After supporting numerous ISO 27001 implementations and audits, we’ve noticed patterns in what auditors find. Here are the most common issues and how to avoid them.

The top audit findings

1. Risk assessment disconnected from controls

The problem: Your Statement of Applicability says you’ve implemented certain controls, but there’s no clear link showing why. Auditors want to see that control decisions flow from your risk assessment.

How to avoid it:

  • Document the rationale for each control selection
  • Reference specific risks that each control addresses
  • Keep your risk assessment and SoA in sync
  • Review both documents together when making changes

2. Policies that don’t match practice

The problem: Your policies describe one process, but staff describe (or demonstrate) something different. That disconnect is an immediate red flag for an auditor.

How to avoid it:

  • Write policies based on what you actually do
  • Involve the people who do the work in policy development
  • Keep policies simple and achievable
  • Update policies when processes change

3. Missing or incomplete records

The problem: ISO 27001 requires evidence that your ISMS is working. “We do this” isn’t enough—auditors want to see proof.

What auditors typically ask for:

  • Access review records
  • Change management logs
  • Security awareness training records
  • Risk assessment evidence
  • Incident response records
  • Management review minutes

How to avoid it:

  • Identify required records before implementation
  • Build record-keeping into your processes
  • Use templates to ensure consistency
  • Review records regularly for completeness

4. Inadequate access management evidence

The problem: You say you review access regularly, but can’t show evidence. Or you can show one review, but not a pattern of regular reviews.

How to avoid it:

  • Schedule access reviews and stick to them
  • Document who reviewed what, when, and what actions resulted
  • Keep records of access requests and approvals
  • Include joiners, movers, and leavers processes

5. Weak internal audit programme

The problem: Internal audits that just tick boxes without actually examining whether controls work. Or internal audits conducted by people too close to the areas being audited.

How to avoid it:

  • Plan internal audits to cover the full ISMS over the certification cycle
  • Use auditors who are independent of the area being audited
  • Test controls, don’t just verify documentation exists
  • Report findings honestly—auditors appreciate self-awareness

6. Supplier management gaps

The problem: You have security requirements for suppliers, but no evidence you’ve assessed whether suppliers meet them. Or you assess suppliers once and never again.

How to avoid it:

  • Maintain a register of suppliers with security relevance
  • Document your supplier assessment approach
  • Conduct initial and periodic supplier reviews
  • Include security requirements in contracts

7. Incomplete security awareness

The problem: Training records show staff completed security awareness training, but interviews reveal they don’t understand key policies or their responsibilities.

How to avoid it:

  • Make training relevant to people’s actual roles
  • Include practical examples, not just policy recitation
  • Test understanding, not just completion
  • Reinforce messages throughout the year

8. Incident management without incidents

The problem: You have an incident management process, but no evidence of any incidents. Either you’ve been incredibly lucky, or you’re not identifying incidents properly.

How to avoid it:

  • Define clearly what constitutes an incident
  • Make reporting easy and non-punitive
  • Review potential incidents regularly
  • Document near-misses as well as actual incidents

9. Business continuity plans that haven’t been tested

The problem: You have business continuity plans, but no evidence they work. Plans that haven’t been tested are just assumptions.

How to avoid it:

  • Schedule regular tests (at least annually)
  • Document test results and lessons learned
  • Update plans based on test findings
  • Test different scenarios over time

10. Management review as a rubber stamp

The problem: Management review meetings that just work through a checklist without genuine discussion or decisions. Auditors can spot superficial engagement.

How to avoid it:

  • Prepare meaningful metrics and analysis
  • Include real issues and decisions, not just status reports
  • Document actions and track them to completion
  • Involve senior management genuinely, not just nominally

Minor vs Major nonconformities

Minor nonconformity: A single lapse or partial failure. You have a process but it’s not always followed, or documentation is incomplete but exists.

Major nonconformity: A systematic failure or complete absence of a required element. You don’t have a process at all, or evidence shows widespread non-compliance.

Major nonconformities must be addressed before certification (or recertification). Minor nonconformities can be addressed with a corrective action plan.

During the audit

Be honest

If you don’t do something, say so. If something went wrong, explain how you addressed it. Auditors appreciate organisations that acknowledge issues and demonstrate learning.

Provide evidence

“We always do that” isn’t evidence. Be ready with records, logs, and examples. Prepare evidence packs for common areas before the audit.

Know your ISMS

Staff may be interviewed. Make sure they understand their responsibilities and can explain relevant processes. They don’t need to know the whole ISMS—just their part.

Ask for clarification

If you don’t understand what the auditor is asking for, ask them to clarify. It’s better than providing the wrong information.

The silver lining

Finding issues in your ISMS isn’t necessarily bad. It shows your audit process is working and identifies opportunities for improvement. The worst outcome is an ISMS that looks perfect on paper but doesn’t actually protect your information.


Preparing for an ISO 27001 audit? Get in touch to discuss an audit readiness review.