Newsletter · Edition #13 · ISO 27001 · 3 min read

What auditors actually look for in ISO 27001

It isn’t the size of your policy binder. It’s whether the ISMS is alive.

Teams often over-invest in documentation and under-invest in evidence. A perfect policy that no one follows fails an audit faster than a rough one that’s clearly operating.

Records over rhetoric

An auditor wants to see the ISMS running: risk assessments that were actually reviewed, access rights that were actually re-certified, incidents that were actually logged and closed. Dated, owned records beat beautifully worded intentions every time.

The Statement of Applicability is the map

Your SoA tells the auditor which Annex A controls apply and why. If a control is marked applicable but you have no evidence it’s working — or excluded with a hand-wave — that’s where the findings land.

The bottom line

Certification rewards a management system that operates, not a folder that impresses. Build the evidence trail as you go and the audit becomes a formality.

Get the next edition in your inbox

Practical PCI DSS, ISO 27001, SOC 2 and DPDP insight from CERT-In empanelled auditors — a few times a month, no spam.

Compliance insights, no spam. Unsubscribe anytime.

← Browse all editions

Free tool
ISO 27001 Readiness Checker
See how close you are to ISO 27001 certification — free, in 5 questions.
Try it free →