Audit practice · by Lars Zimmermann

How an External Certification Audit Works: Stage 1 and Stage 2

From contract to certificate: how the two-stage certification audit (Stage 1 and Stage 2) works, what gets checked, and who makes the final decision.

In short

An external certification audit runs in two stages at an accredited certification body. Stage 1 reviews your documentation and audit readiness; Stage 2 is the on-site audit that tests how effectively the management system is actually lived. A separate body, independent of the audit team, then makes the certification decision, not the auditor.


Anyone pursuing an ISO certification goes through a clearly defined, two-stage process at an accredited certification body. If you understand how it works, you walk in without surprises, and that is half the battle won.

Before you start: proposal and contract

You sign a contract with a certification body. The body plans the audit based on your scope, your headcount and the complexity of your operation, and from this it derives the number of audit days. One important point: a body that certifies you may not, for reasons of independence, also act as your consultant.

Stage 1: the readiness review

In the first stage, the auditor focuses primarily on your documentation and your fundamental audit readiness. Is there a policy, a defined scope, a risk assessment, the core procedures and, depending on the standard, evidence such as a Statement of Applicability? Stage 1 exists to surface gaps early, to plan the Stage 2 date and to avoid surprises later.

  • Review of the documented information and the scope
  • Assessment of whether an internal audit and a management review have been carried out
  • Clarification of sites, key processes and open issues
  • Outcome: readiness for Stage 2, or a list of gaps to close

Stage 2: the on-site audit

The second stage is about effectiveness: is what is written on paper actually lived in practice? On site (or remotely), the auditor gathers evidence through interviews, observation and examination of records. The entire standard is assessed, with a risk-based focus on the areas that matter most.

A typical flow: an opening meeting, an audit of leadership and of the core processes along the clauses of the standard, a continuous log of findings, and finally a closing meeting where the results are presented.

Findings, corrective actions, decision

You must respond to nonconformities with corrective actions and a root cause analysis; for major nonconformities, evidence of the correction is required before the certificate can be issued. The certification decision itself is then made by a function within the certification body that is independent of the audit team, not by the auditor.

A certificate is usually valid for three years, but only as long as the annual surveillance audits confirm that the system continues to be lived.

The role of preparation

This is exactly where the leverage lies. If you run an honest gap analysis and an internal audit "the way the certification body would" before the external audit, you already know your weak points. The external audit then becomes a confirmation rather than a risk.


Frequently asked questions

Why two stages?

Stage 1 checks the documentation and readiness; Stage 2 checks the lived effectiveness on site. This way, gaps are identified early, before the actual audit takes place.

Who issues the certificate?

An accredited certification body. The decision is made by a function within that body that is independent of the audit team, not by the auditor who was on site.

How long is a certificate valid?

Usually three years, with annual surveillance audits and a recertification at the end of the cycle.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)

Last updated: 26 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.
