Your security and compliance glossary

All the terms you need to know when you’re trying to get compliance audit ready, fast.

Show filters
Blogs
Events
Glossary
Guides and reports
Videos

Follow us

Linkedin iconFacebook icontwitter iconinstagram icon

What is the ISO 27001 Stage 1 Audit?

The ISO 27001 Stage 1 Audit is the first part of the two-stage external ISO certification process. The Stage 1 Audit consists of an extensive documentation review in which an external ISO 27001 auditor reviews an organization’s policies and procedures to ensure they meet the requirements of the ISO standard and the organization’s Information Security Management System (ISMS). After completing the Stage 1 audit, the auditor will provide feedback outlining whether the organization is ready to move to the Stage 2 audit

If the auditor determines the ISMS fails to meet the requirements of the ISO 27001 standard, the auditor will typically outline areas of concern—referred to as nonconformities—and will require corrective action or corrective action plans before proceeding to the Stage 2 audit.

An ISO 27001 certification is valid for three years; however, ISO requires surveillance audits be performed each year to ensure the ISMS and its implemented controls continue to operate effectively. Every 12 months during the three-year cycle, an organization’s ISMS must undergo an external audit, where an auditor will assess portions of the ISMS.

{{cta_withimage2="/cta-modules"}}

Related Terms

Additional resources you might like:

Compliance
Events
Agentic compliance in action with Vanta and Claude

Register to learn how Vanta's MCP Server brings your compliance program directly into Claude.

GRC
Blog
How to write a risk appetite statement in 5 steps

A risk appetite statement isn’t useful unless it drives decisions. Learn how to create one with clear thresholds that help align action with your risk appetite.

GRC
Blog
Risk appetite and risk tolerance: What’s the difference?

Learn what risk appetite and risk tolerance mean, how they differ and formalize them at scale.

Additional resources you might like:

Compliance
Events
Agentic compliance in action with Vanta and Claude

Register to learn how Vanta's MCP Server brings your compliance program directly into Claude.

GRC
Blog
How to write a risk appetite statement in 5 steps

A risk appetite statement isn’t useful unless it drives decisions. Learn how to create one with clear thresholds that help align action with your risk appetite.

GRC
Blog
Risk appetite and risk tolerance: What’s the difference?

Learn what risk appetite and risk tolerance mean, how they differ and formalize them at scale.

Comparisons and reviews
Video
Why enterprise leaders choose Vanta over Drata to prove and manage trust

Learn how Vanta is uniquely equipped to meet the needs of large, complex organizations.

Compliance
Blog
The 9 compliance risks hiding in your organization (and how to fix them)

Learn what compliance risk is and what its most common types are. Find out how to assess and manage your compliance risk and best practices to follow.

Comparisons and reviews
Blog
The best TPRM software for 2026

Discover the best third-party risk management software solutions for 2026.

Comparisons and reviews
Blog
Top 5 OneTrust alternatives

Check out top OneTrust alternatives for compliance and risk management.

Comparisons and reviews
Blog
Top 4 Secureframe alternatives

Explore features, limitations, and scalable compliance solutions.

Vendor Risk Management
Blog
GDPR, NIS 2, and DORA converge on one problem: Third-party risk

Discover how EU regulations, GDPR, NIS 2, and DORA, make third-party risk a direct, continuous business liability. Find out why most teams still lack visibility.

Get compliant and build trust—fast

Request a demo
G2 Badge Winter 2026 LeaderG2 Badge Winter 2026 Enterprise LeaderG2 Badge Milestone 'Users Love Us'