Compliance · 11 min read · 2026-02-28

Gatekeeper Editorial — Compliance & Security

How to Prepare for Your First ISO 27001 Audit

A practical guide for organisations preparing for ISO 27001 certification. Covers the audit process, common findings, evidence preparation, and how to avoid the most frequent mistakes.

Tags: ISO 27001, Audit, Compliance, Certification

Understanding the audit process

An ISO 27001 certification audit is conducted in two stages by an accredited certification body:

Stage 1 (Documentation review): The auditor reviews your Information Security Management System (ISMS) documentation. They check that your scope is defined, your risk assessment methodology is documented, your Statement of Applicability (SoA) is complete, and your policies and procedures exist. This typically takes 1–2 days on-site.

Stage 2 (Implementation audit): The auditor verifies that your documented controls are actually implemented and effective. They interview staff, examine evidence, and test controls. This is where most organisations stumble. Duration depends on scope, typically 3–5 days.

Between Stage 1 and Stage 2, you have an opportunity to address any gaps identified. Use this time wisely.

Essential documentation

Before your Stage 1 audit, ensure these documents are complete and approved:

ISMS scope statement: Clearly defines the boundaries of your information security management system. What is included and, equally important, what is excluded.

Information security policy: A board-approved policy that sets the direction for information security. Must be communicated to all employees.

Risk assessment methodology: How you identify, assess, and treat information security risks. Must be consistent and repeatable.

Risk treatment plan: How you are addressing identified risks. Maps to controls in Annex A.

Statement of Applicability (SoA): Lists all 93 Annex A controls (ISO 27001:2022), states which are applicable and which are not, and justifies exclusions.

Asset inventory: A complete list of information assets with owners and classifications.

Incident management procedure: How you detect, report, and respond to security incidents.

Business continuity plan: How you maintain critical services during disruptions.

Internal audit reports: Evidence that you have audited your own ISMS at least once before the certification audit.

Management review minutes: Evidence that senior management has reviewed the ISMS performance.

Common audit findings

Based on published audit data and certification body reports, the most frequent ISO 27001 findings are:

1. Incomplete risk assessment: Risks are identified but not consistently assessed using the documented methodology. Ensure every risk has a likelihood, impact, and risk level calculated per your method.

2. Missing evidence of control effectiveness: Controls are documented but there is no evidence they work. If your policy says "access reviews are conducted quarterly," the auditor will ask to see the last four quarterly reviews.

3. Scope boundaries unclear: The SoA includes controls for systems outside the defined scope, or excludes controls for systems that are in scope.

4. Awareness and training gaps: Staff cannot articulate basic security policies. Conduct security awareness training and keep attendance records.

5. Supplier management: No evidence of security assessments for key suppliers. Even if you trust your suppliers, you need documented evidence of assessment.

6. Monitoring and measurement: No defined metrics for ISMS performance. The auditor expects to see KPIs and evidence of management review.

7. Internal audit insufficient: Internal audits were conducted by people who are not independent of the audited area, or findings were not formally tracked to closure.

Evidence preparation tips

The Stage 2 audit is an evidence-based exercise. For every control in your SoA, you should be able to produce evidence within minutes, not hours.

Organise evidence by Annex A control number. Create a shared folder structure with one folder per control (A.5.1, A.5.2, and so on) holding the current evidence for that control.

Automate evidence collection where possible. Platform-generated reports (access reviews, vulnerability scans, configuration baselines, patch status) are stronger evidence than manual spreadsheets.

Date your evidence. The auditor needs to see that controls are operating over time, not just at the point of audit. Three months of weekly scan reports is better than one scan run the day before.

Prepare your people. Identify who will be interviewed for each control area. Brief them on what the auditor is likely to ask. They should be able to explain their role in the ISMS without reading from a script.

Do a dry run. Conduct a pre-audit internal review 4–6 weeks before Stage 2. Address any gaps found.
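A small check of the kind the tips above call for, added here as an example (it is not part of the original article or the Gatekeeper product): it walks a constructed evidence index keyed by Annex A control ID, with constructed review cadences, and reports controls that have no evidence, stale evidence, or too few dated artefacts to show the control operating over time. The control IDs, cadences and file names are sample values, not a statement of what the standard requires.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample SoA: applicable control -> expected evidence cadence in days.
# Control IDs and cadences are illustrative assumptions, not taken from the standard.
SOA_CADENCE_DAYS = {
    "A.5.1": 365,   # policy approval record, reviewed annually
    "A.5.18": 91,   # access rights review, quarterly
    "A.8.8": 7,     # vulnerability scan report, weekly
    "A.5.35": 365,  # independent review, annual
}

# Constructed evidence index, as it might be built from a folder tree with one
# folder per control: (control, file name, date the artefact was produced).
EVIDENCE = [
    ("A.5.1", "policy-v3-approved.pdf", date(2025, 9, 1)),
    ("A.5.18", "access-review-2025Q2.xlsx", date(2025, 6, 30)),
    ("A.5.18", "access-review-2025Q3.xlsx", date(2025, 9, 30)),
    ("A.5.18", "access-review-2025Q4.xlsx", date(2025, 12, 31)),
    ("A.8.8", "scan-2026-02-20.csv", date(2026, 2, 20)),
    ("A.8.8", "scan-2026-02-27.csv", date(2026, 2, 27)),
]

def evidence_gaps(soa, evidence, audit_date, window_days=365):
    """Return {control: [issues]} for controls whose evidence would not satisfy
    an auditor: nothing on file, newest artefact older than one cadence, or fewer
    artefacts in the look-back window than the cadence implies."""
    by_control = defaultdict(list)
    for control, _name, produced in evidence:
        by_control[control].append(produced)
    gaps = {}
    for control, cadence in soa.items():
        dates = sorted(by_control.get(control, []))
        issues = []
        if not dates:
            issues.append("no evidence")
        else:
            if (audit_date - dates[-1]).days > cadence:
                issues.append(f"stale: newest {dates[-1]} exceeds {cadence}-day cadence")
            window_start = audit_date - timedelta(days=window_days)
            expected = max(1, window_days // cadence)
            have = sum(1 for d in dates if d >= window_start)
            if have < expected:
                issues.append(f"only {have} of {expected} expected artefacts in last {window_days} days")
        if issues:
            gaps[control] = issues
    return gaps

def run_check(audit_iso="2026-03-15"):
    """Run the gap check against the constructed data for a given audit date."""
    return evidence_gaps(SOA_CADENCE_DAYS, EVIDENCE, date.fromisoformat(audit_iso))

if __name__ == "__main__":
    for control, issues in run_check().items():
        print(control, "->", "; ".join(issues))
```

With the sample data, the quarterly control shows only three of the four reviews an auditor would ask for, the weekly scans are both stale and too sparse, and one applicable control has no evidence at all.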

After certification

ISO 27001 certification is valid for three years, subject to annual surveillance audits. These surveillance audits are shorter than the initial certification but still verify that your ISMS is maintained and improved.

Common mistakes after certification:

Relaxing standards: The ISMS must be a living system, not a project that ends with certification. Continue risk assessments, internal audits, and management reviews.

Ignoring changes: New systems, new suppliers, and organisational changes all affect your ISMS. Ensure your change management process captures security implications.

Failing to track improvements: The auditor will look for evidence of continual improvement. Track corrective actions, preventive measures, and opportunities for improvement.

Maintaining certification is easier than obtaining it — if you treat the ISMS as business-as-usual rather than a separate compliance exercise.


© B-Brave Gatekeeper 2026