Security compliance Measuring/certifying security programs ISO 27001 ISO 27701

What to expect during your ISO 27001 and/or ISO 27701 audit

The ISO 27001 and ISO 27701 certification processes can seem long and confusing. That’s because the standards are complex. Both require extensive documentation of policies, procedures, and risk assessments. And — because the regulatory environment is constantly evolving — it’s not a one-time effort, but an ongoing commitment to continuous improvement.

So, what do you need to know to feel more comfortable and confident as you prep for your ISO 27001 and/or ISO 27701 audit?

Here's a quick run-down of what you can expect during each stage of your audit.

Stage 1: Gap analysis and documentation review

The primary purpose of stage 1 is to assess the current state of your organization's information security management system (ISMS) and/or privacy information management system (PIMS) against the requirements of the ISO 27001 and ISO 27701 standards. Here's what typically happens during this stage:


Preparation includes selecting an audit team, reviewing existing documentation related to information security and privacy management, establishing audit objectives, outlining which areas and processes will be assessed, setting the date for the stage 1 audit, and deciding if it will be on-site or remote.

Gap analysis

After the audit team assesses the organization's current information security and privacy management practices, they’ll identify strengths and weaknesses, compliance gaps, and areas where improvements are needed to meet the ISO 27001 and ISO 27701 requirements. If any significant non-conformities (aka non-compliance with standard requirements) are discovered during the gap analysis, they’re flagged and documented for further action.

Documentation review

During this part of stage 1, the audit team reviews the organization's ISMS/PIMS documentation to evaluate its completeness and alignment with ISO 27001 and ISO 27701 requirements. This documentation review includes policies, procedures, risk assessments, and records of incidents and controls. Any gaps or deficiencies in the documentation are identified, and recommendations for improvements are made.

Audit report

The audit team prepares a report summarizing its findings, which typically includes an overview of the organization's readiness for stage 2 certification, a list of non-conformities (if any), and recommendations for corrective actions and improvements.

The organization receives the stage 1 audit report and reviews its findings and recommendations. If non-conformities or deficiencies are identified, the organization should develop and implement corrective actions to address these issues and improve its ISMS/PIMS in order to prepare for the stage 2 audit, which is the final step leading to certification.

Stage 2: Detailed audit of ISMS or PIMS implementation

Stage 2 of the ISO 27001 and ISO 27701 audit involves a detailed assessment of the implementation and effectiveness of your ISMS and/or PIMS based on the ISO 27001 and ISO 27701 standards. Here are the typical steps of the stage 2 audit:


The audit team conducts additional planning and preparation based on the findings from the stage 1 audit as well as the organization's readiness. As a result, a detailed audit plan is developed, specifying the audit scope, objectives, criteria, and methods.

On-site or remote audit

The stage 2 audit can be conducted on-site at the organization's premises or remotely, depending on the circumstances and agreements made during stage 1.

Documentation enhancement

The audit team thoroughly examines documentation and records related to information security and privacy management, including incident reports, risk assessments, and evidence of control implementation.

Interviews and evidence gathering

The audit team conducts interviews and discussions with relevant personnel across the organization to assess the implementation of ISMS/PIMS controls, policies, and procedures. In addition, the team may observe processes and practices in action to verify their compliance with the standards, using sampling to assess a representative portion of the organization's operations and activities.

Audit report

The audit team compiles a detailed stage 2 audit report summarizing their findings during the audit and provides a recommendation on whether the organization should be granted ISO 27001 and/or ISO 27701 certification.

Stage 3: Post-audit corrective actions and certification decision

While ISO 27001 and ISO 27701 don’t have a formal "stage 3" in their certification processes — as corrective actions and the certification decision are typically part of the Stage 2 audit and post-audit process — it's essential to understand how these issues are handled within the context of the audit process.

Corrective actions

If non-conformities are identified, the audit team documents these findings in their audit report. As a result, the organization is required to develop, implement, and provide evidence of corrective action plans, outlining how they intend to address and rectify the identified non-conformities, and then take them to the audit team for verification. 

Follow-up audit (if required)

After the organization has completed the corrective actions, the audit team or certification body may perform a verification or follow-up audit to ensure that the issues have been effectively resolved.

Certification decision

The certification decision is made by the certification body or registrar after reviewing the stage 2 audit findings and any evidence of corrective action implementation during the post-audit phase. If the organization demonstrates compliance with the standards and successfully addresses the non-conformities, it may be awarded ISO 27001 and/or ISO 27701 certification.

Certification issuance

If the certification decision is favorable, the organization receives an ISO 27001 and/or ISO 27701 certificate, signifying that it complies with the respective standards.

How Strike Graph can help 

Strike Graph’s all-in-one compliance platform can help your organization streamline your ISO 27001 and/or ISO 27701 certification process and help ensure you’re audit-ready. And, you’ll be able to leverage the work you’ve already done for your ISO 27001 and/or ISO 27701 certifications to easily achieve SOC 2, GDPR, PCI DSS, CCPA, or HIPAA compliance. After all, why should you do more work when you don’t have to?

  • copy-link-icon

    Copy URL

  • facebook-icon
  • linkedin-icon

Are you ready to build trust through cybersecurity?