Stage 2 is the moment of truth for an ISO 27001 implementation. The auditor arrives — physically or virtually — and tests not whether the ISMS is documented but whether it is real. Whether the controls are operational. Whether the staff understand their obligations. Whether the management reviews actually happened. Whether the risk register reflects the genuine threat landscape or was calibrated to produce an acceptable result.
The most common experience of well-prepared organizations at Stage 2 is that it feels less scary than anticipated. The auditor is not an adversary — they are an independent professional whose job is to verify, not to catch out. When the ISMS is genuinely operational and evidence is organized and accessible, Stage 2 proceeds as a structured conversation rather than an interrogation. When it is not — when controls were deployed for the audit, evidence is scattered, and staff cannot answer basic awareness questions — Stage 2 is uncomfortable for everyone involved.
This article covers the Stage 2 audit in full practitioner detail: how audit days are typically structured, what evidence the auditor will request and in what form, who will be interviewed and what they will be asked, the logistics of managing the audit effectively, and how to interpret and respond to the findings that come out of the closing meeting.
The Stage 2 Audit Structure
Stage 2 audits typically span 2–5 auditor days depending on the scope complexity and organization size. For a focused-scope first-cycle certification of a mid-sized Indonesian organization, 3 auditor days is most common. The structure follows a consistent pattern regardless of the CB: opening meeting, evidence collection by domain, staff interviews, finding compilation, and closing meeting.
The table below maps a typical 3-day Stage 2 structure to show what happens in each session. Actual sequencing varies by auditor — this is representative, not prescriptive:
| Day | Morning | Afternoon | End of day |
|---|---|---|---|
| Day 1 (of 3) | Opening meeting — auditor explains the audit plan, confirms scope, answers questions. ISMS Manager and CEO/Executive Sponsor should attend. Duration: 30–60 minutes. | Management interviews — auditor interviews CEO/Executive Sponsor on leadership commitment (Clause 5), risk appetite, and ISMS oversight. ISMS Manager interviewed on risk assessment, risk treatment plan, and management review. Clause 4, 5, 6 review continues. | Auditor reviews risk register, SoA, risk treatment plan in detail. Tests coherence between risk register risks and SoA control selections. May request additional documentation. |
| Day 2 (of 3) | Technical control testing — auditor or technical specialist tests the Annex A technological controls (theme 8). Covers: MFA configuration, vulnerability scan records, access control settings, logging and monitoring configuration, network security. Configuration exports and system screenshots requested. | Process control testing — access review records, incident log, change management records, supplier contracts and monitoring evidence. Staff interviews on operational security practices. May interview IT, HR, and finance staff. | Internal audit and corrective action review — auditor reviews internal audit reports, finding quality, corrective action register, and CAR closure evidence. Tests whether internal audit is genuine. |
| Day 3 (of 3) | People controls — awareness training completion records, competence evidence for ISMS roles, policy acknowledgment records. May interview 2–3 non-ISMS staff to test awareness levels. Physical security (if applicable). | Auditor compiles findings, reviews evidence collected, prepares closing presentation. Final clarifications may be requested during this period — the ISMS team should remain available. | Closing meeting — auditor presents findings, classifies each as major NC, minor NC, or observation. Explains the certification recommendation. Confirms the NC response process and timeline for certificate issuance. |
| The opening meeting: This meeting is more important than organizations typically appreciate. It establishes the working relationship for the entire audit. Use it to: confirm that all Stage 1 findings have been addressed (auditor should already have your closure responses), clarify any scope questions, and establish the communication protocol for the audit — how evidence will be shared, who is the primary contact, when daily wrap-ups will occur. An ISMS Manager who comes to the opening meeting with an organized audit day plan signals a professional, prepared organization. |
Evidence the Auditor Will Request
Stage 2 auditors request specific evidence for each control domain they test. Knowing what will be requested in advance allows you to organize evidence proactively rather than scrambling during the audit. The evidence requests below are organized by control domain — each represents what a thorough auditor would ask for during Stage 2:
| Access Control (A.5.15–5.18, A.8.2–8.5) |
|
| Vulnerability Management (A.8.8) |
|
| Incident Management (A.5.24–5.28) |
|
| Supplier Security (A.5.19–5.23) |
|
| Security Awareness (Clause 7.3, A.6.3) |
|
| Logging & Monitoring (A.8.15, A.8.16) |
|
| Governance (Clauses 5, 9.3, 9.2, 10) |
|
| Evidence organization principle: Every item in the evidence list above should be retrievable within 30 seconds. This sounds like a minor logistical point but it significantly affects the audit experience and outcome. An auditor who waits 20 minutes for a piece of evidence will form a view about the operational maturity of the ISMS. An auditor who receives clean, organized evidence promptly will form a different view. Organize evidence by Annex A domain in your GRC platform or document library before audit day — not the morning of the audit. |
Staff Interview Guide
Staff interviews are one of the most revealing elements of a Stage 2 audit. They test whether the ISMS exists only in documentation or whether it has been embedded into how the organization actually operates. Auditors are experienced at distinguishing genuine understanding from briefed recitation — they probe responses with follow-up questions that deviate from any prepared script.
The table below maps the typical auditor questions for each interview subject and provides preparation guidance. The goal is to prepare interviewees to answer from genuine understanding — not to script their responses:
| Interview subject | Typical auditor questions | Preparation guidance |
|---|---|---|
| CEO / Executive Sponsor | | The CEO must demonstrate genuine engagement — not that they have been briefed, but that they understand and own the ISMS. Answers like 'I leave security to the CISO' signal Clause 5.1 leadership failure. Prepare the CEO to answer fluently on top risks, risk appetite, and management review outcomes. |
| ISMS Manager / CISO | | The ISMS Manager should be the most prepared interviewee. They must demonstrate command of the methodology, honest awareness of implementation gaps, and a credible approach to ongoing management. Over-prepared, scripted responses raise suspicion — prepare for honest, fluent conversation rather than perfect recitation. |
| IT Manager / Head of Engineering | | Technical interviewees should answer in operational specifics — not 'we have a process' but 'here is what happens step by step'. Prepare by reviewing the procedures that govern each of these areas and ensuring the IT Manager's description matches the documented procedure. |
| Non-IT Staff (Customer Service / Finance / HR) | | Non-IT staff should answer from genuine understanding — not rehearsed scripts. The auditor's goal is to test whether awareness training has produced behavioral understanding, not just completion records. Brief staff on what these questions test, but do not give them scripted answers. |
| HR Representative | | HR must demonstrate that the onboarding and offboarding security procedures are operational and understood, not just documented in an ISMS procedure that HR has not read. Brief HR on the specific SLAs (access revocation within 4 hours) and the process for new hire LMS enrollment. |
| The single most revealing interview question in a Stage 2 audit is asking the CEO what the organization's top three information security risks are. An executive who can answer fluently and specifically — 'credential compromise of our payment processing API is our highest-rated risk at score 20, followed by unauthorized data exfiltration and supplier security incidents' — demonstrates that leadership engagement with the ISMS is genuine. An executive who responds 'well, security is important, you'd need to ask the CISO about specifics' demonstrates the opposite. Prepare the CEO for this question specifically. |
Audit Day Logistics
The logistics of audit day matter more than many ISMS teams appreciate. Auditors form impressions continuously — a disorganized evidence retrieval process, a CEO who cannot be located for their scheduled interview, a shared folder with incorrect permissions — all contribute to an impression of an ISMS that is not operationally managed. The checklist below covers the logistics that most commonly affect audit day experience:
Venue and Access Preparation
☐ Quiet, private meeting room reserved for the full audit duration — with whiteboard/screen for document sharing
☐ System access arranged for the auditor: read-only access to the ISMS document repository and demo access to the GRC platform (e.g. Bitlion), provisioned as a named, time-bound account that is revoked at audit close. The auditor's account is itself an access record that your next access review and the surveillance auditor will see, so treat it like any other joiner/leaver.
☐ VPN or remote access configured if auditor requires access to internal systems for evidence review
☐ Technology confirmed: video call link tested (if remote audit), screen sharing capability confirmed
☐ Visitor management organized if physical audit — visitor log, badge, escort policy
Evidence Library Readiness
☐ Evidence organized by Annex A control domain in a structured folder or GRC platform — retrievable within 30 seconds per item
☐ All documents current: no expired policies, no stale access review records, no superseded SoA versions in the evidence library
☐ Key documents printed or available on a shared screen: Risk Register (current), SoA (current), Management Review Minutes, Audit Reports
☐ System evidence pre-exported: IAM user/MFA report, vulnerability scan reports, access review outputs, LMS completion report
☐ Incident log accessible and showing entries for the audit period
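Of the pre-exported system evidence items in the checklist above, the IAM user/MFA report and the access review outputs are the two most worth scripting, because the auditor's question is never 'do you have MFA' but 'which in-scope accounts do not have it', and never 'do you review access' but 'which quarterly review is overdue and by how much'. The Python below is an added example, not code from this article or from the Bitlion platform. It builds both pieces of evidence from two constructed CSV exports whose column layout is assumed (every IdP and ticketing system exports its own schema, so map real columns to these first), and it assumes a 90-day cadence and a fixed list of in-scope systems to match a quarterly access review procedure.

```python
"""Added example: Stage 2 system evidence from constructed exports.
Not code from the article or the Bitlion platform. Column names, the
90-day cadence and the in-scope system list are assumptions."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: a hypothetical IdP/IAM user export.
USER_EXPORT_CSV = """\
username,enabled,console_access,mfa_enrolled
alice,true,true,true
bob,true,true,false
svc-backup,true,false,false
carol,false,true,false
dave,true,true,true
"""

# Constructed sample: one row per completed access review, as the
# access review procedure would log it.
REVIEW_LOG_CSV = """\
system,review_date,reviewer,revocations
payment-api,2024-01-15,it-manager,2
payment-api,2024-04-12,it-manager,0
hr-system,2023-12-20,hr-lead,1
"""

SCOPED_SYSTEMS = ["payment-api", "hr-system", "crm"]  # assumed procedure scope
REVIEW_CADENCE_DAYS = 90  # quarterly, per the assumed procedure


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value):
    return value.strip().lower() == "true"


def mfa_report(users):
    """MFA coverage over accounts that can log in interactively.

    Disabled accounts are out of scope. Enabled service accounts without
    console access are excluded from the denominator but listed, because
    the auditor will ask how those authenticate instead.
    """
    in_scope = [u for u in users if _flag(u["enabled"]) and _flag(u["console_access"])]
    exceptions = sorted(u["username"] for u in in_scope if not _flag(u["mfa_enrolled"]))
    service = sorted(
        u["username"] for u in users if _flag(u["enabled"]) and not _flag(u["console_access"])
    )
    return {
        "in_scope": len(in_scope),
        "with_mfa": len(in_scope) - len(exceptions),
        "exceptions": exceptions,  # the finding candidates
        "service_accounts": service,
    }


def overdue_reviews(reviews, scoped_systems, as_of_iso, cadence_days=REVIEW_CADENCE_DAYS):
    """Return {system: days_overdue}; None means never reviewed.

    Only the latest review per system counts, and an in-scope system that
    never appears in the log is reported rather than silently passing.
    """
    as_of = date.fromisoformat(as_of_iso)
    latest = {}
    for row in reviews:
        reviewed = date.fromisoformat(row["review_date"])
        if row["system"] not in latest or reviewed > latest[row["system"]]:
            latest[row["system"]] = reviewed
    overdue = {}
    for system in scoped_systems:
        if system not in latest:
            overdue[system] = None
            continue
        due = latest[system] + timedelta(days=cadence_days)
        if due < as_of:
            overdue[system] = (as_of - due).days
    return overdue


def render_evidence(as_of_iso):
    """Plain-text evidence sheet the auditor can read without the tooling."""
    mfa = mfa_report(parse_csv(USER_EXPORT_CSV))
    late = overdue_reviews(parse_csv(REVIEW_LOG_CSV), SCOPED_SYSTEMS, as_of_iso)
    lines = [
        f"Evidence export as of {as_of_iso}",
        f"MFA (A.8.5): {mfa['with_mfa']}/{mfa['in_scope']} interactive accounts enrolled",
        f"  without MFA: {', '.join(mfa['exceptions']) or 'none'}",
        f"  non-interactive service accounts: {', '.join(mfa['service_accounts']) or 'none'}",
        f"Access reviews (A.5.18), {REVIEW_CADENCE_DAYS}-day cadence:",
    ]
    for system, days in late.items():
        lines.append(f"  {system}: " + ("never reviewed" if days is None else f"{days} days overdue"))
    if not late:
        lines.append("  all in-scope systems reviewed within cadence")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_evidence("2024-06-03"))
```

Run it the morning before Day 2 with the real exports and the current date, keep the output beside the raw exports it was derived from, and expect the auditor to ask for the raw export anyway: the sheet answers the question quickly, the export proves the sheet. Note that with the constructed data the script surfaces exactly the two items the article later uses as example findings, an interactive account without MFA and an overdue quarterly review, which is the point of running it before the auditor does.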
People Availability
☐ CEO / Executive Sponsor available for minimum 1 hour on Day 1 (confirmed, with diary block)
☐ ISMS Manager available for the full audit duration (no competing meetings scheduled)
☐ IT Manager / Head of Engineering available Day 2 morning for technical controls review
☐ HR Representative available Day 3 morning
☐ 2–3 non-IT staff selected and notified they may be interviewed — briefed on what to expect, not scripted
☐ All interview subjects have received a briefing on what auditors typically ask (see Interview Guide, this article)
Audit Day Conduct
☐ Designate a single point of contact for the auditor — ISMS Manager is the primary interface throughout the audit
☐ Brief all interviewees: answer questions honestly, provide evidence requested promptly, say 'I don't know, I'll find out' rather than guessing
☐ Evidence runner designated: a person responsible for retrieving documents and records the auditor requests during the audit
☐ Log all evidence provided to auditor — list of documents shared and system screenshots taken
☐ Keep a note of any questions the auditor asks that evidence could not immediately answer — follow up before closing meeting
| Remote vs. in-person audits: Remote Stage 2 audits have become common since 2020 and are now accepted by most CBs for smaller scope certifications. Remote audits require more careful advance planning of evidence sharing (shared drives, screen sharing protocols) but otherwise follow the same structure. The key additional requirement for remote audits is ensuring that technical demonstration access (to SIEM, IAM systems, vulnerability scanners) is arranged and tested before audit day — discovering that VPN access is not configured on audit morning is an avoidable problem. |
Managing Difficult Audit Moments
Even well-prepared Stage 2 audits encounter difficult moments — evidence that cannot be immediately located, a question that reveals a gap, a staff interview that does not go as expected. How the ISMS team handles these moments matters as much as whether they occur.
When evidence cannot be immediately retrieved
'I need to locate that record — can I send it to you within the hour?' is an acceptable and professional response. 'We have that but I can't find it right now' followed by continued searching during the auditor's time is not. Designate an evidence runner before audit day. If a specific piece of evidence cannot be retrieved promptly, log it, continue with the next area, and follow up before the closing meeting. Auditors who receive prompt, organized follow-up treat it as evidence of professional management; auditors who receive incomplete or chaotic follow-up treat it as evidence of poor record management.
When a gap is discovered during the audit
If an auditor identifies a gap that the ISMS team had not identified — an access review that was not completed on schedule, a procedure that does not match actual practice — the professional response is to acknowledge it honestly. 'You are right — that review was missed and we should have caught it in our internal audit. Here is our corrective action plan.' This response is far more credible than defensiveness or rationalization. Auditors have seen every defensive response pattern — honesty and a corrective action plan is what they want.
When a staff interviewee struggles
Not every staff member will interview well under audit conditions — some people become anxious and forget things they genuinely know. If an interviewee gives an incorrect or incomplete answer, the ISMS Manager should resist the urge to correct them in real time (which signals briefing rather than genuine awareness). Instead, note the area for follow-up and address it directly with the auditor in the closing meeting: 'I noticed some uncertainty in the interview about our incident reporting process — I would like to provide additional evidence of staff awareness training in that area.'
| What not to do when the audit is going badly: The worst response to a difficult audit is to become increasingly defensive, to promise corrective actions that cannot be delivered, or — most damagingly — to provide false or misleading evidence. A CB that discovers misleading evidence during an audit will take a very different view of every other piece of evidence they have seen. Honesty about gaps, combined with a credible corrective action plan, is the only approach that preserves the long-term relationship with the CB and the integrity of the certification. |
The Closing Meeting and Audit Findings
The closing meeting is where the auditor presents their findings and makes their certification recommendation. It is the most consequential meeting of the audit process, and preparation makes a significant difference to how it is experienced and how effectively the organization can act on its outcomes.
| Closing meeting element | Guidance |
|---|---|
| Who should attend | ISMS Manager (mandatory). CEO / Executive Sponsor (strongly recommended — their presence signals the ISMS is genuinely a management system, not an IT project). IT Manager if technical findings are likely. Legal Counsel if regulatory findings are anticipated. |
| What the auditor will present | Summary of audit activities conducted. List of findings classified as major NC, minor NC, or observation. Certification recommendation. Explanation of next steps — NC response process, certificate issuance timeline. The auditor will typically present findings one by one and ask whether the auditee understands and agrees with each classification. |
| How to respond to findings | Listen carefully to each finding before responding. It is appropriate to ask clarifying questions about a finding — 'Can you help me understand the specific clause requirement that this finding relates to?' It is not appropriate to argue that a finding is wrong if the evidence supports it. Accept the finding and commit to addressing the root cause. If you genuinely believe a finding is based on a misunderstanding, raise it professionally with supporting rationale. |
| What not to do | Do not become defensive or argumentative about findings — it damages the relationship with the CB and signals to auditors that the organization does not welcome honest assessment. Do not promise corrective actions that cannot be delivered in the timeframe — it is better to request a longer response window than to commit to an unrealistic deadline and miss it. Do not attempt to explain away a finding by pointing to plans or intentions — auditors assess what exists, not what is planned. |
| Immediate post-closing actions | Request the formal Stage 2 audit report from the CB (typically issued within 5–10 business days). Begin corrective action planning for all findings immediately — do not wait for the formal report. Notify the executive sponsor of the audit outcome and the NC response timeline. Update the corrective action register with all findings from the closing meeting. |
Interpreting the Certification Recommendation
At the closing meeting, the auditor will make a certification recommendation — but it is the CB's technical review committee, not the auditor, that makes the final certification decision. The recommendation takes one of the following forms, with corresponding actions:
| Audit outcome scenario | CB recommendation | Recommended response | Certificate timeline | Perspective |
|---|---|---|---|---|
| Single minor NC found (e.g. one quarterly access review overdue) | Certification recommended. CB policy on minor NCs varies: some accept a corrective action plan and verify closure at the first surveillance audit, others require closure evidence before the certificate is issued, typically within 30–90 days. Confirm which applies in the closing meeting. | Provide corrective action plan within CB's specified timeframe. Execute the overdue review immediately. Submit evidence. CB confirms closure and issues certificate. | Certificate typically issued 2–6 weeks after NC closure confirmation. | Manageable. Very common outcome for first-cycle certifications. Do not be alarmed. |
| Multiple minor NCs found (3–6 isolated gaps across different areas) | Certification recommended — all minor NCs to be resolved within 30–90 days. CB may require formal response plan for each. | Develop a consolidated corrective action plan addressing all NCs. Address most critical first. Submit evidence for each closure. CB confirms all CARs are closed before certificate issuance. | Certificate issued 4–10 weeks after all NC closures confirmed, depending on CB process. | Still a normal outcome. Multiple minor NCs in a first-cycle audit reflect the reality of ISMS implementation — not a failed audit. |
| One major NC found (e.g. MFA required by the access control policy but not deployed for any accounts, no management review) | Certification not recommended until major NC is resolved. CB will require a follow-up audit or evidence submission to verify resolution. | Address the root cause, not just the symptom. For MFA: deploy for every account the policy covers and submit the IAM export as evidence. For management review: conduct a genuine review and submit minutes. CB verifies resolution — may require a follow-up visit or document submission. | Certificate cannot be issued until CB is satisfied the major NC is resolved. Typically adds 4–12 weeks to the timeline. | Serious but recoverable. Do not attempt to address major NCs superficially — the CB will probe the resolution as carefully as the original finding. |
| Multiple major NCs or systemic failures | Certification cannot be recommended. A repeat Stage 2 audit may be required after substantive remediation. | Accept the outcome and develop a comprehensive remediation plan. The ISMS has material gaps that require genuine corrective action — not documentation patches. Consider whether the implementation timeline was adequate. | Remediation may require 3–6 months before a repeat Stage 2 is appropriate. Timeline reset. | Rare in well-prepared implementations. If this outcome occurs, it signals the ISMS was not ready for Stage 2 — addressing the root cause of that readiness gap is more important than the fastest path back to audit. |
The most important perspective on Stage 2 outcomes is proportion. A certification audit that finds a handful of minor nonconformities has done its job — it has verified the ISMS independently and identified areas to improve. An audit that finds nothing has either encountered a genuinely mature ISMS or was not conducted rigorously enough to find what was there. The goal is not a zero-finding audit; the goal is an honest audit that produces a genuine certificate.
After the Closing Meeting: The Path to Certificate
Between the closing meeting and the formal certificate issuance, the organization must complete three activities in parallel: respond to findings, await the CB's technical review, and prepare for ongoing certification maintenance.
- Respond to all NCs: Submit corrective action plans and evidence of resolution within the CB's specified timeframe. Major NCs typically require a 30-day response; minor NCs may allow 60–90 days depending on the CB. Do not wait until the last day — submit evidence as it becomes available.
- CB technical review: The CB's technical reviewer (an internal review not involving the audit team) assesses the audit report and findings. This typically takes 2–4 weeks. The reviewer may request clarifications or additional evidence — respond promptly.
- Certificate preparation: Once all findings are resolved and the technical review is complete, the CB issues the certificate. The certificate will state the scope, the standard and version, the initial certification date, and the expiry date (3 years after initial certification). Verify that the scope statement on the certificate matches your ISMS scope statement exactly.
From closing meeting to certificate receipt, the typical timeline for an organization with only minor NCs is 4–8 weeks. Organizations with major NCs should expect 8–16 weeks depending on the complexity of remediation required.
| Bitlion post-audit support: Bitlion's platform tracks Stage 2 findings directly as corrective action records, linking each finding to the relevant control and clause in the ISMS. Evidence of NC resolution is uploaded against the corrective action record and submitted to the CB through the platform's supplier communication module. The timeline from finding to closure is tracked automatically, with notifications when response deadlines approach. |
The Certificate: What It Says and What It Means
The ISO 27001:2022 certificate, when issued, states: the organization's name, the certified scope (exactly as defined in the ISMS scope statement), the standard and version (ISO/IEC 27001:2022), the certification body's name and accreditation details, the initial certification date, the expiry date, and the certificate number. Verify all of these fields before distributing the certificate, and confirm that the accreditation mark on it belongs to an accreditation body whose public register lists the CB for ISO/IEC 27001. Clients and regulators can check that register themselves, and a certificate from an unaccredited CB carries little weight with them.
What the certificate means: it is a statement from an accredited, independent third party that, at the time of the audit, your ISMS met the requirements of ISO 27001:2022 within the certified scope. It is not a guarantee that no security incidents will occur. It is not a statement that every security control in the world is in place. It is a credible, internationally recognized attestation that your information security management approach is structured, documented, risk-driven, and independently verified.
Use the certificate appropriately — in client questionnaires, procurement responses, regulatory submissions, and marketing materials — with the scope statement context. A certificate that covers your core payment platform should not be cited as evidence that your entire organization meets ISO 27001 standards if the ISMS scope does not include the entire organization.