ReadSafety.com

ISO 27001 Questions, Answered

How do you prepare for an ISO 27001 audit?

Quick answer

Prepare for an ISO 27001 audit by making one chain unbreakable: risks in your register, treatments chosen, SoA controls implementing them, and evidence those controls operate. Complete an internal audit and management review first, have access reviews, incident and change records current, and prepare staff to describe security in their own daily work.

The chain the auditor will pull

Every ISO 27001 audit, initial or surveillance, walks the same spine: pick a risk, follow it to a treatment decision, to the SoA, to the control in operation, to its evidence, and to how monitoring or audit would detect its failure. Then pick an incident and walk it backward. Before the audit, run that trace yourself on your top five risks and your last three incidents; every break you find and fix is a finding removed from the report.

The evidence set auditors always sample

  • Internal audit and management review: completed, covering the full ISMS scope, with findings tracked to closure. Both are mandatory before Stage 2; arriving without them is the most common cause of delayed certification.
  • Access control evidence: joiner and leaver records, privileged access reviews with dates and actions (departed employees with live accounts remain the most reliably found nonconformity in the standard's history).
  • Incident records: detections, response, and what improved afterward. A zero-incident log at a real company reads as blindness, not perfection.
  • Change and vulnerability management: changes with approvals; scan or test results with triage and closure.
  • Supplier and cloud governance: your list of critical providers, the security terms in their contracts, and any review you actually performed.
  • Awareness: training records, and staff who can answer questions about phishing reporting and data handling without a script.
Key factInterviews decide more than documents. Auditors ask engineers how a change reaches production, ask support staff what they would do with a suspicious email, and ask a manager who approved an access grant. Consistent answers from ordinary staff prove a living system faster than any binder; rehearsed answers from a designated spokesperson prove the opposite.

Stage 1 is a gift; use it

Stage 1 exists to review your documentation and readiness before the full audit. Treat its output as a free consultancy report: every observation is a preview of a Stage 2 finding. Fix them all, and confirm the fixes with evidence at Stage 2's opening meeting; entering the full audit with Stage 1's list already closed sets the credibility for everything that follows.

Audit-week discipline

Confirm the plan and interviewees in advance, ensure remote access or facilities for the auditor, appoint a guide who knows where evidence lives, and hold one rule with your team: answer honestly, and if something is broken, show the corrective action already moving. Auditors certify systems that find and fix their own problems, and nothing demonstrates that better than watching it happen live.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC