Skip to main content

Five recurring themes in ISO 27001 audit findings

Across recent client audits, the same five patterns account for most OFIs. They are not about missing controls. They are about consistency, traceability, and follow-through.

An OFI, Opportunity for Improvement, is an audit observation that does not constitute a nonconformity but signals room for the ISMS to mature. They are not failures. They are quieter signals that the system is working but could be more tightly integrated.

We reviewed OFIs across recent client audits looking for cross-cutting patterns. Five themes turned up again and again, and they were not the themes most organisations expect.

Key takeaways

  • Most OFIs are not about missing controls or technical failures.
  • The five recurring themes cluster around consistency, traceability, currency, and follow-through.
  • These patterns are characteristic of organisations with a working ISMS but uneven process maturity.
  • The fix is rarely more controls. It is tighter integration between the controls you already have.

The five themes at a glance

ThemeCommon observationsPrimary clauses
Risk register and SoA linkageRisks not mapped to Annex A controls, weak SoA justifications, inconsistent treatment information6.1.2, 6.1.3
Document control and currencyOutdated logos, inconsistent footer dates, missing version control, superseded company names7.5
Context, interested parties, governanceCertification bodies missing as interested parties, incomplete legal obligations, fragmented context, weak link to management review4.1, 4.2, 9.3
Physical and environmental controlsAlarm code reviews, key registers, CCTV time checks, unlocked cabinets, server room housekeepingA.7.5, A.7.8, A.7.9
Awareness, communication, follow-throughPhishing cadence, CAPA follow-up, pentest findings not logged, meeting outputs not retained, KPI inconsistenciesA.6.3, 7.4, 10.2

1. Risk register and SoA linkage

This was the most consistently raised theme. The pattern is rarely a missing risk assessment or Statement of Applicability. Both usually exist. The issue is how tightly they connect, and in which direction.

The ISMS exists to manage information security risks. Your risks are the weaknesses you are controlling for. Annex A controls, captured in the SoA, are the mitigation. The link an auditor wants to follow runs from each risk to the controls that mitigate it. That closed loop is the whole point of the framework: identify the weakness, apply the control, evidence the treatment.

Typical observations included:

  • Risks identified in the register but not linked to the Annex A controls that mitigate them.
  • Treatment plans referring to generic actions rather than the specific SoA controls being applied.
  • SoA justification fields completed minimally (“yes” or “implemented”) without rationale for applicability.
  • Risk treatment columns inconsistent across entries.
  • Controls retained as applicable without periodic review of whether they still apply.

Why it matters. An auditor reading your risk register wants to see how each risk is being mitigated and which SoA controls do that work. When the trail is missing, the SoA reads as a populated checklist rather than the output of a risk-driven control selection.

How to tighten this. In the risk register or treatment plan, name the specific SoA controls that mitigate each risk. Use the SoA justification field to record, in your own words, why each control is applicable or not. Review applicability annually rather than only at certification cycles. Treat the risk register and SoA as two sides of the same artefact: risks on one side, controls on the other, and an explicit link between them.

2. Document control and currency

The easiest theme to fix, and the most common to recur. The pattern is documents that were correct at some point but drifted as the organisation changed.

Typical observations included:

  • ISO 27001:2013 logos still in use after the 2022 transition.
  • Footer dates and document review dates inconsistent with version history.
  • Old certification body names following a change of provider.
  • Superseded company names after rebrand or acquisition.
  • Scope statements that no longer reflect the current organisation.

Why it matters. A document that has not been reviewed since 2022 raises a quiet question about whether anything in the ISMS has been reviewed since 2022.

How to tighten this. Build a documented review schedule with named owners. Use a master document register with last reviewed dates visible. Include document review as a standing agenda item in ISMS forums. Treat rebrands and certification body changes as triggers for a full review pass.

3. Context, interested parties, governance

This theme is about the upstream of the ISMS, the parts that shape what gets controlled in the first place. It rarely fails outright. It just gets less attention than the downstream controls.

Typical observations included:

  • Certification body or external auditor not listed as an interested party.
  • Legal, regulatory, and contractual obligations recorded incompletely.
  • Internal and external issues spread across multiple documents without a clear summary.
  • SWOT or context analysis present but not refreshed.
  • Management review minutes that do not reference the context or interested parties analysis.

Why it matters. Clauses 4.1, 4.2, and 9.3 frame the whole management system. When they are stale, the rest of the ISMS may be operating on assumptions that no longer hold.

How to tighten this. Consolidate context, interested parties, and obligations into one regularly reviewed artefact. Reference it explicitly in management review inputs. Refresh annually, or whenever material change occurs such as new regulation, new market, or a new product line.

4. Physical and environmental controls

This theme cuts across the most operational layer of the ISMS. The observations are rarely about whether controls exist. They are about whether the operational housekeeping around the controls is being maintained.

Typical observations included:

  • Alarm code review processes documented but not consistently evidenced.
  • Key registers incomplete, or key codes not changed after leavers.
  • CCTV system time not verified against a reliable time source.
  • Cabinets holding sensitive information left unlocked during walkthrough.
  • Server rooms used for general storage, with non-essential equipment inside.
  • Old certification displays no longer accurate, physical signage outdated.

Why it matters. Annex A controls A.7.5, A.7.8, and A.7.9 are easily evidenced visually. Auditors form impressions during the walkthrough, and those impressions colour the rest of the audit.

How to tighten this. Run periodic physical walkthroughs as a documented internal audit input. Trigger key code rotation on any leaver in scope. Build clear desk checks into routine team operations rather than treating them as audit prep. Review physical signage and certificates quarterly.

5. Awareness, communication, follow-through

The most varied theme, but the underlying issue was consistent: things that started well were not consistently followed through.

Typical observations included:

  • Phishing simulations run, but cadence inconsistent.
  • Information security reminders sent ad hoc rather than to a schedule.
  • Corrective and preventive actions raised but not always closed out.
  • Pentest findings not logged in the ISMS as actions or risks.
  • Management forum outputs not retained as documented information.
  • Objectives and KPIs referenced in policy but not consistently tracked.

Why it matters. Clauses A.6.3, 7.4, and 10.2 are where the ISMS proves it is alive. When activities start but do not finish, the ISMS reads as performative rather than operational.

How to tighten this. Treat awareness as a programme with a documented annual schedule. Bring all findings (audit, pentest, incident, observation) into one tracker. Make CAPA closure a standing item, not a periodic catch-up. Retain outputs from every management forum, including the informal ones.

The pattern across all five

Read together, the picture is consistent. Most OFIs were not about missing controls, technical failures, or absent processes. They were about consistency, traceability, currency of documentation, governance maturity, and evidence of operational follow-through.

That is the hallmark of organisations with a functioning ISMS, but varying levels of process maturity and integration.

If you recognise your organisation in this list, it is not a sign that your ISMS is failing. It is a sign that you have an ISMS, and the next stage of maturity is making it tighter and more joined-up rather than building more controls.

What this means for audit preparation

The practical implication of these patterns is that the highest-value work before a certification or surveillance audit is rarely a fresh control implementation. It is usually:

  1. A review pass on document currency.
  2. An audit of the linkage between risk register, SoA, and treatment decisions.
  3. A refresh of context, interested parties, and obligations.
  4. A physical walkthrough with fresh eyes.
  5. A status check on every action and finding raised over the last 12 months.

None of these are expensive. All of them improve the audit outcome more reliably than another policy revision.

If you are working through any of these themes ahead of a certification or surveillance audit, get in touch. We support organisations through audit preparation as part of our ISO 27001 services and broader vCISO engagements.

Common questions

What is an OFI in an ISO 27001 audit?
An OFI, Opportunity for Improvement, is an observation raised during an ISO 27001 audit that does not constitute a nonconformity but suggests where the ISMS could mature. OFIs do not block certification, but recurring or unaddressed OFIs can become nonconformities at a future audit.
What is the difference between an OFI and a nonconformity?
A nonconformity is a failure to meet a requirement of the standard. An OFI is an observation that points to room for improvement without a formal failure. Nonconformities require corrective action. OFIs are good practice to address but not mandatory.
Do OFIs need to be closed before certification?
No. OFIs do not block certification or recertification. Major nonconformities do, and minor nonconformities require a documented corrective action plan. OFIs are usually noted and revisited at the next audit cycle.
How can we identify these patterns in our own ISMS before the audit?
Run an internal review focused on integration rather than control existence. Walk the trail from risk to control to treatment to evidence. Check whether documents reference each other consistently. Review the past 12 months of CAPA, audit, and incident records for unclosed items.
Does this pattern apply to organisations new to ISO 27001?
No. These themes are characteristic of organisations that have an established ISMS but uneven process maturity. Organisations approaching first certification typically face different patterns, more often related to missing or partial controls rather than integration gaps.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk