Inside the ISO 27001 Certification Process: What the Auditor Looks For

Getting ISO 27001 certified is a big milestone. It signals to clients, partners, and stakeholders that you take information security seriously. But many teams aren’t sure what actually happens during the audit—and what the auditor is really looking for.

This post breaks it down. Whether you’re getting ready for your first certification or just starting the conversation, here’s what to expect when an ISO 27001 auditor walks through your door.

What Is ISO 27001 Certification?

ISO 27001 is an international standard for information security management. It focuses on how your organization identifies, manages, and mitigates risks to sensitive information.

The end goal is to build a functioning Information Security Management System (ISMS)—a structured framework that covers policies, processes, roles, and controls.

To get certified, you’ll need to go through a two-stage external audit conducted by an accredited certification body.

The Two Stages of the ISO 27001 Audit

Stage 1: Documentation Review

The auditor first checks whether your ISMS has been properly set up on paper. They’re not verifying implementation yet—just looking at whether your policies and procedures are aligned with ISO requirements.

Expect them to review:

  • Your ISMS scope and boundaries

  • Risk assessment and treatment methodology

  • Statement of Applicability (SoA)

  • Security policies and roles

  • Internal audit plan and management review process

  • List of controls selected (Annex A)

They’ll also assess whether you’re ready for the next phase. If your documentation is incomplete, they’ll ask for fixes before moving to Stage 2.

Stage 2: Implementation Review

This is where things get real. The auditor checks whether your ISMS is actually working—by interviewing staff, sampling evidence, and reviewing how policies are being followed.

They’ll look for:

  • Actual risk assessments and treatment plans

  • Access control records

  • Change management logs

  • Incident response documentation

  • Training and awareness sessions

  • Internal audit results

  • Management reviews and follow-ups

  • Business continuity testing (if in scope)

If there’s a gap between what’s documented and what’s practiced, it may result in a finding.

What the Auditor Cares About Most

Auditors aren’t just looking for perfectly formatted policies. They’re trying to confirm that your team:

  • Understands the ISMS and their role in it

  • Follows processes consistently

  • Reviews risks regularly and adapts when needed

  • Can respond to incidents in a controlled way

  • Learns from audits, reviews, and near misses

They’re also looking at evidence over time. A single training slide isn’t enough—you need to show that your program is being used, maintained, and improved.

What Counts as a “Finding”?

There are three types of audit findings:

  • Major Nonconformity: A serious issue that must be fixed before certification

  • Minor Nonconformity: A smaller issue that requires follow-up but doesn’t block certification

  • Observation: Not a formal issue, but something to monitor or improve

You’ll get a chance to respond to each finding and submit corrective actions. Many companies pass the audit with a few minors or observations—it’s normal.

What Happens After Certification?

Once certified, your ISO 27001 certificate is valid for three years, but there are annual surveillance audits to ensure continued compliance.

You’ll need to:

  • Keep records updated

  • Run internal audits annually

  • Conduct at least one management review per year

  • Continuously improve the ISMS based on findings and feedback

Final Thought

ISO 27001 isn’t just about passing an audit. It’s about building a system that protects your business, builds trust with customers, and improves how you manage risk.

If you’re preparing for certification, start early. Understand what the auditor will expect, involve your team, and treat it as more than a checklist.

How SAMN Consulting Can Help

We’ve helped companies across industries get certified quickly and with less stress. Our ISO 27001 services include:

  • ISMS design and documentation

  • Readiness assessments

  • Internal audit support

  • Stage 1 and Stage 2 preparation

  • Post-audit improvement guidance

📩 Contact us to schedule a consultation or request a tailored certification roadmap.
