The ISO 27001 Audit Process: A Surprisingly Un-Terrifying Guide

Most people imagine ISO audits involve stern-faced professionals in grey suits tutting at your password policy while secretly judging your coffee choice.

The reality? Less dramatic, more constructive, and you can keep your oat milk latte.

Let me walk you through what actually happens.

Stage 1: The 'Getting to Know You' Phase

Think of Stage 1 as a first date with your auditor. They're checking if you're ready for a more serious commitment (Stage 2), not trying to catch you out.

They'll want to see:

  • Your Information Security Management System (ISMS) documentation

  • Evidence you've actually read said documentation

  • Risk assessment and treatment plans

  • Internal audit results

  • Management review minutes

  • Statement of Applicability

The goal? Making sure you've got the basics in place before diving deeper.

Common Stage 1 findings:

  • Policies that read like they were written for a different company

  • Risk assessments that missed something obvious (like forgetting humans work there)

  • Internal audits that somehow found zero issues (always suspicious)

Stage 2: The Deep Dive

This is where theory meets reality. Your auditor wants to see how your ISMS works in practice.

They'll:

  • Interview your team (yes, including that developer who thinks documentation is optional)

  • Check your controls actually work

  • Verify you're doing what your policies say you do

  • Look for evidence of continuous improvement

Pro tip: Your auditor isn't trying to catch you out. They're looking for evidence you understand your risks and are managing them sensibly.

What It's Actually Like

Here's what usually happens:

  • Your auditor arrives (virtually or physically)

  • Everyone panics slightly less than they expected to

  • There's a surprisingly normal opening meeting

  • People realize the auditor is actually quite helpful

  • Someone admits they haven't read the latest policy

  • The auditor finds some things you can improve

  • You realize that's actually quite useful feedback

  • There's a closing meeting to discuss findings

  • Life continues

The Secret to Success?

Be honest. If something isn't working, say so. Show how you're planning to fix it. Auditors prefer seeing real improvements in progress over perfect-looking paperwork that's clearly fiction.

Real example: A client recently admitted their access review process wasn't working well. Instead of hiding it, they showed their improvement plan. The auditor was impressed with their transparency and approach to fixing it.

Common Findings

Most certification findings fall into three categories:

  1. Documentation that doesn't match reality

  2. Controls that exist but aren't consistently followed

  3. Missing evidence for things you actually do

The good news? All fixable.

Timeline

  • Stage 1 usually takes 1-2 days

  • You get about a month to fix any findings

  • Stage 2 takes 2-3 days

  • If all goes well, certification follows shortly after

  • If not, you get time to fix major findings before a follow-up

Remember

A good auditor wants you to succeed. They're there to verify your security controls work, not ruin your day or judge your choice of office snacks.

Though maybe hide the password Post-its before they arrive. Just saying.

Questions about the audit process? Email me at tom@isoserious.com

And if you're approaching certification and feeling that pre-audit panic, let's talk. We've guided plenty of companies through this - without anyone needing emergency biscuits.

Tom Gell

Translating ISO 27001 into human language for fast-growing companies. Former public sector leader who helped scale a startup to £1M ARR by making compliance digestible. Now on a mission to prove security certification doesn't require a 400-page policy manual or a PhD in bureaucracy. Powered by coffee and clarity.

https://www.isoserious.com