ISO 27001 in Practice: What Auditors Actually Ask for (and How to Prepare Evidence)

Many organisations approach ISO 27001 with the right intentions: policies are written, tools are in place, and security “exists” in daily operations. Yet, during an audit, those same organisations are often surprised by nonconformities that feel minor—or worse, unfair.

The reality is simple: ISO 27001 audits are not about what you believe is secure, but about what you can prove, consistently and objectively.

This article focuses on what auditors actually ask for during ISO 27001 audits, why organisations struggle, and how to prepare evidence that stands up to scrutiny.

What ISO 27001 Audits Really Focus On

Auditors are not looking for perfect security. They are assessing whether your organisation operates a repeatable, governed Information Security Management System (ISMS) aligned with risk.

In practice, this means three things:

  1. Decisions are based on documented risk.
  2. Controls are implemented consistently.
  3. Evidence demonstrates that this happens over time.

Most audit findings arise when one of these elements is missing.


The Questions Auditors Always Ask

Risk Assessment and Treatment

Auditors will always start with risk.

They ask:

  • How were information security risks identified?
  • How were treatment decisions made?
  • Why were some risks accepted?

They expect a clear methodology, a current risk register aligned to scope, and documented justification for treatment decisions.

Common issue: Risk registers exist but are outdated or disconnected from operational reality.


Scope and Boundaries

Auditors will challenge what is included and excluded from the ISMS.

They look for:

  • A clear scope statement
  • Logical boundaries
  • Consistency between scope, assets, people, suppliers, and locations

Common issue: Overly broad scopes or exclusions that cannot be defended.


Policies in Use, Not Just Approved

Auditors do not stop at policy approval dates.

They ask:

  • How are policies communicated?
  • How do employees know what applies to them?
  • How is awareness verified?

They expect evidence such as training records, acknowledgements, or onboarding materials.

Common issue: Policies approved by management but never demonstrably communicated.


Asset Management and Ownership

Auditors expect clarity around information assets.

They ask:

  • What are your key information assets?
  • Who owns them?
  • How are they protected?

They expect an asset inventory with ownership and classification linked to risk.

Common issue: Asset lists maintained by IT but not integrated into risk management.


Supplier and Third-Party Risk

Supplier risk is a major audit focus.

Auditors ask:

  • How are suppliers assessed?
  • How are security requirements enforced?
  • How are critical suppliers reviewed?

They expect supplier risk assessments, contractual controls, and evidence of ongoing oversight.

Common issue: One-off supplier questionnaires with no follow-up.


Incident Management

Even if no major incidents occurred, auditors still ask:

  • How would incidents be detected?
  • How would they be recorded?
  • Who would respond?

They expect an incident process and evidence that it has been tested or used.

Common issue: No incident records at all, suggesting the process is untested.


Governance: Internal Audit and Management Review

Auditors pay close attention to governance.

They expect:

  • Internal audits that are independent and meaningful
  • Management reviews with real inputs, decisions, and actions
  • Evidence that issues are tracked and closed

Common issue: Management reviews conducted as a formality, with no outcomes.


Documentation vs Evidence

A key audit principle is often misunderstood:

Documentation describes intent. Evidence proves execution.

Policies, procedures, and plans are necessary—but they are not evidence on their own. Evidence shows that controls operate consistently and are reviewed over time.

Screenshots without context, documents created just before the audit, or unmanaged logs are weak evidence.


How to Prepare Effectively

Organisations that pass audits smoothly:

  • Map evidence directly to controls
  • Assign clear ownership
  • Collect evidence continuously, as part of normal operations

An audit-ready ISMS is built gradually, not assembled just before the audit.


Final Thought

ISO 27001 audits are predictable. The same themes appear repeatedly, across internal audits, Stage 1, and Stage 2.

When organisations understand what auditors actually ask for, audits stop being adversarial and become a confirmation that the ISMS is doing its job.

If you need any help with your ISO 27001 audit, please do not hesitate to contact me.