ISO 27001

ISO 27001 audit process calculator

Estimate your certification timeline with Stage 1, Stage 2, and surveillance audit timing, corrective action windows, and multi-site sampling. Add internal preparation time for an end-to-end estimate. It is not legal advice.

Calculator

Start with three inputs, then adjust advanced options if needed.

Audit goal
Choose the audit type you are planning for.
ISMS readiness
ISO 27001 Stage 2 typically expects evidence of internal audits and management review.
Number of sites in scope
Multi-site sampling uses the square root rule.
Your internal preparation time
Months you expect to spend preparing before the audit.
3 mo
Advanced options
Regulated data / complexity
Higher complexity widens the audit range.
Expect major nonconformities?
This is a proxy for how clean your evidence is.
Healthcare data toggle
Use if you handle PHI, clinical data, or regulated systems.
Certification audit timeline (planning range)
3 to 5 months

Stage 1 to Stage 2 spacing: 6 to 8 weeks typical, and must be within 6 months.

Corrective action window: responses typically needed within 30 days, and objective evidence for major findings within 90 days (or certification can be delayed).

Stage 1 to certificate: 3 to 5 months

Before Stage 1, be sure you have
  • ISMS scope and Statement of Applicability defined
  • Internal audit completed
  • Management review completed
  • Core policies, risk assessment, and procedures in place
End-to-end estimate
6 to 8 months

Internal prep (3 months) + audit process estimate.

Multi-site sampling estimate
1 site likely audited

Square root sampling: 1 site → at least 1 audited. Example: 25 sites → at least 5 audited.

Rule of thumb: ceil(sqrt(sites)).

Over the 3-year cycle, all sites are normally visited at least once.

What is driving your estimate
  • Operating records tend to reduce audit rework.
  • Low corrective-action risk keeps the range tighter.
  • Single-site scope keeps sampling simple.
  • Medium complexity widens audit effort modestly.
  • Audit goal: Initial certification. Readiness: Operating (3+ months).
Disclaimer: Planning tool only. Audit timing depends on certification body capacity, audit scope, evidence quality, and scheduling constraints.
Methodology and sources

Summary of the baseline ranges and the sources behind them.

The baseline audit-process range is designed as a planning window, not a promise. It reflects typical Stage 1 to Stage 2 scheduling patterns, corrective-action timelines, and the reality that evidence closeout can delay certification.

When multi-site scope applies, the calculator uses the square root sampling rule to estimate the number of sites likely to be audited and slightly widens the range to reflect added audit effort.

High complexity and regulated data widen the range because certification bodies adjust audit effort for risk, scope, and evidence depth.

  • ISOQAR, ISO 27001 audit process explained (Stage 1/Stage 2 timing, 6 months maximum gap, 6 to 8 weeks typical, system running 3+ months, square root sampling). ISOQAR audit process
  • NQA, managing nonconformities timeframes (responses within 30 days, evidence for majors within 90 days). NQA nonconformities guidance
  • Secureframe, ISO 27001 certification timeline phases and 3-year validity (high-level timeline blocks). Secureframe timeline
  • ISMS.online, audit cycle phases and Stage 1 vs Stage 2 context. ISMS.online audit cycle
  • AuditBoard, ISO 27001 audit overview and certification cycle background (optional supporting context). AuditBoard overview

How this calculator works

Baseline audit flow (certification body)
ISO 27001 certification audits typically run in two stages. Stage 1 is a documentation and readiness review. Stage 2 is the in-depth assessment of whether your ISMS is implemented and effective.

Stage 1 to Stage 2 timing
Many organisations schedule Stage 2 about 6 to 8 weeks after Stage 1, and Stage 1 and Stage 2 should be no more than 6 months apart (otherwise Stage 1 may need repeating).

Why corrective actions affect your timeline
A common delay is closing nonconformities after the audit. Example certification body policy: responses are typically required within 30 days, and objective evidence for major findings within 90 days, or certification can be delayed.

Multi-site sampling
If your certification scope includes multiple sites, certification bodies often sample sites using a square root rule (example: 25 sites → at least 5 audited in an initial audit).

What this tool estimates
This calculator provides a planning range for the audit process (Stage 1, Stage 2 spacing, corrective action windows) and lets you add your internal preparation time to get an end-to-end estimate.
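The following is an added example, not the page's own calculator code. It encodes the rules the page states in the multi-site sampling and "How this calculator works" sections (ceil(sqrt(sites)) site sampling, 6 to 8 week Stage 1 to Stage 2 spacing with a 6 month maximum, 30 and 90 day corrective action windows, and the 3 to 5 month baseline audit range), and flags a Stage 2 date that would exceed the 6 month limit. The widening amounts applied for high complexity, expected major nonconformities and multi-site scope are assumptions chosen for illustration; the page says only that these factors widen the range and does not quantify them.

```python
"""Planning calculator for the ISO 27001 certification audit flow (added example)."""
from __future__ import annotations

import calendar
import math
from dataclasses import dataclass
from datetime import date, timedelta


def sites_sampled(sites: int) -> int:
    """Square root sampling rule from the page: ceil(sqrt(sites)), never fewer than 1."""
    if sites < 1:
        raise ValueError("scope must include at least one site")
    return max(1, math.ceil(math.sqrt(sites)))


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def _as_date(d: date | str) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class StagePlan:
    stage2_earliest: date        # Stage 1 + 6 weeks (typical lower bound)
    stage2_latest_typical: date  # Stage 1 + 8 weeks (typical upper bound)
    stage2_deadline: date        # Stage 1 + 6 months; later than this, Stage 1 may need repeating
    response_due: date           # nonconformity responses: Stage 2 + 30 days
    major_evidence_due: date     # objective evidence for majors: Stage 2 + 90 days


def plan_stages(stage1: date | str, stage2: date | str) -> StagePlan:
    """Derive the key dates the page describes from chosen Stage 1 and Stage 2 dates."""
    s1, s2 = _as_date(stage1), _as_date(stage2)
    deadline = add_months(s1, 6)
    if s2 < s1:
        raise ValueError("Stage 2 cannot precede Stage 1")
    if s2 > deadline:
        raise ValueError(
            f"Stage 2 on {s2} is more than 6 months after Stage 1 ({s1}); "
            "Stage 1 may need repeating"
        )
    return StagePlan(
        stage2_earliest=s1 + timedelta(weeks=6),
        stage2_latest_typical=s1 + timedelta(weeks=8),
        stage2_deadline=deadline,
        response_due=s2 + timedelta(days=30),
        major_evidence_due=s2 + timedelta(days=90),
    )


def estimate_months(prep_months: int, sites: int = 1,
                    high_complexity: bool = False,
                    expect_majors: bool = False) -> tuple[int, int]:
    """End-to-end planning range in months: internal prep + audit process range.

    The 3 to 5 month baseline comes from the page. The widening amounts are
    ASSUMPTIONS for illustration, not figures the page gives.
    """
    low, high = 3, 5
    if high_complexity:
        high += 1   # assumed: complexity widens the upper bound by a month
    if expect_majors:
        high += 2   # assumed: a 90 day evidence closeout can push certification out
    if sites_sampled(sites) > 1:
        high += 1   # assumed: additional site visits add audit effort
    return prep_months + low, prep_months + high


if __name__ == "__main__":
    plan = plan_stages("2025-01-15", "2025-03-05")
    print(f"Stage 2 window: {plan.stage2_earliest} to {plan.stage2_latest_typical}, "
          f"hard deadline {plan.stage2_deadline}")
    print(f"Responses due {plan.response_due}, major evidence due {plan.major_evidence_due}")
    print("Sites audited for a 25-site scope:", sites_sampled(25))
    print("End-to-end range with 3 months prep, single site:", estimate_months(3))
```

With the page's default inputs (3 months of preparation, one site, medium complexity, no expected majors) `estimate_months(3)` returns the same 6 to 8 month end-to-end range the calculator shows, and `plan_stages` raises rather than silently scheduling a Stage 2 that falls outside the 6 month limit.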

How AI Gap Analysis reduces ISO 27001 audit cost risk

Audits slow down when evidence is hard to verify: missing records, unclear traceability, or controls that exist but are not documented consistently.

AI Gap Analysis turns your current ISMS docs into an audit-ready evidence pack:

  • Clause-by-clause gaps (what is missing)
  • Evidence map with citations and page links (what proves it)
  • A remediation list you can assign to owners

Generate my ISO 27001 evidence map

Upload your policies, risk assessment, SoA, and core procedures. Get a clause-by-clause gap list and evidence links.

FAQ

What is an ISO 27001 audit?

An ISO 27001 audit is an assessment of your Information Security Management System (ISMS) against ISO 27001 requirements. For certification, it is typically performed in two stages by a certification body.

What is the ISO 27001 audit process (Stage 1 vs Stage 2)?

Stage 1 is a documentation and readiness review. Stage 2 is the in-depth assessment of implementation and effectiveness, and it is the last step before certification.

How long between Stage 1 and Stage 2 audits?

A common schedule is Stage 2 about 6 to 8 weeks after Stage 1. Stage 1 and Stage 2 should be no more than 6 months apart, or Stage 1 may need to be repeated.

Do we need an internal audit before ISO 27001 certification?

Practically, yes. Stage 1 checks readiness, and auditors commonly expect evidence that internal audits and management reviews have happened as part of operating the ISMS.

How long do we have to close ISO 27001 audit nonconformities?

Example certification body policy: responses within 30 days, and objective evidence for major nonconformities within 90 days, or certification can be delayed.

How often are ISO 27001 surveillance audits?

Certification is typically maintained through surveillance audits in the cycle after initial certification, and then recertification at the end of the term (commonly a 3-year cycle).

How many sites will be audited for ISO 27001?

For multi-site scopes, certification bodies may sample sites using a square root rule (example: 25 sites → at least 5 audited in an initial audit), and over the cycle all sites are normally visited at least once.