ISO Audit Frequently Asked Questions
Short, honest answers to the questions organisations ask us most about ISO 27001, NEN 7510 and ISO 9001 audits — from cost and timelines to certification, internal audits and hiring an independent Lead Auditor in the Netherlands.
ISO audits: the basics
An ISO audit is a systematic, evidence-based assessment in which an auditor checks whether your management system meets an ISO standard (such as ISO 27001 or ISO 9001) and whether it works in practice. The auditor gathers evidence through documents, interviews and sampling, compares it against the requirements of the standard and reports findings. Audits follow the guidelines of ISO 19011.
Broadly there are three types. A first-party audit is an internal audit you run yourself (or via a hired auditor). A second-party audit is one you perform on a supplier or partner. A third-party audit is carried out by an independent certification body and leads to a certificate. There are also preparatory forms such as the gap analysis and the pre-audit.
You carry out an internal audit yourself or through a hired auditor as a mandatory part of your management system (ISO 27001 clause 9.2). A certification audit is performed by an accredited certification body and leads to the official certificate. A solid internal audit and pre-audit make the certification audit considerably smoother, because you fix nonconformities in advance.
A gap analysis is a baseline assessment at the start of your journey: the auditor maps where you stand against the standard, which controls and documents are missing and what is realistically needed towards certification. The result is a concrete priority list, so you can get to work in a focused way and without waste.
A pre-audit is a dress rehearsal just before the certification audit. We audit the way the certification body does and flag nonconformities you can still fix in time. That way you enter the real audit with confidence and no surprises. A pre-audit is especially valuable for a first certification or after major changes.
A Lead Auditor leads the entire audit according to ISO 19011: they set the scope with you, draw up the audit plan, conduct interviews and sampling, weigh findings objectively and report clearly. A good Lead Auditor combines knowledge of the standard with hands-on experience and speaks the language of both technical teams and management.
An external lead auditor brings independence, knowledge of the standard and a fresh perspective that is often missing internally. They can carry out your mandatory internal audit objectively, remove surprises before the certification audit with a pre-audit, and establish your starting position with a gap analysis. They also bring benchmarks from other organisations and sectors. Read more about hiring one.
Yes. Secrotec audits for foreign companies with an office, clients or suppliers in the Netherlands, and for international organisations that want ISO 27001, NEN 7510 or ISO 9001 assessed in the Dutch context. We work on-site or remotely and report in Dutch, English, German or French. Get in touch to discuss your situation.
Both. Many audit activities — document review, interviews and sampling — work well remotely via video calls and secure document sharing. For certain elements, such as physical security or a walk-through on location, an on-site visit adds value. We agree the mix with you in advance, suited to your scope, locations and schedule.
ISO 27001
An ISO 27001 audit assesses whether your information security management system (ISMS) meets ISO 27001 and works in practice. The auditor reviews things like the risk assessment, the Statement of Applicability, the controls, the policy, the internal audits and the management review, and reports findings and improvement points.
The auditor checks both design and operation: the ISMS policy and scope, risk assessment and treatment, the Statement of Applicability, the Annex A controls, awareness and training, supplier management, incident management, logging and monitoring, internal audits, management review and continual improvement. For each area they look for evidence that it actually happens. See also what an auditor checks.
It depends on the scope, the number of employees and sites and the complexity. An internal audit at a smaller organisation can often be done in one to a few days, while a certification audit (stage 1 plus stage 2) at larger organisations takes more days. Certification bodies use guidelines based on your size for this. We give you a realistic estimate in advance.
The cost depends on the scope, the number of locations, the maturity of the ISMS and the type of audit (gap analysis, internal audit or pre-audit). Hiring per audit is usually cheaper and more flexible than employing a permanent internal auditor: you only pay for the audits you need. Request a no-obligation estimate for your situation.
Common nonconformities include: a risk assessment that doesn't match reality, a Statement of Applicability that doesn't align with the implemented controls, missing or shallow internal audits and management reviews, weak supplier and access management, insufficient evidence of awareness, and corrective actions that are never closed. The common thread: policy on paper that can't be shown to work in practice.
A major nonconformity is a serious or systematic failure showing that a requirement of the standard isn't met — for example a mandatory process that is entirely absent, or a control that demonstrably does not work. It must be resolved (and the correction verified by the certification body) before the certificate is issued. A minor nonconformity is a smaller, isolated shortcoming; you get time to fix it with a corrective action plan that the certification body reviews. Several minors in the same area can be escalated to a major, because together they point to a process that is not under control.
Yes, absolutely. ISO 27001 is risk-based and scales with your size: a small company doesn't need the same volume of documentation as a multinational. The skill is keeping controls proportionate and achievable, without a dedicated security department. Many SMEs pursue the certificate precisely to win enterprise clients or tenders. See ISO 27001 for SMEs.
For most organisations the path from start to certificate takes around three to nine months, depending on your starting point, available capacity and complexity. The ISMS also has to run demonstrably for a period (including at least one internal audit and management review) before the certification audit makes sense. A gap analysis at the start helps build a realistic timeline.
An ISMS (Information Security Management System) is the whole of policy, processes, people and controls with which you manage information security structurally. It's not a software package but a way of working: you determine risks, choose appropriate controls, implement them, measure whether they work and improve continually (the plan-do-check-act cycle). ISO 27001 sets the requirements for such an ISMS. Read what an ISMS is.
The Statement of Applicability (SoA) is a mandatory core document in which you record, for each Annex A control of ISO 27001, whether it applies, why or why not (the justification for inclusion or exclusion), and whether it is implemented. The SoA links your risk assessment and risk treatment plan to the chosen controls and is one of the first documents an auditor requests. It must match reality: a control marked as implemented in the SoA has to be demonstrable in practice.
The risk assessment is the heart of ISO 27001. You identify risks to the confidentiality, integrity and availability of information, estimate likelihood and impact, and decide which risks you accept, reduce, transfer or avoid. The chosen treatment is translated into concrete controls, recorded in the Statement of Applicability. The auditor checks whether this process is logical, repeatable and up to date.
In the 2022 version, Annex A was mainly revised: the 114 controls of the 2013 version were consolidated into 93, grouped into four themes (organisational, people, physical and technological), with eleven new controls such as threat intelligence, information security for use of cloud services and data leakage prevention. The core requirements (clauses 4 to 10) stayed largely the same, with minor wording changes. Organisations certified against the 2013 version had to migrate within the transition period. Read what changed.
ISO 27001 doesn't prescribe a fixed frequency but requires internal audits at planned intervals (clause 9.2). In practice this means at least once a year, with the full scope covered over a certification cycle. Where risks are higher or after major changes, you audit more often or more specifically. A multi-year audit programme helps plan this demonstrably.
A certification audit runs in two stages. In stage 1 the certification body mainly reviews your documentation and whether the ISMS is ready for the real assessment (a readiness review). In stage 2 the auditor tests operation in practice through interviews, observation and sampling, and records any nonconformities. After successful completion and closing of nonconformities the certificate follows, then annual surveillance audits.
ISO 27001 itself is not legally mandatory. In practice, however, the certificate is often required contractually or in tenders by clients, partners and government. It also helps you demonstrably meet legal frameworks such as the GDPR and NIS2. For many organisations ISO 27001 is therefore 'de facto' required to do business, even though it isn't written into law.
ISO 27001 and the GDPR overlap strongly but are not the same. ISO 27001 focuses on information security broadly; the GDPR on the protection of personal data. A solid ISMS produces a lot of evidence that is also useful for the GDPR (access management, incident management, processor management). For full privacy coverage, the ISO 27701 extension or a targeted GDPR and ISO 27001 approach is recommended.
NIS2 is European legislation requiring essential and important organisations to manage risk, report incidents and take board-level responsibility for cybersecurity. ISO 27001 is not a legal replacement for NIS2, but an excellent foundation: a working ISMS demonstrably covers a large part of the NIS2 obligations. Read more about NIS2 and compliance. See also the NCSC.
NEN 7510 (healthcare)
NEN 7510 is the Dutch standard for information security in healthcare. It builds on ISO 27001 and ISO 27002 but adds requirements specific to protecting patient data and other health information. Organisations that process personal health data use NEN 7510 to demonstrably handle that sensitive data with care. See our NEN 7510 audit.
In practice NEN 7510 is mandatory in the Netherlands for healthcare providers and other parties that process personal health data: the standard is designated in law as the standard to use for information security in healthcare. Regulators expect healthcare organisations to demonstrably meet NEN 7510. Check the current requirements via NEN and your own legal adviser.
Both standards share the same foundation (an information security management system), but NEN 7510 is tailored to healthcare. Where ISO 27001 is sector-neutral, NEN 7510 adds healthcare-specific controls and requirements around patient data, access to medical records and logging. In practice the two combine well: an ISO 27001-compliant ISMS is an excellent basis for NEN 7510. Read ISO 27001 and NEN 7510.
NEN 7510 applies to all organisations that process personal health data: hospitals, GPs, mental health and care institutions, but also dentists, pharmacies and care providers. The standard is also increasingly required of suppliers to healthcare, such as software vendors, hosting providers and processors working with medical data. Not sure whether it applies to you? We're happy to advise.
Yes. Because NEN 7510 is based on the same structure as ISO 27001, a combined approach is efficient: you assess the shared foundation once and give extra attention to the healthcare-specific requirements. That saves time, duplicate work and cost. See our combined audit for multiple standards at once.
Start with a risk assessment that genuinely matches your care processes, and make sure access to medical data is strictly controlled and logged. Common pitfalls are authorisation management, logging of record access and agreements with processors. An internal audit or pre-audit beforehand surfaces these points in time. Our NEN 7510 approach helps you prepare in a focused way.
ISO 9001
An ISO 9001 audit assesses your quality management system: does your organisation demonstrably meet customer and regulatory requirements, and do you improve continually? The auditor reviews things like context and objectives, processes, customer satisfaction, risk-based thinking, control of nonconformities and the management review, looking for evidence that it works in practice.
ISO 9001 is about quality management — consistently delivering what customers expect and improving continually. ISO 27001 is about information security — managing risks to the confidentiality, integrity and availability of information. Both share the same management system structure (the High Level Structure, now called the Harmonized Structure, with the same clauses 4 to 10), which makes them easy to implement and audit side by side or combined.
Things often go wrong with: objectives that aren't measurable or aren't followed up, processes that run differently from how they're described, weak control of nonconformities and corrective actions, insufficient analysis of customer satisfaction, and management reviews that are too shallow. As with ISO 27001, the common thread is the gap between the system on paper and how work really happens.
Risk-based thinking means you identify, in advance, the risks and opportunities that affect the quality of your products or services and manage them deliberately — instead of only reacting to problems afterwards. Since ISO 9001:2015 this runs as a thread through the whole standard. The auditor doesn't expect a heavy risk register, but does expect demonstrable thinking about what can go wrong and what you do about it.
Yes. Thanks to the shared management system structure, you can combine ISO 9001 and ISO 27001 (and, say, NEN 7510) well into one integrated programme. A combined audit assesses the common elements — context, leadership, objectives, internal audit, management review — in one go and handles the standard-specific requirements separately. That saves time and avoids duplicate work.
The audit process & working with Secrotec
Make sure your documentation is current and matches practice, that mandatory elements have been demonstrably carried out (risk assessment, internal audit, management review, corrective actions) and that staff know what's expected of them. Gather evidence in advance, not during the audit. An internal audit or pre-audit is the best dress rehearsal. See our preparation step-by-step plan.
For ISO 27001 these include: the ISMS scope, the information security policy, the risk assessment and risk treatment plan, the Statement of Applicability, evidence of the controls, the results of internal audits and the management review, and the register of nonconformities and corrective actions. Other standards ask for comparable core documents. We send you a clear checklist in advance.
You receive a clear audit report with the findings, prioritised by risk and impact, plus a concrete improvement plan with achievable next steps. We report in two layers: a management summary for the leadership and detailed findings for the operational teams. Afterwards you know exactly where you stand, what still needs to happen and in which order to improve.
A finding is the general result of testing evidence against the standard. A nonconformity is a finding where a requirement is demonstrably not met; you must correct it. An observation or opportunity for improvement is not a nonconformity, but a chance to strengthen something or a warning of a possible future nonconformity. Good audit reports make this distinction explicit.
No. Only an accredited certification body may issue the official ISO certificate. Secrotec is an independent Lead Auditor and performs gap analyses, internal audits, pre-audits and supplier audits. Precisely because we don't certify and don't assess work we implemented ourselves, our judgement stays impartial and usable for your certification body. We prepare you optimally; they issue the certificate.
Yes. Independence is the core of a usable audit judgement. We don't assess advisory or implementation work we delivered ourselves, and we work according to the objectivity and impartiality principles of ISO 19011. As a result our internal audit meets the impartiality requirement of ISO 27001 (clause 9.2) and our judgement is usable in the run-up to your certification.
Often within a few weeks, depending on the scope and your schedule. A no-obligation introductory call can usually happen at short notice. In it we set the scope, the right type of audit and a realistic timeline together. Do you have a deadline from a client or tender? Let us know and we'll take it into account. Get in touch to set a date.
Secrotec works for IT and SaaS companies, healthcare institutions (including NEN 7510), SMEs and suppliers to government and large clients, among others. For IT/SaaS we align with cloud and development; in healthcare with patient data; for SMEs we keep the approach light and achievable without a dedicated security department. We always tailor scope and depth to your size, risks and sector.
As an independent auditor, we can't implement work that we'd then assess ourselves — that would undermine impartiality. What we do is deliver your findings clearly and prioritised, with a concrete, actionable improvement plan, so your own team or a separate advisory party can get straight to work. That way you stay in control and the audit judgement stays clean.
A surveillance audit is a periodic check audit by the certification body, usually annual, between the three-yearly recertifications. It samples whether your management system still complies and keeps improving. With good internal audits and a working ISMS, surveillance audits usually go smoothly, because you stay continuously 'audit-ready'.
In a supplier audit you assess, on behalf of your organisation, the information security of a supplier or processor — for example against ISO 27001 or your own requirements framework. This matters more and more now that many risks sit in the supply chain: cloud, hosting and third-party software. Secrotec carries out these audits independently for you and gives you a clear, well-founded judgement on the supplier.
We conduct audits and report in Dutch and English, and on request in German or French as well. For international organisations we deliver the audit report in English, so that head office and local teams can use the same document. Let us know your preferred language when you make your request.
It's simple: get in touch via the form, email or phone and briefly describe your situation (standard, size, goal and any deadline). We schedule a no-obligation audit scan, give you a suitable estimate based on it and propose the right type of audit. You're not committed to anything until you give the go-ahead.
Can't find your question?
Book a no-obligation audit scan. In a single conversation you'll know where you stand, which type of audit fits and what the next step is.
Official sources
Want to read the standards and frameworks yourself? These are the authoritative sources behind our answers:
