ISO 27001 Stage 2 Audit
Also known as the Certification audit, the ISO 27001 Stage 2 Audit is the second step of the two-step external ISO certification process. It follows after the ISO 27001 Stage 1 Audit is successfully completed. The Stage 2 Audit is a more in-depth step where the external ISO 27001 auditor performs tests to verify whether an organization’s Information Security Management System (ISMS) has been properly established or not. It focuses on testing whether the security controls have been implemented and are functioning appropriately. As a part of this step, the external auditor will also analyze the suitability of the organization’s security controls to decide if the controls are functioning correctly as stated in the ISO 27001 standard.
The ISO 27001 certification is valid for 3 years. However, the ISO standard states that organizations must monitor audits every year to verify if the ISMS and its imposed security controls are operating effectively. Thereby, every 12 months during the three-year cycle, the ISMS of an organization is open to external audit, where the auditor assesses its effectiveness.