
After supporting numerous ISO 27001 implementations and audits, we have noticed patterns in what auditors find. Here are the most common issues, and how to avoid them.

The top audit findings

1. Risk assessment disconnected from controls

The problem. Your Statement of Applicability lists implemented controls, but there is no clear link to why each control was chosen. Auditors want to see that control decisions flow from your risk assessment.

How to avoid it. Document the rationale for each control selection. Reference the specific risks each control addresses. Keep your risk assessment and SoA in sync, and review both together when making changes.

2. Policies that do not match practice

The problem. Your policies describe one process, but staff describe or demonstrate something different. The disconnect raises red flags quickly.

How to avoid it. Write policies based on what you actually do. Involve the people doing the work in policy development. Keep policies simple and achievable, and update them when processes change.

3. Missing or incomplete records

The problem. ISO 27001 requires evidence that your ISMS is working. “We do this” is not enough. Auditors want proof.

What auditors typically ask for: access review records, change management logs, security awareness training records, risk assessment evidence, incident response records, and management review minutes.

How to avoid it. Identify required records before implementation. Build record keeping into your processes. Use templates to keep things consistent, and review records regularly for completeness.

4. Inadequate access management evidence

The problem. You say you review access regularly, but cannot show evidence, or you can show one review but not a pattern of regular reviews.

How to avoid it. Schedule access reviews and stick to them. Document who reviewed what, when, and what actions followed. Keep records of access requests and approvals, and include your joiners, movers, and leavers processes.
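An added example, not from the original post, of the kind of check an internal auditor can run over access review records before the external audit: it flags a system with only one review on file, gaps longer than the agreed cadence, reviews with no reviewer or no recorded outcome, and a next review that is overdue. The records, systems and the 100-day cadence are constructed sample data.

```python
from datetime import date

# Constructed sample access review records (hypothetical systems and reviewers).
REVIEWS = [
    {"system": "crm", "reviewed_on": date(2024, 1, 15), "reviewer": "a.smith",
     "actions": ["removed 2 leaver accounts"]},
    {"system": "crm", "reviewed_on": date(2024, 4, 12), "reviewer": "a.smith",
     "actions": []},                       # review happened, outcome not recorded
    {"system": "crm", "reviewed_on": date(2024, 7, 20), "reviewer": "b.jones",
     "actions": ["downgraded 1 mover's role"]},
    {"system": "hr", "reviewed_on": date(2024, 2, 1), "reviewer": "c.lee",
     "actions": ["no changes required"]},  # a single review is not a pattern
]


def check_review_evidence(reviews, max_gap_days, as_of):
    """Return {system: [issue, ...]} describing evidence gaps an auditor would raise."""
    by_system = {}
    for rec in reviews:
        by_system.setdefault(rec["system"], []).append(rec)

    findings = {}
    for system, recs in by_system.items():
        recs = sorted(recs, key=lambda r: r["reviewed_on"])
        issues = []
        # Each review must say who did it and what followed, even if "no changes".
        for rec in recs:
            if not rec.get("reviewer"):
                issues.append(f"{rec['reviewed_on']}: reviewer not recorded")
            if not rec.get("actions"):
                issues.append(f"{rec['reviewed_on']}: no outcome recorded")
        # One review proves a review happened; auditors want to see a cadence.
        if len(recs) < 2:
            issues.append("only one review on file; no pattern of regular reviews")
        for prev, cur in zip(recs, recs[1:]):
            gap = (cur["reviewed_on"] - prev["reviewed_on"]).days
            if gap > max_gap_days:
                issues.append(f"{gap}-day gap between {prev['reviewed_on']} and {cur['reviewed_on']}")
        overdue = (as_of - recs[-1]["reviewed_on"]).days
        if overdue > max_gap_days:
            issues.append(f"last review {overdue} days ago; next review overdue")
        findings[system] = issues
    return findings


def audit_sample():
    """Run the check over the constructed records with a 100-day cadence."""
    return check_review_evidence(REVIEWS, max_gap_days=100, as_of=date(2024, 9, 1))
```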

5. Weak internal audit programme

The problem. Internal audits that tick boxes without examining whether controls work, or that are conducted by people too close to the area being audited.

How to avoid it. Plan internal audits to cover the full ISMS over the certification cycle. Use auditors who are independent of the area being audited. Test controls rather than just verifying that documentation exists. Report findings honestly. Auditors appreciate self-awareness.

6. Supplier management gaps

The problem. You have security requirements for suppliers but no evidence you have assessed whether suppliers meet them. Or you assess suppliers once and never again.

How to avoid it. Maintain a register of suppliers with security relevance. Document your supplier assessment approach. Run initial and periodic supplier reviews, and include security requirements in contracts.

7. Incomplete security awareness

The problem. Training records show staff completed security awareness training, but interviews reveal they do not understand key policies or their responsibilities.

How to avoid it. Make training relevant to people’s actual roles. Use practical examples rather than policy recitation. Test understanding, not just completion. Reinforce messages throughout the year.

8. Incident management without incidents

The problem. You have an incident management process but no evidence of any incidents. Either you have been very lucky or you are not identifying incidents properly.

How to avoid it. Define clearly what constitutes an incident. Make reporting easy and non-punitive. Review potential incidents regularly, and document near misses as well as actual incidents.

9. Business continuity plans that have not been tested

The problem. You have business continuity plans but no evidence they work. Untested plans are assumptions.

How to avoid it. Schedule regular tests, at least annually. Document test results and lessons learned. Update plans based on findings, and test different scenarios over time.

10. Management review as a rubber stamp

The problem. Management review meetings that work through a checklist without genuine discussion or decisions. Auditors can spot superficial engagement quickly.

How to avoid it. Prepare meaningful metrics and analysis. Include real issues and decisions, not just status reports. Document actions and track them to completion. Involve senior management genuinely, not just nominally.

Minor versus major nonconformities

Minor nonconformity. A single lapse or partial failure. You have a process but it is not always followed, or documentation is incomplete but exists.

Major nonconformity. A systematic failure or complete absence of a required element. You do not have a process at all, or evidence shows widespread non-compliance.

Major nonconformities must be addressed before certification or recertification. Minor nonconformities can be addressed with a corrective action plan.

During the audit

Be honest. If you do not do something, say so. If something went wrong, explain how you addressed it. Auditors appreciate organisations that acknowledge issues and show learning.

Provide evidence. “We always do that” is not evidence. Be ready with records, logs, and examples. Prepare evidence packs for common areas before the audit.

Know your ISMS. Staff may be interviewed. Make sure they understand their responsibilities and can explain the relevant processes. They do not need to know the whole ISMS, just their part.

Ask for clarification. If you do not understand what the auditor is asking for, ask them to clarify. Better that than providing the wrong information.

The silver lining

Finding issues in your ISMS is not necessarily bad. It shows your audit process is working and identifies opportunities for improvement. The worst outcome is an ISMS that looks perfect on paper but does not actually protect your information.

Preparing for an ISO 27001 audit? Get in touch to discuss an audit readiness review.
