ISO 27001 is a management system standard: auditors look for a working Information Security Management System (ISMS) that is risk-driven, repeatable, measurable, and improving. The most common failures happen when organisations treat certification as a one-off project with paperwork, rather than as an operating model.
Below are the five mistakes that most often derail certification efforts—especially in the run-up to Stage 1 and Stage 2.
1) Treating ISO 27001 as a policy pack, not an operating system
What it looks like
- Lots of policies and templates, but no evidence of day-to-day use.
- Controls exist “on paper,” while teams keep working the old way.
- The ISMS is owned by one person (often security) with minimal engagement from operations, IT, HR, procurement, and the business.
Why auditors care
ISO 27001 requires an ISMS that is implemented and maintained. Auditors test whether processes are real: governance cadence, decisions, action tracking, incident handling, risk treatment progress, training completion, supplier oversight, etc.
How to avoid it
- Build a lightweight governance rhythm: ISMS working group, management review, internal audits, corrective actions review.
- Create “evidence by design”: minutes, action logs, registers, approval trails, training records, ticket extracts.
- Make ownership real: assign control owners and include ISMS responsibilities in objectives or performance expectations.
2) Weak risk assessment and risk treatment (generic, copy-paste, or not linked to controls)
What it looks like
- A risk register full of vague risks (“cyber attack,” “data breach”) with no context, assets, threats, vulnerabilities, or realistic scenarios.
- Risk ratings that feel arbitrary or inconsistent.
- A Statement of Applicability (SoA) that doesn’t trace back to risks, legal/regulatory obligations, or business requirements.
- Controls selected because “ISO says so,” not because they mitigate stated risks.
Why auditors care
Risk is the engine of ISO 27001. Auditors will test whether you:
- defined a risk methodology,
- used it consistently,
- selected controls rationally,
- and are actually executing the risk treatment plan.
How to avoid it
- Use a simple, consistent risk method (likelihood × impact) with clear criteria.
- Document risk scenarios tied to actual systems/processes (e.g., “privileged access misuse in Azure subscription X”).
- Ensure your SoA maps to: risks, obligations, and justification for inclusion/exclusion.
- Track risk treatment actions like a project plan: owners, dates, status, evidence.
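The traceability checks this section describes, as an added example (not code from the original article): a fixed likelihood × impact banding, risk scenarios tested for vagueness, SoA entries traced back to risks or a stated justification, and open treatments checked for an owner and date. The 1-5 scale, the bands, the Annex A-style control IDs and the sample register are all constructed assumptions.

```python
# Added example (not from the article): traceability checks over a risk register
# and Statement of Applicability. Scale, bands, control IDs and data are constructed.
from dataclasses import dataclass

def rate(likelihood: int, impact: int) -> str:
    """Assumed 1-5 x 1-5 scale with one fixed banding applied to every risk."""
    score = likelihood * impact
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

@dataclass
class Risk:
    rid: str
    scenario: str        # should name the system, the threat and the consequence
    likelihood: int
    impact: int
    controls: list[str]  # SoA control IDs that treat this risk
    owner: str = ""      # treatment owner
    due: str = ""        # treatment target date

@dataclass
class SoAEntry:
    cid: str
    applicable: bool
    justification: str = ""  # risk, legal/contractual obligation or business need

VAGUE = {"cyber attack", "data breach", "hacking", "malware"}

def check(risks: list[Risk], soa: list[SoAEntry]) -> list[str]:
    """Return audit-style findings; an empty list means the register is traceable."""
    findings = []
    treated = {c for r in risks for c in r.controls}
    for r in risks:
        if r.scenario.strip().lower() in VAGUE or len(r.scenario.split()) < 4:
            findings.append(f"{r.rid}: scenario too generic ('{r.scenario}')")
        if not r.controls:
            findings.append(f"{r.rid}: no treating controls linked")
        if not (r.owner and r.due):
            findings.append(f"{r.rid}: treatment has no owner or due date")
    for e in soa:
        if e.applicable and e.cid not in treated and not e.justification:
            findings.append(f"{e.cid}: applicable but traces to no risk or obligation")
        if not e.applicable and not e.justification:
            findings.append(f"{e.cid}: excluded without justification")
    return findings

# Constructed sample register; control IDs are placeholders in the Annex A style.
SAMPLE_RISKS = [
    Risk("R1", "Privileged access misuse in Azure subscription prod-01", 3, 5,
         ["A.5.15", "A.8.2"], owner="IT Ops lead", due="2025-03-31"),
    Risk("R2", "cyber attack", 4, 4, []),
]
SAMPLE_SOA = [SoAEntry("A.5.15", True), SoAEntry("A.8.2", True),
              SoAEntry("A.7.4", True), SoAEntry("A.5.7", False)]
```

Run against the constructed register, R1 passes cleanly while R2 and the two untraced SoA entries produce the kinds of findings an auditor would raise.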
3) Scoping mistakes (scope too broad, too vague, or not aligned to reality)
What it looks like
- A scope statement that includes everything (“the whole company globally”) when you only control part of it.
- Or the opposite: a scope that excludes key supporting functions (IT Ops, HR onboarding/offboarding, procurement) that obviously affect information security.
- Confusion about boundaries: what’s in scope vs out of scope, especially for cloud services, MSPs, shared platforms, and corporate shared services.
Why auditors care
Audit planning, sampling, and control testing all depend on scope. A bad scope creates unavoidable nonconformities because processes or assets that should be controlled aren’t governed by the ISMS.
How to avoid it
- Make scope specific and defensible: sites/locations, services, products, legal entities, and key systems.
- Define interfaces and dependencies (shared IT, group policies, outsourced SOC, etc.).
- Build an asset/service inventory that matches the scope and is actually used.
4) Underestimating “operational evidence” (especially access control, change, incidents, suppliers)
What it looks like
- Processes exist, but there’s no consistent evidence they’re followed:
  - Access reviews not performed or not signed off.
  - Joiner/mover/leaver workflow inconsistent.
  - Change management tickets missing approvals/testing/rollback notes.
  - Incidents handled informally with no post-incident review or lessons learned.
  - Supplier security assessments missing, outdated, or not risk-based.
Why auditors care
At Stage 2, auditors sample actual records. A mature narrative with weak evidence usually fails.
How to avoid it
Focus on “high-yield” evidence areas auditors nearly always sample:
- Identity & access management: privileged access, quarterly reviews, MFA coverage, leaver process.
- Operational change: ticketing, approvals, segregation of duties, emergency change handling.
- Incident management: log, triage, root cause, corrective actions.
- Supplier management: due diligence, contracts/security clauses, ongoing review, risk ratings.
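Two of the "high-yield" evidence areas above turned into exception reports, as an added example (not code from the original article): HR leavers reconciled against directory accounts, and change tickets checked for approval, testing and rollback notes with emergency changes required to show retrospective approval. The one-day disable SLA, the record field names and every record are constructed assumptions, not any HR or ITSM system's real schema.

```python
# Added example (not from the article): exception checks over the kinds of records
# auditors sample at Stage 2. All records are constructed; the leaver SLA and ticket
# field names are assumptions, not any HR or ITSM system's real schema.
from datetime import date, timedelta

LEAVER_SLA_DAYS = 1  # assumed: accounts must be disabled within 1 day of leaving
AS_OF = date(2025, 1, 20)  # constructed "audit date" for the sample run

def leaver_exceptions(leavers: list[dict], accounts: dict[str, dict],
                      today: date) -> list[str]:
    """Reconcile HR leavers against directory accounts; return one line per gap."""
    out = []
    for lv in leavers:
        acct = accounts.get(lv["user"])
        if acct is None:
            continue  # no account: nothing to disable
        deadline = lv["left"] + timedelta(days=LEAVER_SLA_DAYS)
        if acct["enabled"]:
            late = (today - deadline).days
            if late > 0:
                out.append(f"{lv['user']}: still enabled {late} day(s) past SLA")
        elif acct["disabled_on"] > deadline:
            out.append(f"{lv['user']}: disabled late ({acct['disabled_on']})")
    return out

REQUIRED = ("approved_by", "test_evidence", "rollback_plan")

def change_exceptions(tickets: list[dict]) -> list[str]:
    """Flag change tickets lacking approval, testing or rollback notes;
    emergency changes must instead show a retrospective approval."""
    out = []
    for t in tickets:
        if t.get("emergency"):
            if not t.get("retro_approved_by"):
                out.append(f"{t['id']}: emergency change without retrospective approval")
            continue
        missing = [f for f in REQUIRED if not t.get(f)]
        if missing:
            out.append(f"{t['id']}: missing {', '.join(missing)}")
    return out

# Constructed sample records.
LEAVERS = [{"user": "alice", "left": date(2025, 1, 10)},
           {"user": "bob", "left": date(2025, 1, 12)},
           {"user": "carol", "left": date(2025, 1, 15)}]
ACCOUNTS = {"alice": {"enabled": False, "disabled_on": date(2025, 1, 10)},
            "bob": {"enabled": False, "disabled_on": date(2025, 1, 20)},
            "carol": {"enabled": True, "disabled_on": None}}
TICKETS = [{"id": "CHG-1", "approved_by": "cab", "test_evidence": "T-9", "rollback_plan": "snap"},
           {"id": "CHG-2", "approved_by": "cab", "test_evidence": "", "rollback_plan": ""},
           {"id": "CHG-3", "emergency": True}]
```

Scheduling a report like this and filing its output with the sign-off is the "evidence by design" the first section asks for: the exceptions are the records an auditor samples.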
5) Poor internal audit and corrective action discipline (corrective action requests, or CARs, treated as admin)
What it looks like
- Internal audit done late, rushed, or performed as a checklist with no meaningful findings.
- Findings logged but not corrected (or “closed” without proof).
- Root cause analysis is missing or superficial (“human error,” “lack of awareness”).
- Management review becomes a formality, not a decision-making forum.
Why auditors care
Internal audits and corrective actions are the core mechanisms of continual improvement. If you cannot demonstrate these loops, it signals that the ISMS will not be sustained after certification.
How to avoid it
- Plan internal audit early enough to fix issues before Stage 2.
- Treat findings as operational improvements with owners, deadlines, and verification evidence.
- Do proper root cause analysis (process gaps, unclear ownership, tooling limits, training issues).
- Use management review to record decisions: risk acceptance, resourcing, priorities, major changes.
Practical checklist (what to tighten in the final 6–8 weeks)
- Scope statement and boundaries are clear; asset/service inventory aligns to scope.
- Risk register is specific; risk treatment plan is actively tracked.
- SoA is accurate, justified, and mapped to risks/obligations.
- Evidence exists for: access reviews, leavers, change tickets, incidents, supplier reviews.
- Internal audit completed; corrective actions implemented and verified.
- Management review minutes show decisions, not just discussion.