The assessments
The ISO 27001 audit process, start to finish
Certification is a two-stage audit by your certification body, then annual surveillance for the life of the certificate. We sit in these audits with clients for a living; this is what actually happens in the room.
Stage 1: the documentation review
The auditor reads your ISMS: scope, risk assessment, Statement of Applicability, mandatory documents and internal audit results. The output is a readiness verdict and a findings list. Treat Stage 1 as a diagnostic, not a formality; a clean Stage 1 makes Stage 2 boring, which is the goal.
Stage 2: the implementation audit
Weeks later, the auditor tests whether the system on paper is the system in practice: interviews across departments, evidence sampling, records of access reviews, incidents, supplier checks and training. Nonconformities are graded minor or major; majors block certification until fixed and verified.
Years two and three: surveillance
Annual, shorter audits sampling parts of the ISMS, always including internal audit, management review and corrective actions. Surveillance is where neglected systems get caught, and where well-run ones barely notice the visit.
Year three: recertification
A fuller reassessment before the certificate's three year cycle restarts. If the ISMS has been genuinely maintained, recertification is a heavier surveillance; if not, it is a rebuild under deadline.
Inside the room
What auditors actually ask for
Auditors are not hunting for perfection; they are testing whether the management system is real. The requests below come up in nearly every Stage 2 we support, and none of them can be produced convincingly in the week before the audit.
The one that catches organisations out most is the clause 9.2 internal audit: it must be done, be independent, and be done before Stage 2, and your certification body is not allowed to do it for you.
The standing request list
- Your scope document, risk assessment and Statement of Applicability, current and consistent with each other
- Evidence that controls run routinely: access reviews with dates, incident records, supplier assessments, training logs
- The clause 9.2 internal audit report and what you did about its findings
- Management review minutes showing leadership actually engages with the ISMS
- People who can answer questions without a minder: auditors interview staff, not just the project team
Quick answers
Audit questions, answered
How long is the gap between Stage 1 and Stage 2?
Typically a few weeks to a couple of months, agreed with your certification body. Long enough to close Stage 1 findings, short enough that the evidence stays current. We plan the gap deliberately rather than letting the CB's diary decide it.
What happens if the audit finds nonconformities?
Minor nonconformities are normal: you agree a corrective action plan and certification proceeds. Major nonconformities pause certification until the issue is fixed and verified, which usually means extra auditor time at extra cost. The readiness work exists to make majors a non-event.
Who carries out the certification audit?
A certification body, and for a certificate UK enterprise customers will accept, one accredited by UKAS. We are not a certification body: we prepare you, sit with you through the audit stages, and stay deliberately independent of whoever you choose to assess you.
How much does the audit cost?
It is priced in auditor days against ISO 27006 minimums: around £1,250 a day at 2026 UK rates, giving a floor of roughly £6,250 for the smallest organisations and rising with headcount. Full figures, including surveillance costs, are on the cost page.
Audit booked, or dreading booking it?
Walk into Stage 1 already knowing the verdict
Our readiness work runs the auditor's checks before the auditor does. A free 45 minute scoping call maps what yours will involve.