
What does an auditor check during an ISO 27001 audit?

During an ISO 27001 audit, the auditor checks whether your ISMS demonstrably works — not merely whether it exists on paper. Among other things, they assess the organisation's context, the risk assessment, the Statement of Applicability, how controls operate, internal audits, the management review and the follow-up of improvement actions. The common thread: evidence that policy is applied in practice.

What does the auditor look at?

The auditor gathers evidence through documents, interviews and sampling. In concrete terms, this covers:

  • Context & scope — does the scope of the ISMS match reality?
  • Risk assessment & treatment — current, well-founded, linked to controls?
  • Statement of Applicability — justified for each Annex A control?
  • Controls — technical and organisational; do they demonstrably work?
  • Internal audit & management review — carried out, reported, followed up?
  • Improvement actions — are nonconformities actually corrected?
Figure: The ISO 27001 audit process in five steps: define scope, document review, interviews and sampling, findings report, improvement plan and follow-up.

Evidence over paperwork

The biggest pitfall: documents that look tidy but are not lived. An auditor probes and wants to see evidence — completed records, logging, minutes, tickets. Read the ISO 27001 audit checklist too, to see whether you have that evidence in order.

How do you prepare?

Start with a gap analysis and have an independent internal audit carried out. That way you know in advance where evidence is missing. You can read more about the full process on our page about the ISO 27001 audit.

Source: ISO/IEC 27001 — the official standard page.

Frequently asked questions

Short, direct answers — written for people and for AI search.

Both. The auditor assesses documents as well as how things work in practice: they examine, for example, access management, logging, backups and patch management through sampling and interviews. Documents alone are not enough; what matters is demonstrable operation.

That depends on the scope and size, but an auditor typically interviews a cross-section: management, the ISMS owner, IT and a few people from operations. The aim is to test whether policy is widely known and being followed.

A nonconformity is recorded with supporting evidence. In a certification audit you must correct major nonconformities before the certificate is granted; minor nonconformities are given a deadline. A good pre-audit removes these surprises in advance.

Evidence that the ISMS is alive: that risks are managed, that controls work, that the internal audit and management review genuinely take place, and that improvement actions are followed up. In short, a working improvement cycle rather than a tidy folder.

Want to know whether you are audit-ready?

Book a no-obligation audit scan and find out, in a single conversation, where you stand and what the next step is.
