How to Prepare for an ISO 27001 Audit

Preparation accounts for 60 to 80% of total certification cost. Organisations that start the external audit underprepared pay for it in major nonconformities, delays, and repeat audit fees. This guide covers the six preparation phases every ISO 27001 project must complete.

Phase 1: Complete a gap analysis against Annex A (4-8 weeks)

Map your current controls against the 93 controls in ISO 27001:2022 Annex A. Identify which controls are implemented, partially implemented, or absent. This becomes the foundation of your Statement of Applicability and your remediation roadmap.

  • Use the official Annex A as your checklist template
  • Assign ownership for each control domain
  • Score each control: Not implemented / Partial / Implemented / Not applicable
  • Document your justification for excluding any Annex A controls

Phase 2: Build your ISMS documentation set (6-12 weeks)

ISO 27001 requires a defined set of documented procedures and policies. Auditors will review these in Stage 1. Missing or incomplete documentation is the most common reason Stage 1 audits raise major nonconformities.

  • Information Security Policy (top-level management statement)
  • Risk assessment methodology and results
  • Statement of Applicability with justifications
  • Risk treatment plan with control owners and timelines
  • Documented procedures for key processes (access control, incident management, change management)
  • Internal audit procedure and records
  • Management review records

Phase 3: Conduct a formal risk assessment (3-6 weeks)

ISO 27001 requires a systematic risk assessment covering your information assets, threats, vulnerabilities, and risk levels. The assessment must use a defined methodology and produce documented risk treatment decisions.

  • Define your risk scoring methodology before starting
  • Identify all information assets in scope
  • Map threats and vulnerabilities to each asset
  • Calculate inherent and residual risk scores
  • Link each risk to Annex A controls in your Statement of Applicability

Phase 4: Implement outstanding controls (8-16 weeks)

Remediate the gaps identified in your gap analysis. Focus first on controls that address your highest-rated risks. Auditors do not expect perfection, but they do expect evidence that implemented controls are operating and effective.

  • Prioritise by risk rating, not alphabetical order
  • Collect evidence of operation (logs, screenshots, review records)
  • Train staff on new procedures and record attendance
  • Assign a named owner for each control with accountability

Phase 5: Run an internal audit (2-4 weeks)

ISO 27001 requires at least one internal audit before certification. The internal audit must cover the full scope of the ISMS and be conducted by someone independent of the areas being audited.

  • Use auditors who are independent of the areas they audit
  • Follow a documented audit programme and checklist
  • Raise nonconformities for any gaps found
  • Close nonconformities before the external audit or be prepared to explain timelines

Phase 6: Conduct management review (1-2 weeks)

Senior management must formally review the ISMS at least once before certification. This meeting must cover the results of the risk assessment, audit findings, control performance, and decisions about continual improvement.

  • Keep detailed minutes with decisions documented
  • Ensure senior leadership (not just IT management) attends
  • Record any resource allocation decisions
  • Show the audit results and remediation status
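As an added example (not code from the original page), the following Python checker runs over a Phase 1 gap-analysis/Statement of Applicability sheet and a Phase 3 risk register and flags the two failure modes described later on this page: an incomplete SoA and risks that are not linked to applicable controls. It assumes a 1-5 likelihood and impact scale, the ISO 27001:2022 Annex A numbering (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34), and constructed sample rows.

```python
from dataclasses import dataclass, field
# ISO 27001:2022 Annex A numbering: 37 + 8 + 14 + 34 = 93 controls
ANNEX_A = [f"A.{c}.{n}" for c, k in ((5, 37), (6, 8), (7, 14), (8, 34)) for n in range(1, k + 1)]
STATUSES = {"Not implemented", "Partial", "Implemented", "Not applicable"}

@dataclass
class SoaEntry:               # one row of the gap analysis / Statement of Applicability
    control: str
    status: str
    justification: str = ""   # mandatory when status is "Not applicable"
@dataclass
class Risk:                   # one row of the risk register (assumed 1-5 scoring scale)
    risk_id: str
    likelihood: int           # 1-5
    impact: int               # 1-5
    residual: int             # assessor's residual score after treatment
    controls: list = field(default_factory=list)  # linked Annex A control IDs

def check_soa(entries):
    # Every Annex A control needs a row with a valid status; exclusions need a justification
    seen = {e.control for e in entries}
    findings = [f"{c}: missing from SoA" for c in ANNEX_A if c not in seen]
    for e in entries:
        if e.control not in ANNEX_A:
            findings.append(f"{e.control}: not an ISO 27001:2022 Annex A control")
        elif e.status not in STATUSES:
            findings.append(f"{e.control}: invalid status {e.status!r}")
        elif e.status == "Not applicable" and not e.justification.strip():
            findings.append(f"{e.control}: excluded without justification")
    return findings

def check_links(risks, entries):
    # Each risk must map to applicable controls; residual credit needs a control that operates
    soa, findings = {e.control: e.status for e in entries}, []
    for r in risks:
        inherent = r.likelihood * r.impact
        if not r.controls:
            findings.append(f"{r.risk_id}: no Annex A control linked")
        findings += [f"{r.risk_id}: linked control {c} is absent or excluded in SoA"
                     for c in r.controls if soa.get(c) in (None, "Not applicable")]
        if r.residual < inherent and not any(soa.get(c) in ("Implemented", "Partial") for c in r.controls):
            findings.append(f"{r.risk_id}: residual {r.residual} below inherent {inherent} with no implemented control")
    return findings

# Constructed sample rows: A.7.1 left out of the SoA, A.8.24 excluded without a reason, A.8.5 not yet done
SAMPLE_SOA = [SoaEntry(c, "Implemented") for c in ANNEX_A if c not in ("A.7.1", "A.8.24", "A.8.5")]
SAMPLE_SOA += [SoaEntry("A.8.24", "Not applicable"), SoaEntry("A.8.5", "Not implemented")]
SAMPLE_RISKS = [Risk("R-01", 4, 5, 8, ["A.8.5", "A.8.15"]),   # credit justified by implemented A.8.15
                Risk("R-02", 3, 4, 12, []),                     # never linked to a control
                Risk("R-03", 2, 5, 4, ["A.8.24"])]              # linked only to an excluded control
```

Running `check_soa(SAMPLE_SOA)` and `check_links(SAMPLE_RISKS, SAMPLE_SOA)` on the sample rows yields the findings an auditor would raise at Stage 1 and Stage 2 respectively.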

Common Reasons Audits Fail or Get Delayed

  • Incomplete Statement of Applicability: Stage 1 major nonconformity; audit paused until resolved.
  • No evidence of control operation: Stage 2 nonconformities raised; additional evidence sampling required.
  • Risk assessment not linked to controls: fundamental nonconformity; reassessment needed before Stage 2 can proceed.
  • No internal audit conducted: Stage 2 cannot proceed; an internal audit is a mandatory prerequisite.
  • Management review not conducted: Stage 2 nonconformity; management review records must exist.
  • Scope creep or undefined scope: ambiguous scope leads to a broader audit and higher fees.