One of the most common questions from organisations approaching ISO 27001 certification for the first time: what is the difference between the internal audit (Clause 9.2) and the external certification audit (Stage 1 and Stage 2)? They're often confused, and the confusion leads to poor preparation. This guide explains what each audit is, who conducts it, what they cover, and how a well-executed internal audit makes certification significantly more likely to succeed.
## The two audit types: a comparison
| Dimension | ISO 27001 Internal Audit (Clause 9.2) | External Certification Audit (Stage 1 + Stage 2) |
|---|---|---|
| Who conducts it | Internal auditor (independent of activities audited) or contracted internal auditor | Accredited certification body (BSI, Bureau Veritas, TÜV SÜD, LRQA, etc.) |
| Purpose | Self-assessment — identify gaps, improve ISMS, demonstrate continual improvement | Third-party certification — issue ISO 27001 certificate if criteria met |
| Frequency | Planned intervals (typically annual; first audit 3–6 months before Stage 1) | Initial: Stage 1 + Stage 2 (once). Then annual surveillance audits + 3-year recertification |
| Scope | Full ISMS (Clauses 4–10 + key Annex A controls) or targeted (specific controls) | Stage 1: ISMS documentation + readiness. Stage 2: full evidence of implementation |
| Findings | Major/minor nonconformities + opportunities for improvement (OFIs) | Major/minor nonconformities; major NCs prevent certification until resolved |
| Output | Internal audit report; corrective action register | Stage 1: readiness report. Stage 2: certification decision (pass/conditional/fail) |
| Cost | Internal time or consultant fee (typically £500–£3,000) | Certification body fees (typically £5,000–£25,000 depending on size/scope) |
| Result if gaps found | Internal corrective actions; no external consequence | Certificate withheld until major NCs closed; certificate suspended for persistent issues |
## What Stage 1 covers (and what it's really for)
The Stage 1 certification audit is primarily a document review. The certification body auditor is checking two things:
- Is the ISMS sufficiently documented to proceed to Stage 2?
- Is the organisation ready for Stage 2 (evidence review)?
In Stage 1, the auditor will review:
- ISMS scope statement (Clause 4.3) — is it clear, unambiguous, and appropriate?
- Information security policy (Clause 5.2) — management-approved, communicated?
- Risk assessment and risk register (Clause 6.1.2) — current, methodologically sound?
- Risk treatment plan (Clause 6.1.3) — all risks addressed, Annex A controls selected?
- Statement of Applicability (Clause 6.1.3(d)) — all 93 controls assessed, exclusions justified?
- Information security objectives (Clause 6.2) — SMART, measurable, documented?
- Internal audit programme and last audit report (Clause 9.2)
- Management review records (Clause 9.3)
- Mandatory documented information (Clause 7.5) — all mandatory documents present?
Stage 1 issues are typically documented as "Areas of Concern" (not formal nonconformities) that must be addressed before Stage 2 can proceed. If Stage 1 reveals major gaps (no risk assessment, no SoA, no management review), Stage 2 will be delayed until they are resolved.
## What Stage 2 covers (and why it's harder)
Stage 2 tests whether the ISMS is actually implemented and operating effectively — not just documented. This is where most certification failures occur.
The Stage 2 auditor will:
- Interview personnel across different functions (HR, engineering, management, operations)
- Request evidence of control implementation — logs, screenshots, records, configurations
- Test sample populations (e.g., review 5 randomly selected access control approvals)
- Observe processes where applicable (change management workflow, incident response process)
- Cross-reference documented controls against actual implementation
The most common Stage 2 failures are controls that are documented but not implemented (policy says X, but evidence shows Y), and controls that are implemented but not documented (team does the right thing informally, but no records exist).
## How the internal audit feeds Stage 1 and Stage 2
The certification body will ask to see your internal audit documentation during Stage 1. What they're looking for:
- Audit programme: planned frequency, scope, and methodology (Clause 9.2 requires a programme — not just individual audit instances)
- Audit report: findings from the most recent internal audit — honesty here is valued, not feared
- Corrective actions: what was found, root causes, remediation actions, and whether they're complete
- Independence evidence: that auditors didn't audit their own activities
A powerful pattern: the internal audit identifies 3 minor nonconformities → corrective actions are documented and completed → Stage 1 auditor sees closed corrective actions → this demonstrates a functioning, self-correcting ISMS. This is far better than an internal audit with zero findings, which raises the question: was the internal audit superficial?
## The annual surveillance audit: what to expect after certification
After initial certification, your ISO 27001 certificate is valid for 3 years — but subject to annual surveillance audits. Surveillance audits are lighter than the initial Stage 2. The certification body will typically focus on:
- Were last year's nonconformities or observations closed?
- Has the ISMS continued to operate effectively?
- Were significant changes (new systems, acquisitions, incidents) risk-assessed and reflected in the ISMS?
- Are internal audits still being conducted?
- Are management reviews still being conducted?
Surveillance audits are roughly half the duration of Stage 2. They are not full re-audits — they're a sample-based check that the ISMS is being maintained. Companies that let the ISMS drift between surveillance audits (skip management reviews, stop updating the risk register, let training lapse) find surveillance audits uncomfortable.
## How often to conduct internal audits
The standard says "planned intervals" — no specific frequency. The correct answer depends on your context:
- Pre-certification: One full-scope internal audit covering all Clauses 4–10 and key Annex A controls, 4–8 weeks before Stage 1
- Post-certification, maintenance: Annual full-scope internal audit covering all clauses; targeted control audits quarterly for high-risk areas
- After significant change: Targeted internal audit of affected systems/processes within 30–60 days of a significant change (new cloud environment, acquisition, major system change)
- After a security incident: Targeted audit of the affected controls and processes
Generate your ISO 27001 Internal Audit Checklist covering all mandatory ISMS clauses (4–10) and key Annex A controls. Pair it with the full ISO 27001 suite: Risk Assessment, Risk Treatment Plan, Statement of Applicability, and Gap Assessment.