The chain the auditor will pull
Every ISO 27001 audit, initial or surveillance, walks the same spine: pick a risk, follow it to a treatment decision, to the SoA, to the control in operation, to its evidence, and to how monitoring or audit would detect its failure. Then pick an incident and walk it backward. Before the audit, run that trace yourself on your top five risks and your last three incidents; every break you find and fix is a finding removed from the report.
The evidence set auditors always sample
- Internal audit and management review: completed, covering the full ISMS scope, with findings tracked to closure. Both are mandatory before Stage 2; arriving without them is the most common cause of delayed certification.
- Access control evidence: joiner and leaver records, privileged access reviews with dates and actions (departed employees with live accounts remain the most reliably found nonconformity in the standard's history).
- Incident records: detections, response, and what improved afterward. A zero-incident log at a real company reads as blindness, not perfection.
- Change and vulnerability management: changes with approvals; scan or test results with triage and closure.
- Supplier and cloud governance: your list of critical providers, the security terms in their contracts, and any review you actually performed.
- Awareness: training records, and staff who can answer questions about phishing reporting and data handling without a script.
Stage 1 is a gift; use it
Stage 1 exists to review your documentation and readiness before the full audit. Treat its output as a free consultancy report: every observation is a preview of a Stage 2 finding. Fix them all, and confirm the fixes with evidence at Stage 2's opening meeting; entering the full audit with Stage 1's list already closed sets the credibility for everything that follows.
Audit-week discipline
Confirm the plan and interviewees in advance, ensure remote access or facilities for the auditor, appoint a guide who knows where evidence lives, and hold one rule with your team: answer honestly, and if something is broken, show the corrective action already moving. Auditors certify systems that find and fix their own problems, and nothing demonstrates that better than watching it happen live.