The initial certification audit for any ISO management system standard is conducted in two stages. Stage 1 is the documentation review and readiness assessment. Stage 2 is the full implementation audit. Many organisations focus their preparation energy on Stage 2, but getting Stage 1 right sets the tone for the entire certification journey. Here is a complete guide to preparing for your Stage 1 audit.
What the Stage 1 Audit Covers
The Stage 1 audit is defined in ISO/IEC 17021-1 (Clause 9.3.1.2) and serves several specific purposes:
- Review of management system documentation: The auditor examines your policies, procedures, and records to confirm they meet the requirements of the standard you are certifying against.
- Evaluation of site-specific conditions: Understanding your organisation's context, locations, and any special considerations for the Stage 2 audit.
- Assessment of readiness: Determining whether your management system is sufficiently implemented and mature for a Stage 2 audit to be productive.
- Audit planning: Gathering information to plan the Stage 2 audit, including resource allocation, focus areas, and logistics.
- Review of internal audits and management review: Confirming that at least one cycle of internal audit and management review has been completed.
Stage 1 is typically conducted partly or wholly off-site for smaller organisations, though a site visit is common and may be required depending on the complexity of your operations.
Required Documents
The specific documents you need depend on which standard you are certifying against, but the following are universally expected:
For All Standards
- Management system policy: Quality policy (9001), information security policy (27001), environmental policy (14001), etc.
- Scope statement: A clear definition of what your management system covers — which products, services, locations, and processes.
- Organisational context analysis: Documentation of internal and external issues, and the needs and expectations of interested parties (Clause 4).
- Roles, responsibilities, and authorities: Evidence that management system roles are defined and communicated.
- Objectives and plans: Measurable objectives with plans for achieving them.
- Internal audit programme and reports: Evidence of at least one complete internal audit cycle.
- Management review minutes: At least one management review covering the inputs specified by the standard.
- Procedure for corrective action: How nonconformities are identified, addressed, and tracked.
Additional for ISO 27001
- Information security risk assessment methodology: Documented criteria for assessing likelihood and impact.
- Risk assessment results: The actual risk register with identified risks, owners, and risk levels.
- Risk treatment plan: How you plan to address risks that exceed your risk acceptance criteria.
- Statement of Applicability (SoA): Which Annex A controls are applicable, which are excluded, and the justification for each.
Additional for ISO 9001
- Process maps or interaction diagrams: Showing how your key processes relate to each other.
- Customer feedback mechanism: How you monitor customer satisfaction.
- Criteria for evaluation of external providers: If you outsource processes that affect quality.
What Auditors Look For
During Stage 1, auditors are assessing readiness, not full compliance. They are looking for evidence that:
- The management system documentation is substantially complete and addresses all required clauses
- The scope is clearly defined and appropriate for the organisation
- Key processes have been identified and documented
- At least one cycle of internal audit and management review has been completed
- Top management is engaged and understands their role
- There are no fundamental gaps that would make a Stage 2 audit unproductive
The auditor is not yet looking for evidence of full implementation or effectiveness — that is what Stage 2 is for. Think of Stage 1 as confirming you have built the framework; Stage 2 confirms the framework is working.
Common Stage 1 Findings
Based on our experience, the most frequent issues identified at Stage 1 are:
- Incomplete context analysis: Organisations list internal issues but forget external ones, or identify interested parties without documenting their requirements.
- Scope too vague or too broad: The scope statement must be specific enough that anyone reading it understands exactly what is covered.
- Missing internal audit: Some organisations rush to Stage 1 before completing their first internal audit. The standard requires at least one cycle.
- Management review not covering required inputs: Each standard specifies what must be reviewed. Generic meeting minutes are not sufficient.
- For ISO 27001 — SoA not aligned with risk assessment: The controls in your SoA must be traceable to your risk assessment results. Auditors check this linkage.
- Objectives not measurable: Stating "improve quality" is not an objective. It must be measurable, with a target, timeline, and assigned responsibility.
Stage 1 vs Stage 2: The Key Difference
The distinction is straightforward:
- Stage 1 asks: "Have you designed a management system that meets the standard's requirements?"
- Stage 2 asks: "Is that management system actually implemented and working effectively?"
Stage 1 is typically shorter (often half a day to one day for smaller organisations) and focused on documentation. Stage 2 is longer and involves interviews with staff, observation of processes, and sampling of records.
The gap between Stage 1 and Stage 2 is usually 30 to 90 days. This window gives you time to address any findings from Stage 1 before the implementation audit.
Tips for Success
- Do not rush. Complete your internal audit and management review before scheduling Stage 1. These are non-negotiable prerequisites.
- Organise your documents. Make it easy for the auditor to find what they need. A document index or matrix mapping documents to clauses is invaluable.
- Be honest about gaps. If you know something is incomplete, say so. Auditors appreciate transparency, and Stage 1 is designed to identify gaps.
- Engage top management early. The auditor will likely want to speak with senior leadership. Make sure they understand the management system and their responsibilities.
- Treat Stage 1 findings as a gift. They tell you exactly what to fix before Stage 2. Address them promptly and thoroughly.
For a full overview of the certification process from application to certificate, visit our certification process page.