
ISO 27001 Audit: What to Expect at Stage 1 and Stage 2
For many Australian businesses, the ISO 27001 audit is the part of the certification journey they are most anxious about. That anxiety is usually caused by not knowing what to expect. This guide walks you through exactly what happens at Stage 1 and Stage 2, what auditors are looking for, what can go wrong, and how to walk in prepared rather than hoping for the best.
What Is ISO 27001 and Why Does the Audit Matter?
ISO 27001 is the internationally recognised standard for information security management. It requires an organisation to build and operate an Information Security Management System (ISMS) that identifies, manages, and continuously improves its approach to information security risk.
The audit is the formal verification process conducted by an accredited certification body. It is what stands between you and the certificate on the wall. Understanding how it works is not just useful background knowledge; it directly affects how you prepare and how likely you are to pass the first time.
ISO 27001 in Australia is increasingly expected by government agencies, enterprise procurement teams, and regulated sectors including financial services and healthcare. Businesses subject to APRA CPS 234 in particular will find that a mature, certified ISMS provides a strong foundation for demonstrating the governance obligations that APRA expects.

The Two-Stage Certification Audit Structure
The certification audit is split into two distinct stages. They serve different purposes and assess different things. Most businesses treat them as one process and under-prepare for both.
Stage 1: The Documentation Review
Stage 1 is sometimes called the “readiness audit” or “desktop review”. The auditor’s job at this stage is not to assess whether your security controls work in practice. It is to assess whether your ISMS is designed correctly and whether you are ready to proceed to the more rigorous Stage 2.
At Stage 1, auditors will typically review:
- Your ISMS scope document, assessing whether it is clearly defined and proportionate
- Your information security policy and supporting policies
- Your risk assessment methodology and current risk register
- Your Statement of Applicability (SoA), including justifications for included and excluded controls
- Evidence of completed internal audits and management reviews
- Your security objectives and whether you have plans to achieve them
A Stage 1 audit does not result in certification. It results in a readiness assessment report. If the auditor identifies gaps or inconsistencies, these are classified as either major nonconformities (which must be resolved before Stage 2 can proceed) or minor nonconformities (which can be addressed during or after Stage 2 with an accepted corrective action plan).
Do not treat findings at Stage 1 as a failure. They are genuinely useful. Most organisations receive some observations at Stage 1, and the good ones use them to improve their ISMS before the clock starts ticking on Stage 2.
If you are unsure whether your ISMS documentation is ready for Stage 1, an internal readiness assessment will tell you quickly. Siege Cyber includes a gap analysis, risk assessment, policy development, and internal audit preparation in our CERTIFY package, specifically so that organisations arrive at Stage 1 in the strongest possible position. Learn more about our ISO 27001 services here.
Stage 2: The Certification Audit
Stage 2 is the main event. This is where the auditor verifies that your ISMS is not just documented correctly but is actually operating effectively in practice. It typically takes place two to eight weeks after Stage 1, giving your team time to address any Stage 1 findings.
The Stage 2 audit is conducted on-site or virtually, and it is more intensive than Stage 1. Auditors will:
- Interview staff at various levels to assess whether they understand and apply your security policies
- Review operational records including access logs, change management records, and incident reports
- Test whether technical and administrative controls are implemented consistently, not just documented
- Assess how identified risks are being treated and monitored over time
- Review supplier and third-party risk management processes
- Verify that internal audits and management reviews have been conducted and documented properly
The auditor is specifically looking for evidence that your ISMS is live and operational, not a collection of policies that nobody actually uses. This is the mistake that catches organisations off-guard most often. They have great documentation but cannot produce the operational evidence to back it up.
What Happens If You Get a Major Nonconformity at Stage 2?
A major nonconformity at Stage 2 means a required ISMS element is absent or has broken down completely. Certification cannot be granted until the issue is resolved and verified by the auditor, which usually means a follow-up audit and a delay of weeks or months. This is expensive and avoidable with proper preparation.
A minor nonconformity at Stage 2 does not prevent certification. You receive the certificate with an accepted corrective action plan and a deadline to resolve the issue.
Observations and opportunities for improvement require no action but are useful input for your ongoing ISMS improvement cycle.
The Most Common Reasons Australian Businesses Fail Their Audit
Having supported Australian organisations through ISO 27001 audits, we see the same issues come up repeatedly. They are rarely about the technology.
The most common findings include:
- ISMS scope that is too broad or poorly defined, resulting in controls that cannot realistically be evidenced
- Controls that are documented but not consistently applied in day-to-day operations
- Risk assessments that are outdated or do not reflect the current threat environment
- Incomplete supplier risk assessments, particularly where third parties have access to sensitive data
- Internal audits that were not completed before the certification audit
- Management reviews that happened but were not documented with sufficient rigour
- Staff who are unable to describe their security responsibilities when interviewed
Most of these come down to the gap between what is written down and what actually happens. Closing that gap before the auditor arrives is the single most effective thing you can do to improve your chances.

How Compliance Automation Can Support Your ISMS
One of the most common questions we get from businesses preparing for an ISO 27001 audit in Australia is whether tools like Vanta or Drata actually help. The honest answer is yes, meaningfully, but only if you use them properly.
These platforms automate evidence collection by integrating directly with your cloud infrastructure, identity provider, and core systems. They surface control gaps, monitor your security posture continuously, and make it significantly easier to produce the evidence an auditor needs at Stage 2. Siege Cyber is an official partner of both Vanta and Drata, and we regularly help organisations that have already invested in one of these platforms to bridge the gap between what the tool monitors and what still requires human expertise, including policy writing, risk assessment, and audit preparation.
After Certification: What Comes Next
Achieving certification is not the finish line. ISO 27001 certificates are valid for three years, but they require annual surveillance audits to remain in force. These are lighter-touch reviews that confirm your ISMS is still operating effectively. At the three-year mark, a full recertification audit is required.
This is why ongoing compliance maintenance matters as much as the initial certification effort. An ISMS that is actively maintained is significantly easier to recertify than one that has been left to gather dust.
How Siege Cyber Supports the Full ISO 27001 Journey
Our CERTIFY package is designed for Australian businesses that want to achieve ISO 27001 certification without the uncertainty of ad-hoc hourly consulting. For $4,750 per month on a 12-month subscription, the package includes:
- Gap analysis and risk assessment
- Customised policy development
- Ongoing compliance support throughout the year
- Incident response planning
- Internal audit preparation and execution
- Management Committee meeting facilitation
- Quarterly external vulnerability scanning
Optional add-ons include penetration testing at a discounted rate for CERTIFY clients, secure cloud review, employee phishing testing, security awareness training, and vCISO advisory support.
You can view full pricing details here.
Ready to Prepare Properly for Your ISO 27001 Audit?
Whether you are just starting your ISO 27001 journey, preparing for an upcoming Stage 1 audit, or trying to understand why a previous attempt did not go as planned, Siege Cyber can help you build a clear, practical path to certification.
Visit siegecyber.com.au/services/iso-27001/ to learn more about how we support organisations through the full certification process, or email us at [email protected] to book a free consultation. We will get back to you within one business day.