What ISO 27001 auditors actually check — and how to be ready

Stage 1 vs Stage 2, the most common major non-conformity findings, and what to do one week before the audit. From practice, without generic advice.

Pre-audit nerves are normal. Every experienced CISO has felt them, and every company going through its first certification will too. But most of that anxiety comes from uncertainty — what will the auditor actually ask, where will they start, what is the thing that can 'sink' the audit. The answer is clearer than it looks.

The certification audit has two stages. In Stage 1 (documentation review, typically one to two days), the auditor checks that all mandatory documentation exists, that it is internally consistent, and that the ISMS scope and the Statement of Applicability (SoA) are logical. In Stage 2 (on-site audit, two to five days depending on company size), the auditor interviews people, requests evidence that controls are working in practice, and traces a thread from risk to control to evidence.

What auditors most commonly find as major non-conformities: an out-of-date risk register (the assessment is two years old and the company has changed three systems since then), an SoA that does not reflect the actual state of controls, no records of training and security awareness (management knows, operational staff do not), a management review that was never held or has no formal minutes, and corrective actions that have been open for months with no progress.

What auditors do not penalise as non-conformities: perfect implementation of every technical control, flawless document formatting, a 100% score in all security tools. An audit is an audit of the management system, not a penetration test.

Preparation one week before the audit: go through the risk register and update everything that has changed, verify that training records exist for all employees, review open corrective actions and close what you can, and run an internal mock interview with key people — management, IT, HR — to check that they answer questions about policy consistently.

Our vCISO stays with the client throughout the entire audit process — from mock audit to the final certification interview. See the vCISO and ISO 27001 service page for details.