Many organisations approach ISO 27001 with the right intentions: policies are written, tools are in place, and security “exists” in daily operations. Yet, during an audit, those same organisations are often surprised by nonconformities that feel minor—or worse, unfair. The…