What Do ISO 27001 Auditors Actually Look For?

ISO 27001 auditors go well beyond checking your policy documents. Here's what experienced ISO 27001 auditors actually look for.

There’s a common misconception about ISO 27001 audits: that if your documentation is in order, you’ll pass.

Documentation matters…. but experienced auditors know that documentation is the easiest part to get right. What separates organisations that sail through their audit from those that collect nonconformities is whether the ISMS is actually operating — not just documented. It’s about evidence.

This guide explains how auditors think, what they look for beyond the documents, and where most organisations come unstuck.

The Auditor’s Mindset

An ISO 27001 auditor’s job is to form an independent opinion on whether your ISMS conforms to the standard and is effectively implemented, maintained, and continually improved.

That word — implemented — is doing a lot of work. It means auditors aren’t just checking whether you have a policy. They’re checking whether the policy is followed, whether the controls it describes actually exist in your systems, and whether staff know what they’re supposed to do.

Their primary tool for this is sampling. An auditor can’t review everything, so they take representative samples: a few user accounts to check access controls, a handful of incidents to see how they were managed, several suppliers to see whether they’ve been assessed. If the samples look good, they’ll typically gain confidence in the broader picture. If they don’t, they’ll dig deeper.

The three questions an auditor is always asking:

  1. Does the documentation say the right thing?
  2. Does practice match the documentation?
  3. Is there evidence that it actually happened?

The answer to the first question is usually yes, especially by Stage 2. The second and third are where things get interesting.

What They Always Check First

Before detailed testing begins, every auditor reviews the mandatory documentation that ISO 27001 requires to exist. This is the baseline:

  • ISMS scope document — is the boundary clearly defined and appropriate?
  • Information security policy — signed off by senior management, current, accessible to staff
  • Risk assessment and risk register — is there a documented methodology? Has it been applied and kept current?
  • Statement of Applicability — does it cover all 93 Annex A controls with justification for inclusions and exclusions?
  • Risk treatment plan — are the controls from the SoA linked to actual implementation?
  • Internal audit records — has an internal audit been conducted? Were findings raised and closed?
  • Management review minutes — has senior management reviewed the ISMS with the required inputs covered?

If any of these are missing or clearly inadequate, the auditor will raise a finding before going further. Most organisations that have prepared properly will have these in place. The audit gets more interesting once this layer is confirmed.

What ISO 27001 Auditors Check in Each Area

What ISO 27001 Auditors Check in Each Area

The questions they ask and the evidence they expect to see — by ISMS area

Area
What they look for
Evidence they ask to see
Risk Assessment
Clause 6.1.2
What they look for
Risk register is current — updated after significant changes
Named risk owners, not generic roles
Residual risk reflects controls actually in place
Treatment decisions documented and implemented
Evidence they ask to see
DocumentRisk register with dates, owners, and treatment status
RecordVersion history showing updates after changes
DocumentRisk treatment plan linked to SoA controls
🔒
Access Control
Controls 5.15–5.18
What they look for
No active accounts for former employees
Privileged access limited to those who need it
MFA enabled on key systems
Access reviews conducted periodically
Evidence they ask to see
ScreenshotUser account list vs HR leavers record
System configMFA enabled in M365 / Google Workspace admin
RecordAccess review log with sign-off date
🚨
Incident Management
Controls 5.24–5.28
What they look for
An incident log that reflects reality — not empty
Documented response for each recorded incident
Post-incident reviews for significant events
Lessons learned fed back into the ISMS
Evidence they ask to see
RecordIncident log with entries, dates, and outcomes
RecordPost-incident review for a significant event
DocumentIncident response procedure (and evidence it’s been followed)
🔎
Internal Audit
Clause 9.2
What they look for
Audit was conducted before Stage 2
Auditor was independent of areas audited
Findings are honest — not suspiciously all-green
Open findings have a documented closure plan
Evidence they ask to see
DocumentInternal audit report with findings and dates
RecordCorrective action log showing closure progress
DocumentAudit programme / schedule for the year
👥
Management Review
Clause 9.3
What they look for
Senior management present — not just IT team
All required inputs covered in the meeting
Decisions and outputs documented
Review reflects real ISMS status
Evidence they ask to see
RecordManagement review minutes with attendee list
DocumentAgenda showing required inputs were covered
RecordActions and decisions from the review
👥
Supplier Management
Controls 5.19–5.22
What they look for
A register of suppliers who access your data
Security assessments for significant suppliers
DPAs or equivalent agreements in place
Periodic review — not just onboarding
Evidence they ask to see
DocumentSupplier register with risk classification
RecordCompleted supplier assessment for 1–2 key suppliers
DocumentDPA or security clauses in supplier contracts
🎓
Training & Awareness
Control 6.3
What they look for
All staff have received awareness training
Training is relevant to actual risk areas
Evidence of understanding — not just completion
Records available for a sample of staff
Evidence they ask to see
RecordTraining completion log or LMS export
RecordPhishing simulation results (if conducted)
InterviewStaff able to describe risks and their responsibilities
Auditors use sampling — they won’t check everything. But if a sample looks poor, they dig deeper. Prepare evidence for each area before the audit, not on the day.

The Operational Evidence Layer

This is where most organisations are caught out. An auditor who finds good documentation will then ask: “Can you show me this working?”

Risk assessment

Your risk register isn’t just a document to produce at audit time. Auditors look for signs that it’s a living process:

  • When was it last updated?
  • Has it been reviewed after significant events — a new system, a supplier change, a security incident?
  • Are the risk owners real, named individuals with identifiable roles?
  • Do the residual risk levels reflect the controls actually in place?

A risk register untouched for 18 months, or containing generic risks copy-pasted from a template with no relation to your actual business, will attract scrutiny.

Access control

Access control is one of the most frequently tested areas — it’s both critical and often poorly managed in practice. Auditors commonly ask to see:

  • A list of current user accounts on a key system (email, finance, case management)
  • Evidence that accounts of former employees have been promptly disabled
  • Confirmation that admin and privileged access is appropriately restricted
  • MFA configuration in your admin console

A common finding: an active user account belonging to someone who left the organisation months ago. Most auditors will find this if they look, and it’s a significant lapse.

Incident management

Auditors know that every organisation has incidents. If you tell them you’ve had none in the past year, they become more sceptical, not less. The question isn’t whether incidents occurred — it’s whether they were properly managed.

They’ll want to see your incident log and walk through one or two entries:

  • Was the incident detected and recorded?
  • Was the response proportionate and documented?
  • Was there a post-incident review for significant events?
  • Were lessons learned fed back into the ISMS?

Internal audit

The internal audit is your own quality check before the external auditor arrives. External auditors look carefully at how you’ve conducted it:

  • Was the auditor independent of the areas they audited?
  • Was the scope adequate — did it cover all parts of the ISMS?
  • Were findings raised honestly, or is the report suspiciously all-green?
  • Are nonconformities and observations from the internal audit being actively closed?

An internal audit that is entirely clean, or that contains open findings with no closure progress, are both red flags.

Management review

Management review is where the ISMS receives senior leadership attention. Auditors aren’t looking for a beautifully formatted report — they’re looking for evidence of genuine engagement:

  • Were the right people present — not just the IT team?
  • Were the required inputs actually discussed: audit results, risk positions, incidents, objectives, changes?
  • Were decisions made and outputs documented?
  • Does the review reflect what’s really happening in the ISMS, or is it a rubber stamp?

A management review conducted entirely by the IT team, without director or senior management involvement, will typically attract a finding.

Supplier management

If your SoA includes Controls 5.19–5.22 (and it almost certainly should), auditors will test whether supplier management is actually happening:

  • Can you show a list of suppliers who process or access your information?
  • Have the significant ones been assessed for information security?
  • Are data processing agreements or equivalent in place?
  • Are assessments being reviewed periodically — not just at onboarding?

Good contracts without any actual security review of suppliers will be challenged.

Training and awareness

Control 6.3 requires information security awareness for all staff. Auditors will ask:

  • What training have staff received, and when?
  • How do you know it was understood — not just clicked through?
  • Were the topics relevant to your actual risk areas?
  • Can you show completion records for a sample of staff?

“We sent an email” is not training evidence. Completion records from a learning platform, phishing simulation results, or signed attendance sheets carry significantly more weight.

What Makes an Auditor Comfortable

Auditors are human. Certain things put them at ease and lead to a smoother audit.

Knowledgeable staff. When the person being interviewed can explain their own controls in plain English — not just recite policy text — it builds confidence that the ISMS is genuinely understood. Auditors quickly distinguish between someone who runs the process and someone who was briefed the day before.

Evidence that predates the audit. Records with version histories, timestamps, and email threads that clearly existed before the audit week are far more credible than records that appear freshly created. Auditors are experienced at identifying back-populated documentation.

Honest acknowledgment of gaps. Organisations that say “we know this area needs work and here’s our plan” are often better received than those insisting everything is perfect. Continual improvement is a core ISO 27001 principle. Pretending there’s nothing to improve is unconvincing.

A consistent story across people. If the ISMS lead says access reviews happen quarterly and the IT administrator has never heard of them, there’s a problem. Auditors deliberately cross-check answers between interviewees.

Common Nonconformities to Avoid

The findings that come up most often.

Major nonconformities (require closure before certificate can be issued):

  • Risk assessment not reviewed or updated after significant organisational changes
  • Internal audit not completed before Stage 2
  • Management review not covering the inputs required by the standard
  • Statement of Applicability not reflecting the controls actually implemented

Minor nonconformities (require a closure plan; certificate can be issued):

  • Leavers’ accounts not disabled promptly
  • Supplier security assessments not documented
  • Training records incomplete or absent for some staff
  • Policy documents not formally approved or inaccessible to staff
  • Incident log absent, sparse, or clearly not reflecting real events

Observations (not formal findings but worth addressing):

  • Risk register lacking ownership or detailed treatment rationale
  • Controls described in policies that aren’t technically enforced in systems
  • Manual processes that introduce unnecessary risk and would benefit from automation
Common ISO 27001 Audit Findings

Common ISO 27001 Audit Findings — and How to Avoid Them

The findings that come up most frequently, by severity

Major NC — certificate cannot be issued until closed
Minor NC — certificate issued; closure plan required
Observation — not a nonconformity; improvement recommended
Major nonconformities — certificate-blocking
Major NC Risk Assessment
Risk assessment not reviewed after significant changes
The risk register has not been updated following a new system deployment, key supplier change, or significant incident. It no longer reflects the current risk landscape.
Blocks certificate
How to avoid
Document a trigger policy: risk register must be reviewed after any significant organisational, system, or threat change — not just annually.
Major NC Internal Audit
Internal audit not completed before Stage 2
No internal audit has been conducted, or the audit was so limited in scope that it cannot be considered adequate evidence of self-assessment.
Blocks certificate
How to avoid
Schedule the internal audit at least 6–8 weeks before Stage 2. Allow time to raise findings and show some closure progress before the external auditor arrives.
Major NC Management Review
Management review missing required inputs
The review was conducted but did not cover the inputs required by Clause 9.3 — such as audit results, security objectives, or risk positions. Or senior management was not meaningfully involved.
Blocks certificate
How to avoid
Use a structured agenda that maps each agenda item to the Clause 9.3 inputs. Keep minutes that show each item was discussed and decisions were made.
Minor nonconformities — certificate issued, closure plan required
Minor NC Access Control
Active accounts for former employees
User accounts belonging to staff who have left the organisation are still enabled, giving potential access to systems or data.
Closure plan required
How to avoid
Formalise a same-day account deactivation step in your offboarding process. Run a quarterly access review cross-referencing active accounts against HR records.
Minor NC Supplier Management
No documented supplier security assessments
Key suppliers who process or access the organisation’s data have not been formally assessed for information security. Contracts exist but security is not reviewed.
Closure plan required
How to avoid
Maintain a supplier register, classify suppliers by risk, and complete a simple security assessment for your top 5–10 suppliers. Document the output.
Minor NC Training
Incomplete training records
Some staff have no record of completing information security awareness training, or training records cannot be produced for a sampled individual.
Closure plan required
How to avoid
Use a platform that generates completion records automatically. Before audit, run a gap report and ensure all staff have a training record for the current cycle.
Minor NC Documentation
Policies unsigned or inaccessible to staff
One or more required policies have not been formally approved, lack a sign-off date, or cannot be easily accessed by the staff they apply to.
Closure plan required
How to avoid
Ensure every policy has a version number, approval date, and named approver. Publish policies to a location all staff can access — intranet, shared drive, or ISMS platform.
Observations — not findings, but worth addressing
Observation Risk Register
Risk register lacks ownership and treatment detail
Risks are documented but treatments are vague, owners are generic roles rather than named individuals, or likelihood/impact rationale is absent.
Recommendation only
How to avoid
Assign a named owner to each risk. Link each treatment to a specific control in the SoA. Document the reasoning behind likelihood and impact scores.
Observation Technical Controls
Policy controls not technically enforced
The password policy states a minimum length of 12 characters, but systems allow shorter passwords. Or MFA is listed as required but not enabled on all specified systems.
Recommendation only
How to avoid
Verify that every technical control described in your policies is actually configured in your systems. Run a pre-audit check: policy says X, does the system enforce X?
The most effective way to avoid findings is to run your own pre-audit that mimics the external auditor — sample access lists, check system configs against policies, review your incident log, and interview a staff member or two about their security responsibilities.

Get Started

Free Templates

Free

The 14 mandatory documents. The starting point for any ISO 27001 project.

A great way to get started without the commitment.

Get the free toolkit →

Templates

Full Toolkit

£85

130+ documents; policies, risk register, audit pack, staff communications and everything else you need to build a working ISMS.

Buy now →

Do-It-Yourself

DIY Course

£285

The Do-It-Yourself course introduces the standard, its requirements, and then shows you how to implement it, stage by stage.

Includes the full toolkit & email consultancy.

View the course →

More support?

Coaching

~£3,500

I can guide you through the standard and help you tailor it to your business through a series of coaching workshops.

Includes the full toolkit, personal consultancy, and first-pass guarantee.

Explore coaching →

How to Prepare

The most effective preparation for Stage 2 is to conduct a thorough internal audit that genuinely mimics what the external auditor will do — including sampling records, interviewing staff, and checking that system configurations match your written policies.

Specifically before your audit:

  • Pull your user access lists and check them against HR records for recent leavers
  • Verify technical controls (MFA, password length, lockout policies) match what your policies state
  • Review your incident log and confirm it has been actively maintained
  • Check training records for gaps and resolve them before the audit date
  • Walk your risk register and confirm every entry is current, owned, and linked to a treatment decision

The goal is to find your own nonconformities before the auditor does, so you have time to close them. An organisation that goes into audit having already run this exercise is almost always better placed than one relying on its documentation alone.

Frequently Asked Questions

What is the difference between a Stage 1 and Stage 2 audit?

Stage 1 is a documentation review, typically conducted remotely. The auditor checks that your mandatory ISMS documents exist, are complete, and are sufficient to support Stage 2. They’re not testing whether your controls are operational — that comes next. If Stage 1 raises significant gaps, you’ll need to address them before Stage 2 proceeds. Stage 2 is the full operational audit. The auditor visits (or connects remotely), interviews staff, samples records, reviews system configurations, and forms their opinion on whether your ISMS is effectively implemented. A certificate is issued, or findings are raised, based on Stage 2.

What questions do auditors typically ask staff?

Auditors tend to ask open questions rather than yes/no ones. Common examples: “Can you walk me through what happens when a new member of staff joins?” “If you received a suspicious email, what would you do?” “How do you decide what data can be shared with a supplier?” “When did you last receive information security training and what did it cover?” The goal is to hear a natural, informed response — not a recited answer. If someone has to look up the policy to answer a basic question about their own job, that tells the auditor something.

How long does a Stage 2 audit take?

It depends on organisation size and scope. For a 10–30 person organisation, Stage 2 is typically one to two days. For a 50–100 person organisation, two to three days is common. Larger or more complex scopes take longer. Your certification body will confirm the audit duration when they issue the audit plan, which you should receive at least a week in advance. The audit plan will also tell you which areas and controls they intend to focus on — it’s worth reviewing it carefully and ensuring the right people are available.

What happens if we receive a nonconformity?

It depends on severity. A major nonconformity means the certificate cannot be issued until the finding is closed — you’ll need to demonstrate to the auditor’s satisfaction that the issue has been resolved, typically within 90 days. A minor nonconformity allows the certificate to be issued but requires a documented corrective action plan and evidence of closure, usually at the next surveillance audit. Receiving findings is not unusual — most first-time certifications involve at least a few minor nonconformities. What matters is that you respond to them seriously and close them properly.

Can we see the audit questions in advance?

You’ll receive an audit plan that outlines which clauses, controls, and business areas the auditor intends to cover on each day. You won’t receive a script of exact questions, but the audit plan gives you enough information to ensure the right people and evidence are ready. For a Stage 2 audit, reviewing the audit plan carefully and preparing a brief for each session — who will be present, what evidence they should have ready — is time well spent. Auditors expect you to prepare; it’s not gaming the process.

Related Guides

Previous post

ISO 27001 ROI: How to Measure the Value of Certification

NEXT post

ISO 27001 Myths Busted: 10 Things People Get Wrong

Photo of author

Written by

Alan Parker

Alan Parker is an ISO 27001 consultant who has helped dozens of UK small businesses achieve certification — often without a dedicated security team or a large budget. With over 30 years in IT governance and qualifications including ITIL v3 Expert, ITIL v4 Bridge, and PRINCE2 Practitioner, Alan writes in plain English for busy teams who need to get things done. Named IT Project Expert of the Year (2024, UK).

Iseo Blue Limited - UK Registered Company Number : 10215427

Privacy Policy  

Registered office address: Belmont Suite Paragon Business Park, Chorley New Road, Bolton, England, United Kingdom, BL6 6HG