ISO 27001 Audit: What to Expect and How to Prepare
An ISO 27001 audit is an independent assessment of your Information Security Management System (ISMS) to verify that it meets the requirements of the ISO/IEC 27001:2022 standard. It gives your customers, partners, and regulators credible assurance that you manage information security risks effectively, through a structured system that can be independently verified.
ISO 27001:2022 is the current version of the standard. As of October 2025, certificates issued against the 2013 version are no longer valid. All current certifications assess against ISO 27001:2022, which restructured Annex A controls from 114 to 93 and introduced 11 new controls addressing areas including threat intelligence, cloud security, and data masking.
Certification audits in the UK are carried out by certification bodies accredited by the United Kingdom Accreditation Service (UKAS). It’s important to note that only certificates from UKAS-accredited bodies are universally recognised by regulators, customers, and procurement processes.
Using a non-UKAS body for your ISO certification risks having your certificate rejected where it matters most.
If you’re preparing for your first ISO 27001 certification audit, you’re likely managing competing priorities, limited internal resource, and pressure from the board to get this done without delays or failed stages. This guide demystifies what auditing ISO 27001 actually involves, how internal and external audits differ, what auditors look for at each stage, and how to prepare with confidence.
Learn more about exactly what evidence auditors expect, where organisations most commonly fail, and how a managed approach can help you to achieve certification without costly surprises.
Key Takeaways
- ISO certification audits take place in two stages: Stage 1 reviews your documentation and ISMS design; Stage 2 tests implementation and effectiveness through evidence, interviews, and sampling.
- Internal audits are mandatory under Clause 9.2 of the standard and must be completed before your external certification audit.
- The most common causes of nonconformity are gaps in risk assessment and treatment, weak control implementation, unclear ownership, and missing audit trails.
- All ISO 27001 certification audits in the UK now assess against ISO 27001:2022. The 2013 standard was retired in October 2025.
- UKAS-accredited certification bodies are the only bodies whose certificates are universally recognised.
- ISO 27001 audit costs for a UKAS-accredited certification in the UK typically range from £3,000 to £15,000+ depending on your organisation’s size and complexity.
- Partnering with an experienced ISO 27001 consultancy provides audit readiness support, ongoing compliance evidence, and a managed approach that reduces audit risk.
What is an ISO 27001 Audit?
An ISO 27001 audit is a formal assessment of whether your ISMS conforms to the requirements of the standard and operates effectively to protect information confidentiality, integrity, and availability. In business terms, it’s the mechanism by which you prove to an independent third party that your information security isn’t just documented but actually working.
Auditing ISO 27001 covers your ISMS design, the 93 Annex A controls you’ve selected in your Statement of Applicability (SoA), your risk assessment and treatment processes, and the evidence that your controls operate as intended. It applies to any organisation that wants recognised, internationally credible assurance over how it manages information security risk.
What is the Difference Between Internal and External ISO 27001 Audits?
Internal and external audits serve distinct purposes, and both are mandatory for certification.
An ISO 27001 internal audit is conducted by or on behalf of your organisation, under Clause 9.2 of the standard. It’s an impartial, planned assessment of whether your ISMS conforms to the standard’s requirements and to your own policies, carried out before the external assessment.
The internal auditor must be independent of the processes being audited, someone who wasn’t involved in building or operating the part of the ISMS they’re reviewing. This can be a trained internal employee from another function, or an external specialist engaged to carry out the internal audit programme on your behalf.
The external certification audit is conducted by a UKAS-accredited certification body. It determines whether you qualify for ISO 27001 certification and identifies any nonconformities you must address.
External audits include the initial two-stage certification process, annual surveillance audits, and a full recertification audit every three years.
Internal audits are about readiness and continuous improvement. External audits determine certification status. Both must be planned, documented, and reported to management.
Who Conducts ISO 27001 Audits?
External certification audits must be conducted by certification bodies accredited by the United Kingdom Accreditation Service (UKAS). This accreditation is what makes your certificate internationally credible and widely recognised by UK and international customers, regulators, and procurement teams.
Internal audits can be conducted by your own trained staff or by a specialist consultant engaged to run your internal audit programme. The key requirement is impartiality: the auditor cannot audit their own work.
If you need an ISO 27001 checklist to assess your current readiness, our team can provide practical audit preparation support tailored to your ISMS scope.
What to Expect in the ISO 27001 Audit Process
ISO 27001 audits are multistage. You’ll be asked to provide documentation, demonstrate how your controls operate, and provide evidence that your ISMS is genuinely embedded in your organisation’s processes.
Expect auditors to review documents, interview staff and control owners, sample records, and test your security processes in practice.
Pre-Audit Preparation and Documentation Review
Before your external audit is scheduled, you should have:
- a defined ISMS scope
- a current Statement of Applicability
- a complete risk assessment and risk treatment plan
- documented policies and procedures
- evidence of management commitment, awareness activities, and control operation
Many certification bodies request a readiness review to confirm your ISMS is sufficiently developed before confirming the audit date.
Your internal audit programme must have completed at least one full internal audit, and a management review must have been conducted covering the ISMS’s performance, risks, and improvement opportunities. These aren’t optional; they’re evidence requirements.
Stage 1 Audit: Scope, Objectives, and What’s Assessed
Stage 1 is a documentation-focused assessment of your ISMS design. Auditors review your scope statement, risk methodology, risk assessment outputs, risk treatment plan, Statement of Applicability, mandatory policies, internal audit records, and management review outputs. They’ll also check that your ISMS addresses the legal, regulatory, and contractual requirements relevant to your organisation.
The goal is to confirm your ISMS is designed correctly and ready for Stage 2. Stage 1 typically lasts one to two days. Findings may include observations or minor gaps you should address before Stage 2 proceeds. Some organisations use Stage 1 feedback to close remaining documentation gaps in the window between the two stages.
Stage 2 Audit: Depth, Evidence Requirements, and Common Findings
Stage 2 tests whether your controls and ISMS processes operate effectively in practice. Auditors interview staff members and control owners, observe processes, review incident and change records, sample logs and outputs, and verify that risks are being treated as your treatment plan describes.
Auditors look closely at access control, asset management, vulnerability and patch management, backup and recovery, supplier security, secure development practices, and your security monitoring and response capability. Stage 2 typically lasts two to five days, depending on the size and complexity of your organisation and ISMS scope.
Common findings that cause nonconformities at this stage include: incomplete or outdated risk registers, Statements of Applicability that don’t reflect reality, missing evidence of control operation, weak supplier due diligence, and corrective actions that haven’t been closed.
Post-Audit Outcomes: Reports, Nonconformities, and Certification
Following Stage 2, you’ll receive a report detailing the auditor’s findings. Nonconformities are categorised as major or minor. Major nonconformities must be addressed and verified by the auditor before certification is granted. Minor nonconformities allow you to progress, provided you implement corrective actions within an agreed timeframe and submit evidence of closure.
Once findings are resolved to the certification body’s satisfaction, your certificate is issued. Annual surveillance audits follow in years one and two, verifying ongoing compliance and improvement.
A full recertification audit every three years reassesses your ISMS and governs your continued certification status.
What Are ISO 27001 Internal Audits and Why Are They Mandatory?
ISO 27001 internal audits are a mandatory requirement under Clause 9.2 of the standard. The clause requires your organisation to plan, establish, implement, and maintain an audit programme that includes frequency, methods, responsibilities, and reporting.
Internal audits must be conducted at planned intervals, at minimum annually, and more frequently where risks are higher or systems are complex.
The purpose of the internal audit programme is to provide information on whether your ISMS conforms to your own requirements and to those of the standard, and whether it’s effectively implemented and maintained. It’s your primary self-checking mechanism before the external auditor arrives, and it’s a documented requirement that your certification body will look for as evidence of a functioning ISMS.
Get a broader view of what ongoing ISO 27001 compliance involves across the full certification lifecycle.
What Does an ISO 27001 Internal Audit Cover?
A well-structured internal audit reviews documentation and policies for accuracy and currency, tests whether processes are being followed in practice, assesses the operation of Annex A controls against your Statement of Applicability, reviews corrective actions from previous audits and incidents, and checks that your risk treatment plan is being implemented as described.
The internal audit report is a formal document. It must record the scope, objectives, and methodology of the audit, the individuals involved, findings and any nonconformities identified, and conclusions with actions required.
This report is presented to management and retained as evidence for your certification body.
Who Can Carry Out an ISO 27001 Internal Audit?
The internal auditor must be impartial and independent of the processes being audited. This means someone who wasn’t involved in building, implementing, or operating the area of the ISMS they’re reviewing.
For smaller organisations without suitable internal resource, the most common approach is to engage an external consultant to run the internal audit programme. This maintains impartiality, brings audit expertise, and avoids the risk of staff auditing their own work.
DigitalXRAID provides internal audit support as part of our managed ISO 27001 service, giving you a documented, evidence-ready internal audit without the internal resource burden.
Common Challenges During ISO 27001 Audits
Many organisations encounter the same obstacles in the audit process. Knowing what typically goes wrong lets you avoid the same traps, reduce audit risk, and move through certification with fewer delays.
Documentation Gaps and Control Misalignment
Policies that don’t reflect how your organisation actually operates are one of the most frequent causes of nonconformity. If your risk treatment plan is disconnected from your implemented controls, or your Statement of Applicability doesn’t match what you’ve actually done, you’ll struggle to pass Stage 2.
Lack of Evidence and Audit Trail
You may have controls in place, but without consistent evidence of their operation they won’t satisfy external audit requirements. Missing logs, incomplete change records, and ad-hoc supplier reviews leave auditors without proof.
In ISO 27001 auditing, if it isn’t recorded, it didn’t happen. A single missing evidence trail can result in a major nonconformity that pauses certification.
Unclear Ownership and Unprepared Teams
Audit interviews quickly reveal whether control owners understand their responsibilities. Unclear ownership, inconsistent awareness training, and staff who can’t describe their role in the ISMS all lead to nonconformities. Management reviews that don’t drive decisions or corrective actions are another common weakness auditors look out for.
Incomplete Internal Audit Programme
Arriving at your external certification audit without a completed internal audit, or with internal audit records that are too superficial to satisfy Clause 9.2, is a major nonconformity. Your internal audit must be planned, documented, and reported before Stage 1. It can’t be treated as a formality.
How to Prepare for an ISO 27001 Audit
To successfully audit ISO 27001, you need to run a formal gap analysis, complete your ISMS documentation, align your people and processes, and conduct your internal audit well before the external assessment. Treating audit preparation as a structured project with owners, deadlines, and evidence milestones significantly reduces the risk of nonconformities and failed stages.
Conduct a Gap Analysis or Internal Audit
Start with a formal gap analysis against ISO 27001:2022 and Annex A. Map your existing controls and processes to the standard’s requirements and identify where you fall short.
Build a corrective action plan with named owners and realistic deadlines, and prioritise risks that affect confidentiality, integrity, and availability of information.
Your internal audit should then test your ISMS against the standard’s requirements and generate the documented evidence your certification body will expect to see. Don’t leave the internal audit until the last moment; completing it early gives you time to close findings before Stage 1.
Review and Complete Your Documentation
Make sure your documentation is complete, current, and aligned to how you actually operate. Check your ISMS scope statement, risk methodology, risk assessment and treatment plan, Statement of Applicability, policies and procedures, internal audit records, and management review outputs.
Every document should have version control, a named owner, and a documented review schedule. Pay particular attention to your Statement of Applicability.
SoAs must accurately reflect which Annex A controls you’ve included, which you’ve excluded, and why. Auditors will cross-reference it against your risk treatment plan and what they observe in practice.
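The cross-reference an auditor performs between the Statement of Applicability, the risk treatment plan and the evidence trail (the evidence-gap failure mode described under Lack of Evidence and Audit Trail, and the SoA checks in this section) can be rehearsed internally before Stage 2. The script below is an added example written for this guide, not DigitalXRAID tooling or anything the standard prescribes. The control identifiers follow the ISO/IEC 27001:2022 Annex A numbering; the sample SoA, treatment plan and evidence register are constructed, and the issue labels (`missing-justification`, `no-evidence`, and so on) are this example's own naming.

```python
"""Audit-readiness cross-check: SoA vs risk treatment plan vs evidence register.

Flags the inconsistencies Stage 2 auditors most often turn into findings:
an SoA entry without a justification, an applicable control with no named
owner or no operating evidence, and a risk treatment that relies on a control
the SoA excludes or omits.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SoaEntry:
    control_id: str      # Annex A reference, e.g. "A.8.15"
    applicable: bool     # included (True) or excluded (False) in the SoA
    justification: str   # why included or why excluded; "" if not recorded
    owner: str           # named control owner; "" if none recorded


@dataclass(frozen=True)
class Finding:
    control_id: str
    issue: str
    detail: str


def cross_check(soa: List[SoaEntry],
                treatment: Dict[str, List[str]],
                evidence: Dict[str, List[str]]) -> List[Finding]:
    """Return every inconsistency between the SoA, the treatment plan and the
    evidence register, sorted by control id so the report is stable."""
    findings: List[Finding] = []
    by_id = {e.control_id: e for e in soa}

    # 1. Every SoA entry, included or excluded, needs a recorded justification;
    #    every applicable control needs an owner and sampled evidence.
    for e in soa:
        if not e.justification.strip():
            findings.append(Finding(e.control_id, "missing-justification",
                                    "applicable" if e.applicable else "excluded"))
        if e.applicable and not e.owner.strip():
            findings.append(Finding(e.control_id, "missing-owner",
                                    "applicable control has no named owner"))
        if e.applicable and not evidence.get(e.control_id):
            findings.append(Finding(e.control_id, "no-evidence",
                                    "no operating evidence recorded for applicable control"))

    # 2. The treatment plan may only rely on controls the SoA marks applicable.
    for risk_id, controls in treatment.items():
        for cid in controls:
            entry = by_id.get(cid)
            if entry is None:
                findings.append(Finding(cid, "not-in-soa",
                                        f"risk {risk_id} relies on a control absent from the SoA"))
            elif not entry.applicable:
                findings.append(Finding(cid, "excluded-but-treated",
                                        f"risk {risk_id} relies on a control the SoA excludes"))

    return sorted(findings, key=lambda f: (f.control_id, f.issue))


# Constructed sample data for a small ISMS (illustrative, not a real SoA).
SAMPLE_SOA = [
    SoaEntry("A.5.7", True, "Threat feeds inform vulnerability prioritisation", "Head of SecOps"),
    SoaEntry("A.5.15", True, "", "IT Manager"),                       # no justification
    SoaEntry("A.5.23", False, "", ""),                                 # excluded, no reason given
    SoaEntry("A.8.8", True, "Monthly scanning with a 30-day patch SLA", "IT Manager"),
    SoaEntry("A.8.11", False, "No production data is used outside production", ""),
    SoaEntry("A.8.13", True, "Nightly backups with quarterly restore test", ""),  # no owner
    SoaEntry("A.8.15", True, "Centralised log collection", "Head of SecOps"),
]
SAMPLE_TREATMENT = {
    "R-01": ["A.8.8", "A.5.7"],
    "R-02": ["A.8.11"],            # relies on a control the SoA excludes
    "R-03": ["A.8.13", "A.8.16"],  # A.8.16 is not in the SoA at all
}
SAMPLE_EVIDENCE = {
    "A.5.7": ["threat-intel-review-2025-Q3.pdf"],
    "A.8.8": ["vuln-scan-2025-09.csv", "patch-report-2025-09.xlsx"],
    "A.8.13": ["backup-restore-test-2025-Q2.docx"],
    "A.8.15": [],                  # control claimed, nothing to sample
}


if __name__ == "__main__":
    for f in cross_check(SAMPLE_SOA, SAMPLE_TREATMENT, SAMPLE_EVIDENCE):
        print(f"{f.control_id:<8} {f.issue:<24} {f.detail}")
```

Run against the sample data it reports seven items, each of which maps to a finding type named in this guide: two SoA entries with no justification, one applicable control with no owner, two applicable controls with nothing to sample, one excluded control that a risk treatment depends on, and one treatment referencing a control the SoA doesn't list. Feeding it your real SoA export and evidence index before the internal audit turns "if it isn’t recorded, it didn’t happen" into a repeatable check rather than a Stage 2 surprise.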
Align People, Processes, and Technology
Assign clear owners to each control and process. Provide targeted awareness training for control owners and staff in scope.
Validate that technical controls, including logging, access management, patch management, and backups, are configured as your documentation describes, and produce evidence that can be sampled during Stage 2.
Auditors will ask control owners directly. If the person responsible can’t explain their control, that’s a finding.
Consider Partnering with a Managed ISO 27001 Provider
An experienced ISO 27001 consultancy accelerates your readiness, removes ambiguity, and ensures your controls are both effective and auditable. With a managed approach you get fully developed ISMS documentation, internal audit support, pre-audit workshops, and ongoing compliance management without the internal resource drain.
When you’re looking to audit ISO 27001 with confidence, a partner that also provides Managed SOC, vulnerability management, and penetration testing gives you the technical security evidence that Annex A controls require, and clear reporting that serves as reliable artefacts for your auditors.
Understand how ISO 27001 and other leading security frameworks work together to protect your business against ransomware and other advanced threats: Read the guide.
How Much Does an ISO 27001 Audit Cost in the UK?
Audit costs are calculated by certification bodies based on the number of audit days required for your organisation’s size, following ISO 27006 guidelines, multiplied by the daily audit rate. For UKAS-accredited certification bodies, audit fees for initial certification (Stage 1 plus Stage 2) typically range from £3,000 to £15,000 for small to mid-sized UK organisations.
Larger enterprises with multiple sites or complex ISMS scopes can expect higher fees.
Annual surveillance audits typically cost around 50% of the initial audit fee. Recertification audits every three years are broadly comparable to the initial certification cost.
The main factors that affect your audit cost are:
- your organisation size and the number of employees in scope
- the number of locations or sites
- the complexity of your ISMS and the systems it covers
- your choice of certification body (UKAS-accredited bodies charge more than non-accredited ones but provide universally recognised certificates)
- your level of audit readiness (gaps and nonconformities extend audit time and increase cost)
Beyond audit fees, organisations should also budget for internal resource time, consultancy support if used, penetration testing and technical assurance, and any remediation work identified during Stage 1.
A managed ISO 27001 service combines these elements into a predictable programme with clear milestones.
Discover how ISO 27001 certification demonstrates to insurers that your organisation takes proactive steps to manage cyber risk, and what that means for your premiums: Read the guide
How DigitalXRAID Supports ISO 27001 Audit Success
DigitalXRAID combines deep ISO 27001 expertise with 24/7 security operations to give you confidence that your business is both protected and compliant, from initial scoping through to certification and beyond.
We have never had a major nonconformity from a customer’s certification audit, and we’ve never had one ourselves. Your certification journey is safe in the hands of our experts.
Managed ISO 27001 Certification
Our ISO 27001 Certification service guides you from discovery to certification and ongoing maintenance. DigitalXRAID consultants have supported hundreds of successful certifications, working closely with UKAS-accredited auditors to ensure ISMS and Annex A controls are ready for every stage of the audit.
We take the headache out of each stage: we fully develop your ISMS documentation and provide clear timelines, practical templates, and evidence packs structured for your auditors.
DigitalXRAID is itself ISO 27001 certified, so you benefit from proven internal practices alongside external expertise.
Internal Audit and Readiness Support
We work alongside your team on both internal and external audit cycles. From scoping and risk assessment through to internal audit, corrective action management, and pre-audit workshops, we bring structure and momentum to your ISO 27001 journey.
We partner only with high quality UKAS-accredited certification bodies, so your certificate is trusted and widely recognised.
Managed SOC and Continuous Compliance Monitoring
Our Managed SOC service provides real-time detection, response, and continuous evidence for Annex A controls covering monitoring, logging, incident response, and continual improvement. This means you’re not scrambling for evidence at audit time. It’s always available, current, and structured for sampling.
Continuous monitoring reduces risk and gives you actionable insight beyond the certificate.
Penetration Testing and Vulnerability Management
Technical assurance is a core expectation in ISO 27001 programmes. Our penetration testing services validate the effectiveness of your controls against realistic threats and support informed risk treatment decisions.
Our Vulnerability Management service ensures vulnerabilities are regularly identified, prioritised, and remediated with tracked evidence ready for your auditors.
Together, these services provide both the technical backbone of your ISMS and the reliable artefacts your certification body needs.
Real-World Client Outcomes
Ardens Healthcare Informatics
Ardens needed formal assurance over sensitive healthcare data and sought ISO 27001 certification to strengthen confidence with NHS partners. DigitalXRAID delivered a gap analysis, risk assessment, and structured implementation support.
Following a two-stage audit with a UKAS-accredited body, Ardens achieved certification at first assessment with no nonconformities. Subsequent recertifications have also been successful, including a recent audit with no opportunities for improvement identified.
The certification reduced the workload for the NHS Data Security Protection Toolkit and improved assurance across contracts.
Crowe UK LLP
Crowe UK wanted to formalise their strong but informal security practices and demonstrate ISO 27001 assurance to clients. DigitalXRAID conducted a gap analysis, designed a tailored ISMS, and supported implementation through to a UKAS-certified two-stage audit.
Crowe achieved certification at first assessment and now benefits from an ISMS aligned to business risk with ongoing support from our team.
Final Thoughts: Get Expert Support for Your ISO 27001 Audits
ISO 27001 certification is a strategic investment that strengthens your security resilience, builds market trust, and opens doors to contracts that require it. Understanding why ISO 27001 matters is the first step and with the right preparation and partner, you can achieve certification efficiently and maintain it with confidence.
If you want a clear plan, practical guidance, and evidence ready for Stage 1, Stage 2, and surveillance audits, our ISO 27001 Certification service is built to deliver exactly that. DigitalXRAID has achieved a zero major nonconformity record across every client audit we’ve supported — and we’d like to add yours to that list.
Get in touch with our team today to discuss your ISO 27001 audit readiness and certification journey.
FAQs About ISO 27001 Audits
How long does an ISO 27001 audit take?
Timelines vary by scope and complexity. Stage 1 typically lasts one to two days. Stage 2 takes two to five days for most mid-sized organisations. Plan additional time for corrective actions and evidence gathering between stages. Annual surveillance audits are usually one to two days. The overall certification process from initial scoping to certificate issuance typically takes six to twelve months.
What’s the difference between a Stage 1 and Stage 2 audit?
Stage 1 is a documentation and design review confirming your ISMS is ready for certification. Auditors check your scope, risk methodology, Statement of Applicability, policies, and evidence of internal audit and management review. Stage 2 tests implementation and effectiveness through interviews, record sampling, and process observation. Stage 2 determines certification and identifies any nonconformities you must address.
What are ISO 27001 internal audits and are they mandatory?
ISO 27001 internal audits are a mandatory requirement under Clause 9.2 of the standard. They’re impartial assessments of whether your ISMS conforms to ISO 27001:2022 requirements and your own policies, conducted at planned intervals by someone independent of the processes being reviewed. A completed internal audit, with documented findings and management reporting, must be in place before your external certification audit proceeds.
Can we fail an ISO 27001 audit?
If major nonconformities are found at Stage 2, certification is paused until you address them and the auditor verifies the fix. Minor nonconformities allow you to progress, provided corrective actions are implemented within an agreed timeframe and evidence of closure is submitted. A zero major nonconformity result is achievable with proper preparation; it’s the outcome DigitalXRAID has delivered for every client certification we’ve supported.
How often are ISO 27001 audits required?
After initial certification, annual surveillance audits verify ongoing compliance and improvement. A full recertification audit reassesses your ISMS every three years. Internal audits must occur at planned intervals throughout the year under Clause 9.2, at minimum annually. Many organisations run internal audits more frequently in areas of higher risk.
How much does an ISO 27001 audit cost in the UK?
For a UKAS-accredited certification body, combined Stage 1 and Stage 2 audit fees typically range from £3,000 to £15,000 for small to mid-sized organisations, depending on size, complexity, and the number of sites in scope. Annual surveillance audits usually cost around 50% of the initial audit fee. You should also budget for internal resource time, any consultancy support, technical assurance such as penetration testing, and remediation work. Get quotes from multiple UKAS-accredited bodies before committing.
Who needs to be involved in an ISO 27001 audit?
Expect involvement from your ISMS lead, risk owners, control owners, IT and security operations, HR, procurement, and legal. Senior leadership must participate in management review and be available to demonstrate commitment to information security. Auditors will ask control owners directly about their responsibilities, so preparation across the team matters.
What documents are required for an ISO 27001 audit?
Auditors expect your ISMS scope statement, risk assessment and treatment plan, Statement of Applicability, information security policies and procedures, internal audit records and management review outputs, and evidence of control operation. Every document should have version control, a named owner, and a documented review date.
What happens if nonconformities are found?
You’ll receive a report describing the nonconformity and its impact. For major issues, you must submit a corrective action plan, implement the fix, and provide evidence before certification is granted. For minor issues, corrective actions must be closed within an agreed timeframe and reviewed at your next surveillance audit. Your certification body will verify closure before confirming your certification status.
Is an internal audit mandatory before certification?
Yes. ISO 27001:2022 requires internal audits at planned intervals under Clause 9.2. A completed internal audit, with documented findings and a report presented to management, is a mandatory evidence requirement that your certification body will look for at Stage 1. It can’t be left until after the external assessment begins.
Do we need a consultant to pass the ISO 27001 audit?
You can achieve certification without a consultant, but many organisations benefit significantly from expert support. A managed approach accelerates readiness, removes ambiguity about what auditors expect, and reduces the risk of nonconformities and failed stages. A partner that combines ISO 27001 consultancy with Managed SOC, penetration testing, and vulnerability management gives you stronger evidence, better outcomes, and a more defensible ISMS over time.
What is the difference between auditing ISO 27001 and maintaining certification?
The initial certification audit establishes your compliance against ISO 27001:2022. Maintaining certification involves a programme of regular internal audits, annual surveillance audits by your certification body, and a full recertification audit every three years. Maintenance is ongoing, not a one-off event: your ISMS must demonstrate continual improvement throughout the three-year certification cycle.