Sometimes you'll see ISO 27001 audits broken down into a 'Stage 1' and a 'Stage 2' audit. These stages mostly serve to demarcate the preparation for assessment from the assessment itself. Collaborative assessors will engage in the Stage 1 alongside you, and prod and poke at policies, procedures, and organisational understandings that may cause issues at Stage 2. **This is often also referred to as the 'dry run' - an opportunity to honestly and openly engage your assessor and find nonconformities to get ironed out ahead of Stage 2.**
The Stage 1 audit evaluates the ISMS that the team has built, in anticipation of the formal and final audit that precedes certification as an ISO 27001 ISMS. The Stage 2 audit verifies effective implementation and, hopefully, ends in the final award of compliance.
## Stage 1 Focus
Stage 1 serves as the final and most thorough gap analysis of the management system. It will likely focus on an active review of documentation, such as:
- Policies and procedures
- The risk assessment
- The scope
- Resource allocation documentation
It's also very common to do a formal Internal Management Review as a component of Stage 1, kicking off the annual requirement to conduct one. These reviews are essentially a formalized fact finder for ensuring the effectiveness and performance of the management system.
## Stage 2 Focus
With an external assessor on-site, Stage 2 involves the assessment of all components of the ISMS and is conducted using a combination of interviews, observations, and show-and-tells.