Businesswoman smiling while using a tablet

What is an ISO 27001 audit?

An ISO 27001 audit is an independent assessment of your Information Security Management System (ISMS). Its purpose is to verify that your organisation has implemented the security controls, processes, and risk management practices required by the international standard, and that they’re working effectively in practice.

At its core, an ISO 27001 audit checks that your business is protecting the confidentiality, integrity, and availability of its information assets. It also examines whether the controls and processes you have in place are functioning effectively, rather than just simply being documented.

The audit process applies whether you’re pursuing ISO 27001 certification for the first time or maintaining it through your three-year cycle. There are two types of audits to understand: internal, which your own team runs, and external, conducted by an accredited certification body like Citation Group.

Smiling man in office setting

Types of ISO 27001 audits

ISO 27001 internal audit

Your own team runs internal audits, or you bring in a contracted internal auditor to assess how well your ISMS is working before an external auditor steps in. They should happen at least once a year and are one of the most important things you can do to stay on top of compliance. A well-run internal audit uncovers gaps, drives corrective actions, and keeps your information security posture honest between external assessments.

External audit

An independent certification body like Citation Group carries out external audits. These determine whether your organisation achieves, maintains, or renews ISO 27001 certification. External audits include the initial certification audit (Stage one and Stage two), annual surveillance audits, and a recertification audit every three years.

The ISO 27001 certification audit process

From initial certification through to recertification, here’s how the full audit process works.

Woman participating in online ISO training

Step 1: Documentation review (Stage 1)

Your external auditor reviews your ISMS documentation before the on-site assessment begins. Key documents reviewed include your ISMS scope, Information Security Policy, risk assessment and risk treatment plan, Statement of Applicability (SoA), asset inventory, access control policy, and incident response procedures.

Stage one typically takes one to two days. Your auditor is not checking whether everything is perfect. Instead, they’re confirming your ISMS is sufficiently documented and implemented to proceed to on-site assessment. Any significant gaps are flagged with clear guidance on what needs to be addressed before Stage two begins. The more thoroughly you’ve prepared your documentation before Stage one, the smoother the path to certification.

Colleagues conducting a Gap Analysis

Step 2: On-site certification assessment (Stage 2)

Your auditor verifies that your ISMS is fully implemented and working in practice, not just documented. This involves examining your operational controls, risk register, risk treatment plan, physical security measures, and staff security training. Your auditor will collect evidence, interview the people responsible for each area of your ISMS, and assess whether it genuinely meets the requirements of ISO/IEC 27001.

The duration depends on the size and complexity of your organisation. Factors such as the number of employees in scope, locations, and information assets all influence how long the assessment takes. Audit findings are documented clearly. Minor non-conformances are resolved through agreed corrective actions; major ones must be addressed before certification is issued.

A tradesman giving quality customer service

Step 3: Certification

After successfully completing Stage one and Stage two, your organisation receives a Statement of Certification confirming compliance with ISO/IEC 27001. Certification is valid for three years, subject to passing annual surveillance audits.

This is the point where your investment in building a strong ISMS becomes formally recognised by customers, government bodies, procurement teams, and enterprise supply chains that require ISO 27001 certification as a condition of doing business.

Auditor surveying a warehouse

Step 4: Annual surveillance audits

Annual surveillance audits take place in years one and two of your certification cycle. They’re less extensive than your initial certification audit, but they’re a real and structured commitment. Your auditor will check that your ISMS continues to meet the standard, that any non-conformances from your previous audit have been resolved, and that your team is actively maintaining your risk register and risk treatment plan. They’re also looking for evidence that your team is genuinely improving its approach to information security.

Think of surveillance audits as your annual health check: not a formality, but the thing that keeps your certification meaningful.

Woman implementing suggested changes after completing Gap Analysis

Step 5: Recertification audit

At the end of your three-year cycle, a full recertification audit reassesses your entire ISMS, with a scope similar to your original Stage one and Stage two assessments. For most certified organisations, recertification is more straightforward than the initial certification process. Your documentation, internal audit processes, and risk management practices are already established, and your team has spent three years working within the standard.

That said, it’s a genuine assessment. Any significant changes to your environment, including new systems, an expanded audit scope, changes to how you handle sensitive data, or organisational restructuring, are all taken into account by your auditor. Passing recertification resets your three-year cycle and maintains your ISO 27001 certification status.

An auditor excited about improving local businesses

What information security evidence do auditors review?

Across every audit, your auditor is verifying one thing: is your ISMS working as intended? Key evidence reviewed includes:

  • ISMS documentation, including policies, procedures, and records that demonstrate your system is being maintained.
  • Risk assessment and risk treatment plan, including evidence of how information security risks are identified and managed.
  • Statement of Applicability, including the selected security controls and the reasoning behind them.
  • Operational and physical security controls protecting your information assets.
  • Management review records and internal audit findings.
  • Corrective actions, incident response records, and staff security training.
Get In Touch

How to prepare for your ISO 27001 audit

Good preparation makes a real difference to how smoothly your audit goes. The businesses that move through ISO 27001 auditing most efficiently are the ones that treat preparation as part of their ongoing compliance journey, not a last-minute scramble.

Magnifying glass icon

Run your internal audit first

Conduct a thorough internal audit before your external certification audit. This is the single most effective preparation step. Your internal audit process keeps your ISMS accountable between formal assessments and helps surface issues early, while there’s still time to address them. Aim to run internal audits at least annually, and ensure your auditor has the training and authority to review the full ISMS scope.

Checklist icon

Use an ISO 27001 audit checklist

An ISO 27001 audit checklist is one of the most practical tools available for tracking your readiness against each clause and control. Working through a checklist before your Stage one documentation review helps you collect evidence systematically, confirm your audit scope is clearly defined, and identify any gaps before your auditor does. Download our ISO 27001 Gap Analysis Checklist to get started.

Document icon

Get your ISMS documentation in order

Make sure all required ISMS documentation is complete, current, and easy to access. This includes your Information Security Policy, risk assessment and risk treatment documentation, SoA, asset inventory, access control policy, and incident response procedures. Gaps in documentation are among the most common causes of audit findings – and the easiest to prevent.

puzzle icon

Address gaps before Stage 1

If your internal audit or checklist review uncovers gaps, address them before your Stage 1 audit. Fewer findings at Stage 1 means a smoother path to certification and fewer corrective actions to resolve under time pressure.

People icon

Prepare your people

Your ISO 27001 auditor will speak with staff across the business, not just your compliance team. Make sure everyone who owns part of your ISMS understands their responsibilities and can speak clearly to how security practices work in their day-to-day roles. Investing in staff security training and clear ownership of internal processes pays off significantly at audit time.

business owner using efficient systems to manage her resources

Why ISO 27001 auditing matters

Regular ISO 27001 audits are not just about maintaining certification. They also help strengthen your organisation’s information security posture over time. For Australian businesses, that has direct commercial value. Many large organisations and government bodies require their suppliers to hold ISO 27001 certification, making a consistent audit process a competitive advantage in tenders, procurement, and enterprise supply chain requirements.

Audits also support ongoing regulatory compliance. If your business is subject to the Australian Privacy Act or frameworks like the ASD Essential Eight, a well-maintained ISMS with a consistent audit record demonstrates a credible, risk-based approach to privacy protection and cyber resilience. Not just at certification time, but continuously.

Get In Touch
Customer service representative ready to help

How Citation Group manages your ISO 27001 audit

Citation Group has spent over 30 years guiding Australian businesses through ISO certification. Our approach is experienced, structured, and straight-talking. We’re here to help you succeed, not catch you out.

  • Clear scoping upfront. No surprises about what’s in or out of scope.
  • Experienced ISO 27001 auditors who know the standard inside out.
  • Straightforward communication of any gaps at Stage one, with practical guidance on what to address.
  • A thorough Stage two on-site assessment, so you know exactly where your ISMS stands, not just what the paperwork says.
  • Clear, actionable audit findings and corrective action guidance.
  • Ongoing support across annual surveillance audits for the full three-year certification cycle.
Get In Touch

Trusted by over 3,300 Australian businesses to solve their compliance challenges

Citation Certification logo
Majestic Services Group

Loved working with the auditors for our ISO Accreditation. They provided me with valuable feedback and observations that will certainly enhance the business. I felt very well supported during this process as it was my first audit experience.

Catherine Trembath, Office Manager

Citation Certification logo
Coral Homes

Thank you for working with us to obtain ISO 45001 Certification. The process was thorough, structured and efficient and the system enhancements we have made to achieve certification will benefit our company greatly.

The breadth of experience and technical expertise you brought to the process was invaluable and really appreciated by all the senior leadership team involved.

Geoff Idzikowski, HSEQ Manager

Citation Certification logo
AutoNexus

The collaborative relationship we’ve developed with Citation Certification has turned into a true partnership where our business needs are holistically understood and supported.

John Hemingway, Regional HSE Manager

Citation Certification logo
Cushman and Wakefield

The auditor that was assigned to us was fantastic. He explained what was expected and required before the audit commenced. And even during the audit process, when things were being identified or uncovered, we could work quite dynamically. He was really accommodating and professional, and really quite pragmatic in the recommendations for improvement, which we’ve taken on board.

James Logan, Operations Risk and Compliance Manager

Citation Certification logo
Swyftx

Our most recent audit cycle was one of the most positive experiences we’ve had since certifying to ISO/IEC 27001:2022, and the relaxed nature allowed us to engage in discourse that was open and honest about gaps and our plans to fix them.

Daniel van Driel, Risk and Governance Lead

Access our latest news and insights

How AI is changing ISO Certification
Events

How AI is changing ISO Certification

ISO certification is how businesses prove their systems meet internationally recognised standards – opening doors...

July 9, 2026 11:00 am
Difficult employees, tough conversations & Fair Work risk
Events

Difficult employees, tough conversations & Fair Work risk

Managing underperformance and conduct issues is one of the highest-risk moments for any SME. Get...

July 1, 2026 11:00 am
Citation Legal celebrates inclusion in Best Law Firms – Australia
Citation Legal logo
Uncategorized

Citation Legal celebrates inclusion in Best Law Firms – Australia

Citation Legal recognised by Best Lawyers in the third edition of Best Law Firms –...

10 June, 2026
Appropriate workplace attire: the dress code question
Citation HR logo
Blogs

Appropriate workplace attire: the dress code question

The dress code question can be a bit of a grey area, but clear guidance...

9 June, 2026
6 FAQs every employer must know about personal/carer’s leave
Citation HR logo
Blogs

6 FAQs every employer must know about personal/carer’s leave

Did you know that the average Aussie worker takes approximately 9.7 days of personal leave...

9 June, 2026

Got burning questions? We’ve got answers.

An ISO 27001 audit is an independent assessment of your Information Security Management System (ISMS) to verify it meets the requirements of the ISO/IEC 27001 international standard. The audit evaluates your security controls, risk management processes, ISMS documentation, and whether your organisation genuinely protects its information assets in practice. Internal audits are conducted by your own team; external audits are performed by an accredited certification body and determine your certification status.

An ISO 27001 internal audit is run by your own organisation to assess ISMS effectiveness and identify improvements before an external auditor visits. External audits are conducted by an independent ISO 27001 certification body and include the initial certification audit (Stage one and Stage two), annual surveillance audits in years one and two, and a full recertification audit at the end of the three-year cycle. Both work together – internal audits keep your ISMS honest between external assessments.

An ISO 27001 auditor reviews your ISMS documentation, risk assessment and risk treatment plan, Statement of Applicability, operational and physical security controls, management review records, internal audit findings, corrective actions, incident response procedures, and staff security training records.

Your auditor will also speak with the people responsible for each area to verify your information security management system is working in practice, not just on paper.

Not passing an ISO 27001 audit doesn’t mean starting from scratch. It means there are gaps to address. Minor non-conformances are resolved through agreed corrective actions and don’t halt the process. Major non-conformances – where there’s a significant gap between your ISMS and the requirements of the standard – need to be resolved before certification is issued. But your certification body will give you clear guidance on exactly what needs to change.

Most businesses get there. The key is thorough preparation: a strong internal audit process before your external audit significantly reduces the likelihood of anything major being raised.

Annual surveillance audits are conducted in years one and two of your three-year ISO 27001 certification cycle. They verify that your ISMS continues to meet the standard and that ongoing ISO 27001 compliance is maintained. At the end of year three, a full recertification audit is required to renew your certification status.

Yes. ISO 27001 requires both internal audits and external audits as mandatory elements of a compliant ISMS. Internal audits must be conducted at planned intervals – at least once a year – to verify your ISMS is functioning as intended and to identify areas for improvement. External certification audits are required to achieve and maintain ISO 27001 certification, and include annual surveillance audits in years one and two of your three-year cycle, followed by a full recertification audit.

A regular, well-run audit process is what turns ISO 27001 from a one-time achievement into an ongoing business asset.

ISO 27001 certification in Australia is formal recognition that your organisation’s ISMS meets the requirements of the ISO/IEC 27001 international standard. Certification must be issued by a JAS-ANZ accredited certification body. JAS-ANZ is the government-appointed body that accredits certification bodies operating in Australia and New Zealand.

For Australian businesses, ISO 27001 certification is increasingly required for government procurement, recognised by enterprise supply chains, and relevant to compliance with the Australian Privacy Act and frameworks such as the ASD Essential Eight.

Certification is valid for three years and maintained through annual surveillance audits.

An ISO 27001 audit involves a structured review of your ISMS across documentation, ISO 27001 implementation, and ongoing effectiveness.

For the initial certification audit, this means a Stage 1 documentation review, where your auditor checks that your ISMS scope, risk assessment, Statement of Applicability, and core policies are complete. This is followed by a Stage 2 on-site assessment where your auditor verifies that security controls are implemented and working in practice.

Your auditor will examine evidence, interview staff, review your risk register and risk treatment plan, and assess how your organisation manages information security risks day to day.

Audit findings are documented, with non-conformances addressed through corrective actions before or after certification is issued, depending on their severity.

ISO 27001 certification cost in Australia typically depends on your organisation’s size, number of sites, and the complexity of your information security management system. Larger organisations with more complex ISMS requirements will generally pay more due to longer audit durations. Visit our ISO 27001 certification pricing page or contact us for more information.