Stage 1: The First Test

Introduction

Stage 1 is your first formal encounter with your certification auditor. Think of it as a "pre-flight check" before the main certification audit (Stage 2). It's designed to answer one critical question:

"Is this organization ready for the Stage 2 certification audit?"

While Stage 1 is less intense than Stage 2, it's far from a formality. A poorly executed Stage 1 can:

Delay your certification timeline by months
Reveal major gaps that require extensive rework
Damage confidence in your ISMS
Increase costs through additional preparation time

Conversely, a successful Stage 1:

Builds confidence across the organization
Provides valuable feedback for final improvements
Creates a positive relationship with your auditor
Sets you up for smooth Stage 2 success

This lesson gives you everything you need to prepare for and excel at your Stage 1 audit.

What is Stage 1 Audit?

Primary Purpose

Stage 1 has four main objectives:

Document Review
- Verify that all required ISMS documentation exists
- Assess if documentation meets ISO 27001 requirements
- Confirm scope and boundaries are clearly defined
Understanding Your Context
- Review your organization's context and risk environment
- Understand your business, processes, and technology
- Assess if the scope is appropriate
Readiness Assessment
- Determine if you're ready for Stage 2
- Identify any major gaps that must be addressed
- Verify that the ISMS has been operational
Stage 2 Planning
- Plan the approach for Stage 2 audit
- Identify key processes and controls to examine
- Determine Stage 2 audit schedule and resource needs

Duration

Stage 1 duration varies based on organization size:

Organization Size	Typical Stage 1 Duration
1-5 employees	0.5 - 1 day
6-25 employees	1 - 1.5 days
26-65 employees	1.5 - 2 days
66-125 employees	2 - 2.5 days
126-275 employees	2.5 - 3 days
276-625 employees	3 - 4 days
625-1175 employees	4 - 5 days

Note: These are guidelines from IAF MD 5. Your certification body may adjust based on:

Complexity of operations
Number of locations
Technology environment
Industry regulatory requirements
Maturity of your ISMS

Location

Stage 1 can typically be conducted:

On-site at your main location
Remotely via video conference (increasingly common post-COVID)
Hybrid with some remote and some on-site activities

Remote Stage 1 Requirements:

Reliable video conferencing capability
Ability to share screens and documents electronically
Virtual access to key personnel
Document sharing platform or portal

Stage 1 Outcome

Stage 1 results in one of these outcomes:

1. Ready for Stage 2 ✓

All required documentation in place
ISMS has been operational long enough
No major gaps identified
Stage 2 can proceed as planned

2. Ready for Stage 2 with Minor Issues ⚠️

Documentation substantially complete
Some minor gaps or areas for improvement noted
Issues can be addressed before or during Stage 2
Stage 2 proceeds, but focus areas identified

3. Not Ready for Stage 2 ✗

Major documentation gaps
ISMS not operational long enough
Significant issues that must be addressed first
Stage 2 must be rescheduled (typically 1-3 months later)

Stage 1 Audit Process Timeline

Typical Stage 1 Day Schedule

For a 1-day Stage 1 Audit:

8:00 AM - 8:30 AM: Opening Meeting

Introductions and auditor credentials
Audit scope and objectives confirmation
Schedule review and logistics
Ground rules and communication

8:30 AM - 10:30 AM: Document Review Session 1

Core ISMS documents (Clauses 4-6)
Scope, policy, context analysis
Risk assessment and risk treatment plan

10:30 AM - 10:45 AM: Break

10:45 AM - 12:30 PM: Document Review Session 2

Supporting documentation (Clauses 7-8)
Policies and procedures
Statement of Applicability review

12:30 PM - 1:30 PM: Lunch Break

1:30 PM - 3:00 PM: Process Interviews

IT Manager/CISO
Key process owners
Understanding implementation status

3:00 PM - 3:15 PM: Break

3:15 PM - 4:15 PM: Site Tour (if on-site)

Physical security observations
Technology environment walkthrough
Operational process review

4:15 PM - 5:00 PM: Auditor Review Time

Auditor analyzes findings
Prepares closing meeting presentation
You can use this time to prepare questions

5:00 PM - 5:45 PM: Closing Meeting

Audit findings presentation
Discussion of gaps or concerns
Stage 2 readiness determination
Next steps and Stage 2 planning

5:45 PM - 6:00 PM: Administrative Closeout

Sign audit records
Confirm follow-up actions
Schedule Stage 2

Before the Audit: Preparation Checklist

4 Weeks Before Stage 1

Documentation Preparation:

Compile all ISMS documents in one location
Create a document index/register
Ensure all documents are current (latest versions)
Remove draft or obsolete documents
Organize documents by ISO 27001 clause
Prepare electronic copies if audit is remote

Evidence Gathering:

Collect evidence of ISMS operation:
- Risk assessment records (at least one cycle complete)
- Management review minutes (at least one completed)
- Internal audit report (at least one completed)
- Training records
- Incident records
- Access review records
- Backup test records
- Vulnerability scan results

Team Preparation:

Identify who will participate in the audit
Brief all participants on their roles
Schedule all participants' availability
Prepare process owners for interviews

Logistics:

Confirm audit date and time
Book meeting rooms (or video conference links)
Arrange for refreshments (if on-site)
Prepare guest Wi-Fi access
Test video conferencing technology (if remote)

2 Weeks Before Stage 1

Document Review:

Conduct final review of all documentation
Fix any obvious gaps or errors
Ensure document version control is clear
Create document cross-reference matrix

Mock Exercise:

Conduct internal mock Stage 1 review
Ask internal audit team to review documents
Practice explaining ISMS to outsider
Identify and fix any issues found

Stakeholder Preparation:

Brief executive management on Stage 1
Send calendar invites to all participants
Share Stage 1 agenda with team
Distribute auditor background information

1 Week Before Stage 1

Final Checks:

Confirm auditor arrival details
Reconfirm participant availability
Ensure all requested documents are accessible
Prepare the audit room/virtual meeting space

Document Pre-Submission:

Many certification bodies request documents in advance:

Submit requested documents by deadline
Organize in clear folder structure
Include document index
Ensure all links/references work

Team Final Brief:

Hold 30-minute team alignment meeting
Review audit schedule
Clarify everyone's roles
Address any last questions or concerns
Set expectations and confidence building

Day Before Stage 1

Final Preparation:

Set up audit room with required materials
Test all technology (especially for remote audits)
Print any needed documents
Prepare name cards/badges
Confirm catering/refreshments
Do a final document spot check

Mental Preparation:

Review your ISMS highlights and accomplishments
Get a good night's sleep
Remember: Stage 1 is about readiness, not perfection
Maintain confidence in your preparation

Opening Meeting: Setting the Tone

What Happens in the Opening Meeting

The opening meeting typically lasts 15-30 minutes and covers:

1. Introductions

Auditor introduces themselves and provides credentials
Your team introduces themselves and their roles
Establish who is the main point of contact

2. Audit Scope Confirmation

Auditor confirms the agreed scope
Any exclusions are discussed
Boundaries are clarified
You acknowledge and agree

3. Audit Plan Review

Auditor presents the day's schedule
Key activities are outlined
Document review approach is explained
Interview schedule is confirmed

4. Logistics and Ground Rules

Break times
Lunch arrangements
Access to facilities
How to handle questions during the audit
Confidentiality confirmation

5. Audit Approach Explanation

Sampling methodology
How findings will be classified
Opportunities for clarification
Closing meeting format

6. Questions and Concerns

Your opportunity to ask questions
Clarify any uncertainties
Raise any special considerations

Who Should Attend the Opening Meeting

From Your Organization:

ISMS Project Lead / Information Security Manager
IT Manager / CTO
Compliance Manager (if applicable)
Executive sponsor (CEO, COO, or delegate)
Anyone playing a key role during the audit day

Not Required:

All employees
Process owners (unless being interviewed)
External consultants (unless specifically involved)

Tips for a Successful Opening Meeting

Do:

✓ Arrive 5-10 minutes early
✓ Be professional and welcoming
✓ Take notes during the meeting
✓ Ask clarifying questions if needed
✓ Confirm you understand the schedule
✓ Express your readiness and confidence

Don't:

✗ Be defensive or nervous
✗ Over-explain or justify before questions are asked
✗ Promise things you can't deliver
✗ Argue about the audit approach
✗ Interrupt or dominate the conversation

Document Review: What Auditors Look For

The bulk of Stage 1 is document review. Here's what auditors examine for each ISO 27001 clause:

Clause 4: Context of the Organization

Documents Reviewed:

Context analysis documentation
Stakeholder analysis
ISMS scope statement
Scope boundaries documentation

What Auditors Check:

4.1 Understanding the Organization and Its Context

External issues documented (market, regulatory, technology)
Internal issues documented (culture, resources, capabilities)
Issues are relevant to ISMS purpose
Issues influence ISMS design decisions

4.2 Understanding Needs and Expectations of Interested Parties

Interested parties identified (customers, regulators, partners, etc.)
Their requirements and expectations documented
Legal and regulatory requirements included
Requirements influence ISMS scope and controls

4.3 Determining the Scope of the ISMS

Scope clearly defined
Boundaries specified (physical, organizational, technical)
References Clause 4.1 and 4.2 inputs
Exclusions (if any) are justified
Scope is appropriate for the organization

4.4 Information Security Management System

Evidence that ISMS has been established
ISMS processes defined
ISMS is maintained and continually improved
Process interactions are documented

Common Issues Found:

Scope too broad or too narrow
Context analysis is generic, not specific to organization
Interested parties list is incomplete
No clear connection between context and ISMS design

Sample Questions You Might Get:

"Why did you choose this scope? Why not include [X]?"
"How did you determine these interested parties?"
"Can you explain your decision to exclude [Y] from scope?"
"How often do you review your context and scope?"

Clause 5: Leadership

Documents Reviewed:

Information security policy
Management commitment evidence
Roles, responsibilities, and authorities documentation
Management review records

What Auditors Check:

5.1 Leadership and Commitment

Top management demonstrates commitment
Security policy approved by leadership
Resources allocated to ISMS
Evidence of management engagement

5.2 Policy

Information security policy exists
Policy is appropriate to organization's purpose
Includes commitment to continual improvement
Includes commitment to comply with requirements
Policy is documented and communicated
Policy is available to interested parties

5.3 Organizational Roles, Responsibilities and Authorities

Roles and responsibilities assigned and communicated
Authority to implement ISMS defined
Authority to report on ISMS performance defined
Someone accountable for ISMS conformance

Common Issues Found:

Generic policy not tailored to organization
Policy not signed/approved by top management
No evidence of policy communication
Roles and responsibilities unclear or unassigned
No one clearly accountable for ISMS

Sample Questions You Might Get:

"Who is ultimately accountable for the ISMS?"
"How does management demonstrate commitment?"
"How is the policy communicated to employees?"
"Who has authority to make ISMS decisions?"

Clause 6: Planning

Documents Reviewed:

Risk assessment methodology
Risk assessment results
Risk treatment plan
Statement of Applicability (SoA)
Information security objectives
Plans to achieve objectives

What Auditors Check:

6.1.1 General (Actions to Address Risks and Opportunities)

ISMS planning considers Clause 4 context
Planning addresses risks and opportunities
Plans integrated into ISMS processes

6.1.2 Information Security Risk Assessment

Risk assessment process defined and documented
Risk criteria established (acceptance, evaluation)
Risk assessment method is repeatable and consistent
Risk assessment has been conducted
Results are documented

6.1.3 Information Security Risk Treatment

Risk treatment plan exists
Risk owners identified
Controls selected to treat risks
Residual risks identified
Risk acceptance by risk owners documented

6.2 Information Security Objectives

Information security objectives established
Objectives documented
Objectives are measurable
Objectives monitored and updated
Plans to achieve objectives exist

6.3 Planning of Changes

Process for managing ISMS changes defined
Changes considered systematically

Common Issues Found:

Risk assessment never actually performed
Risk assessment too generic, not specific to organization
No risk owners assigned
Statement of Applicability incomplete or inconsistent with risk treatment
No evidence of risk acceptance
Objectives not measurable or monitored

Sample Questions You Might Get:

"Walk me through your risk assessment process"
"How did you determine these risk criteria?"
"Who are the risk owners?"
"How do you know if you're achieving your objectives?"
"How does your SoA relate to your risk treatment plan?"

Clause 7: Support

Documents Reviewed:

Resource allocation evidence
Competency requirements and training records
Awareness program materials
Communication plan
Document and record controls

What Auditors Check:

7.1 Resources

Resources needed for ISMS identified
Resources have been allocated

7.2 Competence

Competence requirements determined
Training provided where needed
Evidence of competence (training records, certifications)

7.3 Awareness

Awareness program exists
People aware of security policy
People aware of their contribution to ISMS
People aware of implications of non-conformity

7.4 Communication

Communication needs determined
What to communicate defined
When to communicate defined
Who communicates defined
Communication process exists

7.5 Documented Information

Required documented information exists
Documents controlled (creation, update, version)
Documents distributed appropriately
Records controlled and protected
External documents controlled

Common Issues Found:

No documented competency requirements
Training records missing or incomplete
No evidence of awareness program
Document control process not followed consistently
No external document control

Sample Questions You Might Get:

"How do you ensure people are competent in information security?"
"How do you make employees aware of the ISMS?"
"How do you control document versions?"
"Show me evidence that staff have been trained on the policy"

Clause 8: Operation

Documents Reviewed:

Operational planning documentation
Risk assessment and treatment execution
Control implementation evidence
Change management procedures
Vendor/supplier controls

What Auditors Check:

8.1 Operational Planning and Control

Processes planned, implemented, and controlled
Changes controlled
Outsourced processes controlled

8.2 Information Security Risk Assessment

Risk assessments performed at planned intervals
Evidence of assessments being conducted

8.3 Information Security Risk Treatment

Risk treatment plan implemented
Controls from Annex A implemented as planned

Common Issues Found:

Risk assessment and treatment conducted once but not repeated
Controls selected but not actually implemented
No evidence of operational processes running
Changes not controlled
Outsourced processes not managed

Sample Questions You Might Get:

"When was your last risk assessment?"
"How do you manage changes to the ISMS?"
"Show me evidence that [Control X] is actually operational"
"How do you manage third-party security?"

Clause 9: Performance Evaluation

Documents Reviewed:

Monitoring and measurement procedures
Performance metrics and results
Internal audit program and reports
Management review records

What Auditors Check:

9.1 Monitoring, Measurement, Analysis and Evaluation

What to monitor determined
Methods for monitoring defined
When to monitor determined
Who monitors defined
Results retained as evidence

9.2 Internal Audit

Internal audit program exists
Internal audits conducted at planned intervals
Audit criteria and scope defined
Auditors are objective and impartial
Results reported to management
Evidence of at least one complete internal audit

9.3 Management Review

Management reviews conducted at planned intervals
Reviews include required inputs (9.3.2)
Reviews produce required outputs (9.3.3)
Evidence of at least one management review
Results documented

Common Issues Found:

No internal audit conducted yet (Stage 1 blocker)
No management review conducted yet (Stage 1 blocker)
Internal audit not comprehensive
Management review just a formality, no real review
No evidence retained

Sample Questions You Might Get:

"When was your internal audit?"
"Who conducted it? How did you ensure objectivity?"
"When was your management review?"
"What decisions came out of the management review?"

Clause 10: Improvement

Documents Reviewed:

Nonconformity and corrective action records
Evidence of continual improvement
Process for managing nonconformities

What Auditors Check:

10.1 Nonconformity and Corrective Action

Process for handling nonconformities defined
Corrective actions taken when needed
Effectiveness of corrective actions evaluated
Evidence of the process in action

10.2 Continual Improvement

Evidence of continual improvement of ISMS

Common Issues Found:

Process defined but no evidence of use yet (acceptable at Stage 1)
No process for corrective actions
Corrective actions taken but effectiveness not evaluated

Sample Questions You Might Get:

"Have you identified any nonconformities yet?"
"How do you ensure corrective actions are effective?"
"What improvements have you made to the ISMS?"

Process Interviews: Who and What

Who Gets Interviewed at Stage 1

Typically Interviewed:

ISMS Project Lead / Information Security Manager (primary interview)
IT Manager / CTO (understanding technical environment)
Executive Sponsor (leadership commitment)
Internal Auditor (if different from above)

Possibly Interviewed:

Key process owners (HR, Operations, Development)
Compliance manager
Risk manager

Not Usually Interviewed at Stage 1:

General staff members
All process owners (that's Stage 2)
Customers or partners

Typical Stage 1 Interview Questions

For ISMS Project Lead:

"Walk me through how you developed the ISMS."
"How did you determine the scope?"
"Explain your risk assessment process."
"How have you ensured the ISMS is operational?"
"What challenges have you faced?"
"How ready do you feel for Stage 2?"

For IT Manager / CTO:

"Describe your technology environment."
"How are the technical controls implemented?"
"How do you manage changes to IT systems?"
"What security tools and technologies do you use?"
"How do you monitor security events?"

For Executive Sponsor:

"Why did you decide to pursue ISO 27001?"
"How do you demonstrate commitment to the ISMS?"
"What resources have you allocated?"
"How do you see information security fitting into business strategy?"

For Internal Auditor:

"How did you approach the internal audit?"
"What did you find?"
"How did you ensure objectivity?"
"What is your background in auditing?"

Tips for Interview Success

Do:

✓ Answer clearly and concisely
✓ Provide examples when helpful
✓ Admit if you don't know something
✓ Refer to documentation when appropriate
✓ Be honest about challenges and how you addressed them

Don't:

✗ Ramble or over-explain
✗ Make up answers
✗ Blame others for gaps
✗ Be defensive about decisions
✗ Volunteer problems that weren't asked about

Site Tour: What Auditors Observe

If your Stage 1 is on-site, the auditor will likely do a brief site tour.

What Auditors Look At

Physical Security:

Building access controls
Visitor management
Badge/access card systems
Security awareness signage
Clear desk/clear screen practices

Technology Environment:

Server room/data center security
Environmental controls
Equipment protection
Cable management
Network equipment security

Operational Practices:

How people actually work
Security practices in action
Compliance with policies
Security awareness in practice

Site Tour Checklist

Before the Tour:

Tidy up the office (professional appearance)
Ensure sensitive information isn't visible
Brief staff that auditor will be touring
Test access controls
Prepare to demonstrate key controls

During the Tour:

Have the right person lead (usually IT Manager)
Point out security controls proactively
Be ready to explain what auditor sees
Don't hide issues, but don't advertise problems either
Keep the tour focused and efficient (30-45 minutes)

Good Signs to Demonstrate:

Clean desks with no visible passwords
Locked server room with access logs
Security awareness posters
Visitor logs and badges
Locked filing cabinets for sensitive documents
Screen locks activating
Security cameras (if applicable)

Closing Meeting: Understanding the Results

What Happens in the Closing Meeting

The closing meeting (30-45 minutes) is where the auditor shares findings:

1. Overall Assessment

Summary of what was reviewed
General observations
Overall readiness for Stage 2

2. Findings Presentation

Any nonconformities identified
Observations and improvement opportunities
Areas of strength

3. Classification of Findings

Major Nonconformity:

A significant gap in ISMS documentation or implementation
Must be corrected before Stage 2 can proceed
Example: No risk assessment has been performed

Minor Nonconformity:

A partial or isolated gap
Should be corrected, but Stage 2 can proceed
Example: One procedure missing from SoA

Observation:

Not a nonconformity, but an improvement opportunity
No corrective action required
Example: "Consider adding metrics for [X] objective"

4. Stage 2 Readiness Decision

Ready to proceed
Ready with conditions (minor items to address)
Not ready (major items must be corrected first)

5. Stage 2 Planning

Proposed dates
Focus areas
Any special arrangements needed

6. Next Steps

Timeline for addressing findings
Evidence required
Communication plan

Who Should Attend the Closing Meeting

Required:

ISMS Project Lead
Executive Sponsor
Anyone who can make decisions about next steps

Optional:

IT Manager
Other key team members
Consultant (if involved)

How to Handle Findings

During the Closing Meeting:

If you understand and agree:

Acknowledge the finding
Thank the auditor for identifying it
Commit to addressing it
Ask for clarification on expectations if needed

If you don't understand:

Ask for clarification
Request specific examples
Seek to understand the requirement
Don't argue, seek to understand

If you disagree:

Listen fully first
Ask questions to understand the auditor's perspective
Provide additional context or evidence if relevant
If still in disagreement, note it for formal dispute process
Don't argue extensively in the meeting

Professional Response Examples:

"Thank you for identifying that gap. We'll address it before Stage 2."

"Can you help me understand specifically what's missing from [X]?"

"I appreciate that observation. We'll consider that improvement."

"We may have a different interpretation of that requirement. Can we discuss the specific clause?"

After the Closing Meeting

Immediate Actions (Same Day):

Debrief with your team
Document all findings and feedback
Prioritize action items
Update project timeline if needed

Next 1-2 Days:

Create action plan for all findings
Assign ownership for corrections
Set deadlines for completion
Communicate plan to stakeholders

Within 1 Week:

Begin addressing findings
Update documentation as needed
Gather evidence of corrections
Keep certification body informed of progress

After Stage 1: Critical Actions

Understanding the Stage 1 Report

Within 1-2 weeks, you'll receive a formal Stage 1 report containing:

Report Contents:

Audit scope and objectives
Audit team and participants
Documents reviewed
Interviews conducted
Findings (major NCRs, minor NCRs, observations)
Stage 2 readiness conclusion
Recommendations for Stage 2 preparation

Reviewing the Report:

Read it thoroughly
Ensure you understand all findings
Check that facts are accurate
Note any factual errors for correction
Understand timelines for responses

Addressing Findings

For Major Nonconformities (if any):

Root Cause Analysis
- Understand why the gap exists
- Don't just fix the symptom
Corrective Action
- Address the root cause
- Implement the correction
- Document what was done
Evidence Gathering
- Collect proof of correction
- Make evidence clear and accessible
Verification
- Have internal audit review
- Test that correction is effective
Submission
- Send evidence to certification body
- Request confirmation of acceptance
- Don't schedule Stage 2 until accepted

For Minor Nonconformities:

Plan Correction
- Determine what needs to be done
- Set realistic timeline
Implement
- Make the correction
- Document the action
Prepare Evidence
- Have evidence ready for Stage 2
- Make easy for auditor to find

For Observations:

Evaluate
- Decide if you'll address it
- Prioritize based on value
Implement if Valuable
- Make improvements that add value
- Don't just check boxes
Document
- Keep record of improvements made

Preparing for Stage 2

Timeline Considerations:

Minimum Time Between Stage 1 and Stage 2:

At least 28 days (per IAF MD 5)
Longer if you have major findings to correct
Typical: 4-8 weeks

Use This Time To:

Weeks 1-2 After Stage 1:

Address all Stage 1 findings
Complete any missing documentation
Strengthen areas of weakness identified
Build more operational evidence

Weeks 3-4 After Stage 1:

Conduct second internal audit (if possible)
Hold second management review (if possible)
Gather strong evidence of ISMS operation
Ensure all controls have evidence

Weeks 5-6 After Stage 1:

Conduct mock Stage 2 audit internally
Final documentation review
Team preparation and briefing
Logistics planning for Stage 2

Week 7 Before Stage 2:

Submit pre-audit documents to certification body
Confirm Stage 2 schedule
Final team preparation
Mental preparation and confidence building

Common Stage 1 Issues and How to Prevent Them

Issue 1: "Your ISMS hasn't been operational long enough"

The Problem: Auditor determines the ISMS is too new; insufficient evidence of operation.

ISO 27001 Requirement: The ISMS must have been operational for at least one complete cycle of:

Risk assessment
Internal audit
Management review

How to Prevent:

Don't schedule Stage 1 too early
Ensure at least 2-3 months of ISMS operation before Stage 1
Have clear evidence of:
- Completed risk assessment
- At least one internal audit covering all ISMS areas
- At least one management review
- Controls operating and generating evidence

Timeline Guidance:

Month 1-2: Build ISMS documentation
Month 3: Implement controls
Month 4: Internal audit
Month 5: Management review, gather evidence
Month 6: Stage 1 audit

Issue 2: "Your scope is not clearly defined"

The Problem: Auditor can't determine what's in and out of scope.

Why It Happens:

Vague scope statement
Unclear boundaries
Inconsistency between scope and other documents
Scope doesn't reflect actual operations

How to Prevent:

Define scope with specificity:
- ✓ "Development and support of XYZ SaaS platform for healthcare clients"
- ✗ "Information technology services"
Specify boundaries clearly:
- Physical locations
- Organizational units
- Technology systems
- Business processes
Ensure consistency across:
- Scope statement
- Certificate application
- Context documentation
- Risk assessment
- SoA

Issue 3: "Your risk assessment is not adequate"

The Problem: Risk assessment is too generic, incomplete, or not actually conducted.

Why It Happens:

Using a template without customization
Not actually assessing YOUR risks
Missing key assets or threats
No evidence of risk owner involvement
Risk treatment doesn't align with assessment

How to Prevent:

Conduct a real risk assessment of YOUR environment:
- Identify YOUR specific assets
- Assess YOUR actual threats and vulnerabilities
- Evaluate impact and likelihood based on YOUR context
Involve real risk owners
Document the process and results clearly
Ensure risk treatment plan flows from assessment
Make SoA consistent with risk treatment

Issue 4: "No evidence of internal audit or management review"

The Problem: Required internal audit or management review hasn't been completed.

Why It Happens:

Scheduling Stage 1 too early
Not understanding the requirements
Thinking these can be done later

How to Prevent:

Conduct internal audit before Stage 1:
- Cover all ISMS processes
- Include Clauses 4-10
- Document findings
- Take corrective actions
Hold management review before Stage 1:
- Include all required inputs (9.3.2)
- Document decisions and actions (9.3.3)
- Demonstrate real management engagement
These are absolute requirements for Stage 1 success

Issue 5: "Documentation doesn't match implementation"

The Problem: What's documented isn't what's actually happening.

Why It Happens:

Documentation created without understanding operations
Copying someone else's documents
Documentation not communicated to teams
Processes changed but documents not updated

How to Prevent:

Document what you DO, then do what you document
Involve process owners in documentation
Test procedures before finalizing
Walk through processes to verify documentation accuracy
Update documents to reflect actual practice

Issue 6: "Statement of Applicability is incomplete or inaccurate"

The Problem: SoA is missing controls, justifications are weak, or it doesn't match risk treatment.

Why It Happens:

Not understanding SoA purpose
Copying without thinking
Not connecting to risk assessment
Generic justifications

How to Prevent:

Include all 93 Annex A controls
For each control:
- State: Applicable or Not Applicable
- Provide genuine justification
- Reference risk treatment plan
- Explain implementation approach
Ensure consistency:
- SoA ↔ Risk Treatment Plan
- SoA ↔ Implemented Controls
- SoA ↔ Control Objectives

Issue 7: "Roles and responsibilities are unclear"

The Problem: Can't determine who is responsible for what in the ISMS.

Why It Happens:

Generic role descriptions
No names assigned
Overlapping or conflicting assignments
Key roles missing

How to Prevent:

Create clear RACI matrix for all ISMS activities
Assign real people to roles
Ensure no critical gaps
Document in organization chart or responsibility matrix
Communicate assignments to role holders
Get acknowledgment from assignees

Issue 8: "No evidence of ISMS operation"

The Problem: Documents exist but no proof that ISMS is actually working.

Why It Happens:

Documentation project only, no implementation
Evidence not collected
Controls implemented too recently
No operational records

How to Prevent:

Build evidence from day one of operation:
- Access reviews conducted → logs
- Backups tested → test records
- Training delivered → attendance records
- Incidents managed → incident logs
- Changes managed → change records
- Vendors assessed → assessment records
Organize evidence by control
Create evidence index for easy reference

Stage 1 Preparation Checklist

Use this comprehensive checklist in the final weeks before Stage 1:

4 Weeks Before Stage 1

ISMS Documentation Complete:

Core Documents:

ISMS Scope Statement (4.3)
Information Security Policy (5.2)
Risk Assessment Methodology (6.1.2)
Risk Assessment Results (6.1.2)
Risk Treatment Plan (6.1.3)
Statement of Applicability (6.1.3d)
Information Security Objectives (6.2)
Evidence of Competence (7.2)
Operational Planning and Control (8.1)
Risk Assessment Records (8.2)
Risk Treatment Results (8.3)
Monitoring and Measurement Results (9.1)
Internal Audit Program (9.2)
Internal Audit Results (9.2)
Management Review Results (9.3)
Nonconformities and Corrective Actions (10.1)

Supporting Documentation:

Context and Interested Parties Analysis (4.1, 4.2)
Roles, Responsibilities, and Authorities (5.3)
Communication Plan (7.4)
Document Control Procedure (7.5)
Required Annex A Policies (based on SoA)
Required Annex A Procedures (based on SoA)
Required Annex A Records (based on SoA)

Documentation Quality:

All documents have version control
All documents have approval signatures
All documents have review dates
All cross-references are accurate
Document register/index is current
No draft or obsolete documents in circulation

2 Weeks Before Stage 1

Evidence of Operation:

Clause 9 Requirements (Critical):

Internal audit completed (all ISMS areas covered)
Internal audit report finalized
Corrective actions from internal audit addressed
Management review held
Management review minutes documented
Management review decisions implemented

Control Evidence:

Risk assessment conducted (at least one complete cycle)
Training records for all staff
Access reviews conducted and documented
Backup testing evidence
Vulnerability scanning results
Incident records (even if no incidents, document that)
Change management records
Vendor assessment records

Team Readiness:

Key participants identified and briefed
Everyone knows their role in the audit
Interview preparation completed
Process owners can explain their processes
Team understands ISMS and can articulate it

1 Week Before Stage 1

Final Preparation:

All requested documents sent to auditor
Documents organized in logical structure
Document index provided
Audit schedule confirmed
Participants' calendars blocked
Meeting rooms/video links arranged
Technology tested (especially for remote audit)

Accessibility:

All evidence easily accessible
Filing system organized
Know where everything is
Can quickly find any requested document
Electronic files organized and named clearly

Site Preparation (if on-site audit):

Audit room prepared
Guest Wi-Fi access arranged
Refreshments planned
Parking/access instructions sent to auditor
Building security notified of visitor

Day Before Stage 1

Final Checks:

Review audit agenda one more time
Confirm all participants are ready
Technology test (for remote audit)
Print any needed materials
Set up audit room
Mental preparation

Last-Minute Review:

Quick review of key ISMS elements
Review of your organization's ISMS story
Review of scope and boundaries
Refresh on risk assessment results
Review internal audit and management review outcomes

Mindset for Stage 1 Success

Remember: This Is About Readiness, Not Perfection

Stage 1 is designed to:

Verify you have documentation
Confirm you're ready for Stage 2
Identify any major gaps
Plan Stage 2 approach

Stage 1 is NOT:

A detailed examination of effectiveness (that's Stage 2)
Looking for minor issues or opportunities (that's Stage 2)
Testing of controls (that's Stage 2)

Confidence Builders

You've Done the Work:

Your ISMS is documented
Your controls are implemented
Your team knows the ISMS
You're prepared

Stage 1 is Collaborative:

Auditors want you to succeed
This is a professional conversation
Questions are opportunities to demonstrate knowledge
Feedback helps you improve

You're Not Alone:

Thousands of organizations go through this
Your certification body has experience guiding you
Your team is prepared
You have support

If Something Goes Wrong

Minor Issue Found:

This is normal and expected
Easy to fix before Stage 2
Shows the process is working
Opportunity to improve

Major Issue Found:

Better to find it now than at Stage 2
Time to fix before Stage 2
Shows thoroughness of audit
Certification will be stronger as a result

Worst Case (Not Ready for Stage 2):

Rare if you've prepared properly
Gives you clear roadmap of what's needed
Delay is temporary
Final certification will be more credible

Summary: Keys to Stage 1 Success

1. Timing is Everything

Don't rush Stage 1 too early
Ensure ISMS operational for 2-3 months minimum
Complete internal audit and management review first

2. Documentation Must Be Complete

All required documents exist
Documents are specific to your organization
Version control is clear
Everything is accessible

3. Evidence is Critical

ISMS is not just documents, it's operational
Collect evidence from day one
Organize evidence logically
Make it easy for auditor to verify

4. Team Preparation Matters

Everyone knows their role
Key people can articulate ISMS
Confidence comes from preparation
Practice helps

5. Professional Engagement

Be welcoming and cooperative
Answer questions clearly
Don't be defensive
View auditor as partner, not adversary

6. Learn and Improve

Welcome feedback
Address findings promptly
Use Stage 1 to strengthen Stage 2 readiness
Continuous improvement starts here

Next Lesson: In Lesson 8.4, you'll get a comprehensive Stage 1 Readiness Worksheet to self-assess your preparation and ensure you're truly ready for this critical first audit.