Stage 2: The Final Battle

Stage 2 is your certification audit - the comprehensive assessment that determines whether you earn ISO 27001 certification. This is where auditors verify that your ISMS actually works as documented.

What is Stage 2 Audit?

Purpose: Verify that your ISMS is implemented, operating effectively, and achieving its intended outcomes

Scope:

All applicable ISO 27001 requirements
All applicable Annex A controls from your SoA
Evidence of ISMS operation over time
Effectiveness of controls
Continual improvement

Duration: Typically 60-80% of total audit days Location: Usually on-site (may include remote elements) Outcome: Certification decision (Approve/Minor NCs/Major NCs/Deny)

Timing Requirements

After Stage 1:

Minimum: 2 weeks (for document corrections)
Maximum: 6 months (per ISO 17021)
Typical: 4-8 weeks

Before Stage 2:

All Stage 1 nonconformities must be closed
ISMS must have been operating for sufficient time
Internal audit completed (if required)
Management review completed (if required)

Operating Period:

No fixed ISO requirement
Most CBs want 3-6 months of operation
Must have evidence of:
- Monitoring and measurement
- Internal audit (at least planned/started)
- Management review (at least one cycle)
- Incident handling (if incidents occurred)
- Some control effectiveness evidence

Stage 2 Audit Process

Day 0: Final Preparation (Week Before)

1. Confirm Logistics

Audit schedule
Participant availability
Meeting rooms
System access
Evidence availability

2. Prepare Evidence

Organize by ISO clause and Annex A control
Index all evidence
Test system access
Prepare demonstrations
Have backup evidence ready

3. Brief Your Team

Review audit schedule
Clarify each person's role
Practice answering questions
Set expectations
Establish communication protocol

4. Prepare Workspace

Clean, professional environment
Privacy for interviews
Reliable internet
Backup power
Quiet space

Day 1: Opening Meeting & Leadership Assessment

Opening Meeting (1-2 hours)

Auditor Activities:

Introduce audit team
Confirm scope and objectives
Review schedule (may adjust)
Explain audit methodology
Discuss findings classification
Set communication protocols
Address questions
Confirm Stage 1 NCs closed

Your Activities:

Introduce your team
Provide ISMS overview update since Stage 1
Highlight improvements
Confirm logistics
Ask clarifying questions
Take detailed notes

Pro Tip: This sets the tone. Be professional, confident, and cooperative.

Top Management Interview (1-2 hours)

This is CRITICAL. Auditor must interview top management per ISO 17021.

Questions Top Management Will Face:

About ISMS Understanding:

"What are your organization's main information security risks?"
"Why did you decide to pursue ISO 27001 certification?"
"What are the key objectives of your ISMS?"
"How does information security support your business strategy?"

About Commitment:

"What resources have you allocated to information security?"
"How do you ensure the ISMS remains adequate?"
"What's your role in the ISMS?"
"How often do you review ISMS performance?"

About Results:

"What key security improvements have been achieved?"
"Have there been any security incidents? How handled?"
"How do you know the ISMS is effective?"
"What security metrics do you track?"

About Continuous Improvement:

"What improvements to the ISMS have been made?"
"What future security investments are planned?"
"How do you stay informed about emerging threats?"

What Auditor is Assessing:

Genuine management commitment (not just lip service)
Understanding of key risks
Awareness of ISMS status
Resource provision
Evidence of leadership

Red Flags:

Management doesn't know their risks
ISMS seen as "IT's thing"
No awareness of ISMS performance
Can't answer basic questions
Lack of engagement

Preparation Tips:

Brief executives thoroughly
Provide talking points document
Share common questions
Conduct practice interview
Ensure they understand "their" ISMS

Process Observation Begins

Auditor Starts Sampling:

Reviewing documented procedures
Observing actual practices
Comparing documentation to reality
Testing controls
Interviewing process owners

Day 2-3: Detailed Control Assessment

Control Testing Methodology

For Each Applicable Control:

1. Review Documentation

Policy or procedure
Work instructions
Guidelines

2. Interview Process Owners

How is this control implemented?
Who is responsible?
What tools are used?
How is effectiveness measured?

3. Observe Actual Practice

Watch the control in action
Physical inspection
System demonstrations
Walkthroughs

4. Examine Evidence/Records

Logs
Reports
Tickets
Configurations
Test results

5. Test Samples

Select samples (users, systems, transactions)
Verify control application
Check consistency
Look for exceptions

Example: Testing A.8.5 Secure Authentication

Documentation Review:

Access control policy
Authentication standards
Password requirements

Interview (IT Manager):

"How do users authenticate?"
"What password requirements exist?"
"How is MFA implemented?"
"How are privileged accounts managed?"

Observation:

Watch user login process
See MFA in action
Review authentication logs

Evidence Examination:

MFA enrollment reports (100% coverage?)
Failed authentication logs
Password policy config screenshots
Account provisioning tickets

Sample Testing:

Select 10 random users - verify MFA enabled
Check 5 admin accounts - verify MFA + strong passwords
Review 20 authentication events - verify logging

Conformity Assessment: ☐ Fully Implemented ☐ Partially Implemented (Minor NC) ☐ Not Implemented (Major NC)

Typical Audit Trail

Day 2 Morning: Organizational Controls (Clause A.5)

Policies and procedures
Roles and responsibilities
Risk management process
Asset management
Access control
Supplier relationships

Day 2 Afternoon: People & Physical Controls (A.6 & A.7)

Employment screening
Terms of employment
Security awareness and training
Disciplinary process
Physical security (if applicable)
Equipment security

Day 3 Morning: Technology Controls (A.8)

User endpoint devices
Access rights management
Authentication
Cryptography
Configuration management
Vulnerability management
Malware protection
Logging and monitoring
Backup

Day 3 Afternoon: Development & Operations Controls (remaining)

Secure development (if applicable)
Supplier security
Incident management
Business continuity
Compliance

Key Documents Auditor Will Review

Mandatory Records:

Risk assessment results
Risk treatment plan
Statement of Applicability
ISMS objectives and monitoring
Evidence of competence
Monitoring and measurement results
Internal audit program and results
Management review results
Nonconformity and corrective action records

Operational Records (Samples):

Access logs
Change tickets
Incident tickets
Backup logs
Vulnerability scan results
Training completion records
Visitor logs (if applicable)
Equipment disposal records
Supplier assessment records

Configuration Evidence:

Firewall rule sets
Patch levels
Encryption settings
Password policies
User access lists
System configurations
Network diagrams

Day 3-4: ISMS Process Audit

Internal Audit Verification (Clause 9.2)

Auditor Checks:

Is there an audit program?
Was internal audit conducted?
Did it cover all ISMS areas?
Were competent auditors used?
Were findings documented?
Were corrective actions taken?
Was management informed?

Evidence Needed:

Internal audit plan/schedule
Internal audit reports
Nonconformity records from internal audit
Corrective action closure evidence
Auditor competence records

Common Findings:

Internal audit not conducted (Major NC if required)
Audit too shallow or incomplete
Auditor not independent
Findings not followed up
No evidence of corrective actions

Management Review Verification (Clause 9.3)

Auditor Checks:

Was management review conducted?
Did top management participate?
Were required inputs considered?
Were decisions made?
Was output documented?

Required Inputs (per 9.3.2):

Status of actions from previous reviews
Changes in external and internal issues
Feedback on information security performance
Feedback from interested parties
Risk assessment and treatment results
Opportunities for continual improvement

Required Outputs (per 9.3.3):

Decisions on improvement opportunities
Needs for changes to ISMS
Resource needs

Evidence Needed:

Management review meeting minutes
Attendance records
Presentations/reports to management
Decisions and action items
Follow-up on previous actions

Common Findings:

Management review not conducted (Major NC if required)
Top management didn't attend
Missing required inputs
No decisions or actions
Not documented adequately

Improvement Process (Clause 10)

Auditor Checks:

Nonconformity process defined?
Incidents handled appropriately?
Root causes analyzed?
Corrective actions effective?
Evidence of continual improvement?

What They'll Review:

Corrective action procedure
Nonconformity records (if any)
Incident records (if any)
Root cause analysis
Effectiveness verification

Note: Having zero incidents/nonconformities is okay IF:

ISMS is genuinely new
You have a process ready to handle them
You can demonstrate the process works (simulation/example)

Final Day: Wrap-up and Closing

Final Evidence Review (Morning)

Auditor:

Reviews remaining evidence
Clarifies unclear items
Verifies pending samples
Finalizes findings
Prepares report

You:

Provide any additional evidence requested
Answer final questions
Prepare for closing meeting
Assemble leadership for closing

Closing Meeting (2-3 hours)

This is CRUCIAL. Most important meeting of the entire audit.

Attendees Required:

Top management
ISMS Manager
Key process owners
Anyone who can authorize corrective actions

Auditor Presentation:

1. Audit Summary

Scope confirmation
Areas covered
People interviewed
Evidence reviewed

2. Positive Observations

Strengths identified
Good practices
Effective controls
Improvements since Stage 1

3. Opportunities for Improvement

Recommendations (not requirements)
Suggestions for enhancement
Best practices to consider

4. Nonconformities (The Critical Part)

Minor Nonconformities:

Isolated lapses
Partial implementation
Documentation gaps
Technical errors
Impact: Certification possible with correction plan

Major Nonconformities:

Systematic failures
Complete absence of requirements
Critical control failures
Serious effectiveness issues
Impact: Certification denied until corrected

No Nonconformities:

Rare but possible
Means certification recommended
Impact: Certificate issued

5. Certification Recommendation

Possible Outcomes:

A) Recommended for Certification

Zero NCs or only minor NCs
All requirements met
Minor NCs have acceptable correction plan

B) Conditional Recommendation

Minor NCs need correction before certificate issue
Correction plan accepted
Certificate issued after verification

C) Not Recommended - Additional Audit

Major NCs identified
Additional audit day(s) needed after correction
Adds cost and time

D) Not Recommended - Reaudit Required

Significant major NCs
Fundamental ISMS issues
Must substantially re-audit

6. Next Steps

NC correction timeline (typically 90 days)
Evidence submission process
Certificate issuance timeline
Surveillance audit schedule

Your Response:

Accept findings professionally
Ask clarifying questions
Dispute if genuinely incorrect (politely!)
Propose correction plans
Thank the auditor

After Stage 2

If Zero or Minor NCs Only

Timeline:

Week 1-2: Submit NC corrections

Root cause analysis
Corrective actions taken
Evidence of correction
Evidence of effectiveness (if possible)

Week 3-4: Auditor reviews corrections

Evaluates adequacy
May request additional evidence
Approves or requests revision

Week 5-6: Certificate issuance

CB issues certificate
Certificate valid 3 years
Surveillance audit scheduled (Year 1 & 2)
Recertification audit scheduled (Year 3)

Celebrate! You earned it!

If Major NCs

Must:

Conduct root cause analysis
Implement corrective actions
Gather evidence of correction
Demonstrate effectiveness
Submit evidence to CB

Then:

CB determines if additional audit needed
May be desk review if well-documented
May require on-site follow-up (costs extra)
May require re-audit if fundamental issues

Timeline: Can take 3-6 months

What Auditors Look For

Evidence of Actual Operation

Not Just Documentation:

Policies are great, but are they followed?
Procedures exist, but are they used?
Controls documented, but are they working?

They Want to See:

Dated records over time
Regular operational evidence
Consistency in application
People actually following processes
Controls integrated into operations

Red Flags:

Evidence all created last month
"We just started doing this"
Processes not known by staff
Documentation doesn't match practice
Controls obviously not embedded

Control Effectiveness

Not Just Implementation:

Control exists (good)
Control works as designed (better)
Control achieves intended outcome (best)

Example - Vulnerability Management:

Bad: "We have a vulnerability scanner"
Okay: "We scan monthly and have a patching process"
Good: "95% of critical vulnerabilities patched within 7 days, evidence shows declining vulnerability counts over time"

They'll Ask:

"How do you know this control is working?"
"Show me evidence of effectiveness"
"What metrics do you track?"
"Have there been any failures?"

Consistency

Across the Organization:

Same control applied consistently
Not working in one area but not another
Uniform understanding
Standard practices

Over Time:

Sustained operation
Not just prepared for audit
Regular cadence
Historical evidence

Integration into Business

Not a Separate "Compliance Thing":

Security integrated into operations
Staff understand why, not just what
Embedded in business processes
Part of culture

Good Signs:

People speak naturally about security
Security considerations in regular decisions
Proactive security behavior
Security seen as enabling business

Common Stage 2 Findings

Minor NCs - Typical Examples

Documentation Gaps:

"Internal audit report doesn't document all required elements"
"Management review minutes don't show all required inputs"
"A.8.8 vulnerability management procedure doesn't define timelines"

Implementation Gaps:

"3 of 25 sampled users don't have MFA enabled (A.5.17)"
"2 servers found without current malware protection (A.8.7)"
"Training completion rate is 85%, target is 95% (A.6.3)"

Process Gaps:

"Risk assessment conducted but not all assumptions documented"
"SoA shows A.8.13 implemented but no backup tests conducted"
"Corrective action procedure exists but no evidence of use"

Major NCs - Typical Examples

Systematic Failures:

"No access reviews conducted (A.5.18) - systematic failure across all systems"
"Logging not enabled on 80% of critical systems (A.8.15)"
"No evidence of management review conducted (Clause 9.3)"

Absence of Requirements:

"Internal audit not conducted (Clause 9.2)"
"No risk assessment for new cloud migration project (Clause 6.1.2)"
"Backup process exists but no backups tested in 12 months (A.8.13)"

Control Effectiveness Failures:

"MFA implemented but easily bypassed using alternative methods"
"Vulnerability scanning conducted but critical vulnerabilities not remediated (8+ months old)"
"Change management process documented but changes made outside process regularly"

Tips for Stage 2 Success

Before the Audit

1. Operate Your ISMS

Don't prepare "for the audit"
Run your ISMS normally
Let evidence accumulate naturally
Fix issues as they arise

2. Conduct Mock Audit

Internal or external
Identify gaps early
Practice interviews
Test evidence availability

3. Know Your Evidence

Where everything is located
How to access it quickly
Backup copies available
Index or evidence map

4. Prepare Demonstrations

Key systems
Critical controls
Technical implementations
Practice showing them

During the Audit

1. Be Honest

Don't hide issues
Don't exaggerate capabilities
Admit gaps if found
Show how you'll fix them

2. Stay Calm

Auditor finding issues is normal
It's not personal
Focus on facts
Professional demeanor

3. Listen Carefully

Take detailed notes
Ask clarifying questions
Understand the concern
Don't argue defensively

4. Provide Context

Explain your reasoning
Show what you've considered
Describe constraints
Demonstrate understanding

5. Don't Volunteer Problems

Answer questions asked
Provide requested evidence
Don't introduce new concerns
Stay focused

If Findings Arise

1. Understand the Finding

What requirement is not met?
What evidence is lacking?
Is it minor or major?
What would close it?

2. Verify Accuracy

Is the finding correct?
Politely challenge if wrong
Provide counter-evidence
Seek clarification

3. Accept Gracefully

If valid, acknowledge it
Don't make excuses
Focus on solutions
Propose correction plan

4. Immediate Correction (If Possible)

Some findings can be corrected during audit
Simple configuration changes
Missing documentation
Quick implementations
Ask if immediate correction acceptable

Certificate Issuance

If Successful

You'll Receive:

ISO 27001:2022 Certificate
Valid for 3 years from issue date
Includes your scope
Shows accreditation body logo
Certificate number

Certificate Shows:

Your organization name
Certificate scope
Issue date
Expiry date
CB and accreditation body logos
Certificate number
ISO 27001:2022 standard

You May:

Display certificate
Use "ISO 27001 Certified" in marketing
Use CB and accreditation logos per usage rules
List in CB's certified organization directory
Reference in proposals and contracts

You Must:

Maintain your ISMS
Prepare for surveillance audits (annual)
Report significant changes to CB
Not misuse or misrepresent certification

Surveillance Audits

Year 1 & Year 2:

Annual surveillance audits
Shorter duration (1-2 days typically)
Verify continued compliance
Check corrective actions
Review changes
Sample different areas than Stage 2

Year 3:

Recertification audit
Similar scope to Stage 2
Full reassessment
New 3-year certificate issued

Next Lesson: Prepare comprehensive evidence packages to support your audit responses.