date
  • Training records incomplete for 2-3 employees
  • Evidence of one control partially missing

Observation Examples:

  • Risk assessment could include more detail
  • Security metrics could be more comprehensive
  • Documentation format could be standardized

Addressing Nonconformities

For Major Nonconformities:

  • Must be resolved before certification
  • Requires additional evidence submission
  • May require follow-up audit visit
  • Timeline: typically 4-12 weeks

For Minor Nonconformities:

  • Can receive certification with minor findings
  • Must resolve before next surveillance audit
  • Submit evidence of resolution
  • Timeline: typically within 90 days or by surveillance audit

Interview Expectations

Who Gets Interviewed

| Role | Topics Covered |
|---|---|
| Management/Executive | Commitment, policy, resources, risk appetite |
| ISMS Owner/Manager | ISMS operation, risk assessment, controls |
| IT/Security | Technical controls, monitoring, incident response |
| HR | People controls, screening, training, termination |
| Operations | Business processes, change management |
| General staff | Awareness, policy understanding, procedures |

Common Interview Questions

For Management:

  • How is information security prioritized?
  • What resources are allocated to security?
  • How are you kept informed about security status?

For Security/IT:

  • Walk me through your access provisioning process
  • How do you handle security incidents?
  • Show me evidence of recent vulnerability management

For Staff:

  • What would you do if you suspected a security incident?
  • What security training have you received?
  • How do you protect sensitive information?

Interview Tips

  • Answer honestly; auditors appreciate candor
  • If you don't know, say so and offer to find out
  • Demonstrate practical understanding, not just policy recitation
  • Have evidence ready to support your answers
  • Ask for clarification if questions are unclear

Audit Preparation Best Practices

Pre-Audit Checklist

Documentation:

  • All required documents complete and current
  • Version control and approval dates in place
  • Documents accessible and organized
  • Statement of Applicability accurate

Evidence:

  • Evidence collected for all applicable controls
  • Evidence covers the relevant time period
  • Evidence is organized and accessible
  • Gaps identified and addressed

People:

  • Key personnel available during audit
  • Staff briefed on audit process
  • Interview questions practiced
  • Roles and responsibilities clear

Technical:

  • Systems accessible for demonstration
  • Screen sharing/remote access working
  • Configuration evidence prepared
  • Security tools ready to demonstrate

Common Audit Pitfalls

| Pitfall | How to Avoid |
|---|---|
| Missing evidence | Collect evidence before the audit |
| Outdated documentation | Review and update all docs beforehand |
| Staff unaware of policies | Conduct awareness training |
| No internal audit | Complete internal audit 4-6 weeks prior |
| Management review missing | Schedule review before audit |
| Technical issues | Test systems and access beforehand |

After the Audit

Receiving Your Certificate

After successful Stage 2:

  1. Auditor submits report to certification body
  2. Technical review by certification body
  3. Minor nonconformity evidence submitted (if any)
  4. Certificate issued
  5. Listed in certification body's registry

Timeline: Typically 2-4 weeks after Stage 2 (assuming no major nonconformities).

Surveillance Audits (Years 2-3)

Annual surveillance audits maintain certification:

| Aspect | Surveillance Audit |
|---|---|
| Duration | 1-2 days (50-70% of initial) |
| Focus | Changes since last audit, sample of controls |
| Scope | Partial ISMS coverage (different areas each year) |
| Outcome | Continued certification or findings |

Recertification (Year 4)

Full recertification audit every three years:

| Aspect | Recertification Audit |
|---|---|
| Duration | Similar to initial certification |
| Focus | Full ISMS coverage |
| Scope | Complete review of all requirements |
| Outcome | New 3-year certificate |

Choosing a Certification Body

What to Consider

| Factor | Consideration |
|---|---|
| Accreditation | Must be accredited by a recognized body (UKAS, ANAB, etc.) |
| Experience | Familiarity with your industry and size |
| Availability | Timeline alignment with your needs |
| Cost | Competitive pricing for similar scope |
| Reputation | Customer references and reviews |
| Approach | Collaborative vs. adversarial style |

Accreditation Bodies

Ensure your certification body is accredited by a recognized accreditation body:

  • UKAS (UK)
  • ANAB (US)
  • DAkkS (Germany)
  • COFRAC (France)
  • Other national accreditation bodies

Common Questions

Can audits be conducted remotely?

Yes. Remote audits have become common, especially for cloud-native organizations. Some certification bodies may prefer one on-site day for Stage 2, but fully remote audits are increasingly accepted.

How much notice do we get before audits?

You typically schedule audits 4-8 weeks in advance for initial certification. Surveillance audits are scheduled annually during your certification cycle.

What happens if we fail?

Major nonconformities prevent certification until resolved. You'll have the opportunity to address findings and submit evidence or undergo a follow-up audit. Failing outright is rare with proper preparation.

Can we change certification bodies?

Yes, through a "transfer audit." The new certification body reviews your existing certification and conducts an audit to take over. It adds some friction but is possible.

Working with Bastion

We help organizations prepare for and navigate external audits:

| Support Area | What We Provide |
|---|---|
| Pre-audit review | Identify and address gaps before the audit |
| Evidence preparation | Organize documentation and evidence |
| Audit coordination | Schedule and manage auditor logistics |
| Interview preparation | Brief team members on audit expectations |
| Finding resolution | Help address any nonconformities |
| Ongoing support | Prepare for surveillance audits |
