Newsletter · Edition #13 · ISO 27001 · 3 min read
What auditors actually look for in ISO 27001
It isn’t the size of your policy binder. It’s whether the ISMS is alive.
Teams often over-invest in documentation and under-invest in evidence. A perfect policy that no one follows fails an audit faster than a rough one that’s clearly operating.
Records over rhetoric
An auditor wants to see the ISMS running: risk assessments that were actually reviewed, access rights that were actually re-certified, incidents that were actually logged and closed. Dated, owned records beat beautifully worded intentions every time.
The Statement of Applicability is the map
Your SoA tells the auditor which Annex A controls apply and why. If a control is marked applicable but you have no evidence it’s working — or excluded with a hand-wave — that’s where the findings land.
The bottom line
Certification rewards a management system that operates, not a folder that impresses. Build the evidence trail as you go and the audit becomes a formality.
Get the next edition in your inbox
Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.
