Login 
You’ll need a functioning ISMS that meets all standard requirements, supported by clear documentation, regular internal audits, and evidence of ongoing risk management and improvement.
ISO 27001 audit guide
Introduction
If you’re looking to get ISO 27001 certified or maintain your existing certification, you’ll need to be ready for an audit. It might sound intimidating, but it doesn’t have to be. This guide breaks it all down for you.
We’ll explain the full audit lifecycle in plain English, covering both internal audits and certification audits. You’ll find out what happens at each stage, what auditors are looking for, and how to feel fully prepared.
Audit overview at a glance
- Audit type: Internal and Certification (external)
- Cycle: 3 years (includes 2 annual surveillance audits)
- Focus: ISMS controls, documentation, and process adherence
- Stages: Stage 1 (document review), Stage 2 (on-site audit)
What is an ISO 27001 audit?
An ISO 27001 audit is a structured assessment of how well your information security management system (ISMS) meets the requirements of the ISO/IEC 27001 Standard. It checks that your organisation is properly managing information risks and following its policies.
It helps you:
- Confirm your controls are working effectively
- Identify gaps before they become risks
- Maintain (or achieve) ISO certification
Internal vs Certification Audits
| Audit type | Purpose | Who performs it | Frequency |
|---|---|---|---|
| Internal | Self-check readiness & compliance | Internal team or consultant | At least one per year |
| Certification | Formal approval for ISO 27001 | Accredited certification body | Every 3 years + surveillance |
Both are mandatory. The internal audit is your chance to spot issues early. The certification audit is your formal review, needed to gain or renew your ISO certificate.
As a quick example: A marketing agency might use internal audits quarterly to review staff access levels, whereas a logistics firm may focus its audits on physical security and backup protocols.
Scroll
What affects the cost of ISO 27001 certification?
ISO 27001 certification costs in the UK typically range from £5,000 to £15,000 for small to mid-sized organisations. Costs vary, but a few consistent factors shape the price tag:
- Organisation size – More people, locations, and systems typically mean a longer and more complex audit
- ISMS complexity – Bespoke or highly integrated systems require deeper reviews
- Consultancy – External support can add cost, but may reduce audit time
- Location and certification body – Prices vary between UK regions and providers
- Audit readiness – Gaps and nonconformities increase the time and effort needed. If your documentation is well organised, the auditor’s job is quicker, saving costs.
For example, a 30-person digital agency with one UK office using a templated ISMS and external support might pay £6,500 for their initial certification, including Stage 1 and 2 audits. A complex manufacturing firm with multiple sites could pay £12,000–£18,000.
ISO 27001 certification audit process (Stage 1 and Stage 2)
Achieving ISO 27001 certification involves several stages:
Pre-audit prep
- Perform a gap analysis to assess where you currently stand.
- Review your documentation – is your Information Security Policy up-to-date? Are risk assessments recent and complete?
- Fix issues before your auditor finds them.
Stage 1 audit – documentation review
- Conducted off-site (usually).
- Auditor checks your documentation:
– Policies and procedures
– SoA (Statement of Applicability)
– Risk treatment plan
– Internal audit records - Confirms readiness for Stage 2
Stage 2 audit – on-site assessment
- Auditor visits your premises.
- They interview staff, review logs and procedures, and observe how your ISMS operates day to day.
- The goal: confirm that your controls are not just documented, but actually working.
Surveillance audits
- Occur annually
- These check your ongoing compliance and improvements
Recertification audit
- Happens in year 3
- Full system review similar to stage 2
Your auditor will issue a report detailing conformities, nonconformities, and recommendations.
ISO 27001 internal audit process
Internal audits are your proactive tool for staying compliant and secure. They’re a must-have under clause 9.2 of ISO 27001 and help you catch issues before external auditors do.
You need to carry out internal audits at planned intervals, usually once per year, or more frequently in high-risk areas.
Who can perform an internal audit?
- An internal team member who is trained, competent, and independent of the area they’re auditing
- An external consultant if you want extra objectivity or lack in-house expertise
How to run an internal audit in 7 steps:
-
Define the audit scope and objectives
Decide what you’re auditing and why. Is it a full ISMS review or a specific department, process, or control set? If you’re not sure what your ISMS includes, start with our ISO 27001 implementation guide. -
Assign a qualified internal auditor
The auditor must understand ISO 27001 and not be auditing their own work. They should be impartial and competent. -
Gather documentation and records
Collect all relevant documents including:– ISMS scope
– Policies and procedures
– Statement of Applicability (SoA)
– Risk assessments
– Incident logs
– Training records -
Conduct interviews and evidence checks
Interview relevant staff to check awareness and practical application. Cross-check documentation against reality. -
Record nonconformities
Identify any gaps between documented controls and actual practice. Classify findings as:– Major nonconformities
– Minor nonconformities
– Observations or opportunities for improvement -
Create an internal audit report
Summarise:– What was audited
– Who was involved
– Findings and evidence
– Recommendations and improvement areas Share the report with ISMS owners and management. -
Implement corrective actions
– Assign owners for each issue
– Agree on corrective timelines
– Track actions to closure
– Validate effectiveness before closing the audit
ISO 27001 audit checklist
No two organisations are the same, but most certification bodies will expect to see the following areas covered:
| Audit area | Examples | Why it's important | How to prepare |
|---|---|---|---|
| ISMS Scope | Documented scope statement, boundaries of ISMS, covered sites (e.g. UK HQ, Manchester office), included third-party providers. | Ensures nothing is left outside the ISMS that could expose data risks. Auditors often raise major nonconformities if scope is incomplete. | Map all systems, offices, and providers. Document inclusions/exclusions clearly. Cross-check against GDPR requirements if personal data is processed in the UK. |
| Policies | Information Security Policy, Access Control Policy, Remote Working Policy. | Policies demonstrate management intent and direction. Auditors check that they are up-to-date, communicated, and enforced. | Schedule annual policy reviews. Ensure all staff can access policies (intranet/SharePoint). Evidence communication (e.g. training completion records). |
| Controls | Annex A controls such as incident management, backup testing, physical access control. | Controls are the backbone of ISO 27001. Auditors test whether they’re both documented and implemented. | Map each control to a risk. Run internal tests (e.g. mock phishing campaigns, access badge checks). Keep logs showing controls in action. |
| Records | Risk register, treatment plan, change management logs, GDPR DPIAs. | Records prove your ISMS is not just a document set but an active system. | Use a centralised system (e.g. SharePoint/Confluence) to avoid missing evidence. Review before audit to ensure completeness and signatures. |
| Training and awareness | Staff induction training, refresher sessions, simulated phishing tests. | A frequent nonconformity in UK SMEs. Auditors interview staff to test awareness. | Run at least annual refreshers. Document attendance. Use gamified tools to drive engagement. |
| Audit and review records | Internal audit reports, management review minutes, surveillance findings. | Shows continual improvement and compliance with ISO clause 9. | Keep a rolling log of corrective actions. Show how findings were closed out. |
A checklist isn’t required by ISO, but it’s a smart way to stay organised. Use the above checklist during your internal audit and again before Stage 2. It’s handy for surveillance and recertification prep too.
Use the ISO 27001:2022 Annex A controls as a foundation, but tailor them to your context. A good checklist includes:
- What is being reviewed
- Why it’s important
- How it’s evidenced
Scroll
Common nonconformities and how to avoid them
Even experienced teams trip up during an ISO 27001 audit. Certification bodies and auditors often see the same recurring issues across UK SMEs. Once you know what to watch out for, you can take simple steps to avoid them. Below are the most common nonconformities, with real-world style examples to show how they arise — and how to prevent them.
-
Undefined ISMS scope
Your ISMS scope defines the boundaries of your information security management system. If you leave out a key location, system, or supplier, you create a blind spot that auditors will treat as a serious issue.
Example: A UK tech startup documented its scope as “Head office IT systems.” During the audit, the assessor discovered that a third-party cloud provider hosted customer data, but wasn’t included. This omission was flagged as a major nonconformity.
How to avoid it:
– Document all systems, processes, and third parties that handle information.
– Make exclusions explicit and justifiable.
– Cross-check your scope against your GDPR processing activities to ensure personal data is covered -
Weak risk assessments
Risk assessment is the backbone of ISO 27001. If your risk register is vague or doesn’t reflect real-world threats, auditors will assume your ISMS isn’t protecting your business effectively.
Example: A digital agency used a boilerplate risk register that listed “cyber attack” but ignored hybrid working risks. Employees were regularly using personal devices, yet this wasn’t assessed. The auditor concluded the risk assessment didn’t match the organisation’s actual operations.
How to avoid it:
– Tailor risks to your organisation (e.g. remote access, supply chain, phishing).
– Update assessments annually, or after major changes.
– Involve multiple stakeholders so risks reflect business-wide perspectives. -
Unimplemented controls
Your Statement of Applicability (SoA) lists which Annex A controls you’ve chosen and why. Auditors will check that you’re not only claiming these controls but also implementing them.
Example: A logistics company’s Statement of Applicability (SoA) said backups were tested regularly. In reality, no restore tests had been documented. The control existed on paper only.
How to avoid it:
– Link every control to a documented risk.
– Keep evidence (logs, reports, screenshots) that show controls are functioning.
– Review the SoA regularly to confirm it reflects actual practice. -
Missing or poor documentation
ISO 27001 relies heavily on evidence. Missing or outdated documents leave auditors with no proof that your ISMS works as intended.
Example: A growing SME had strong processes but couldn’t provide a current risk treatment plan. Without this document, the auditor couldn’t verify that risks were being tracked and addressed.
How to avoid it:
– Keep a central document repository for all ISMS materials.
– Review policies and plans at least annually.
– Archive outdated versions but make sure the current version is easy to find. -
Lack of training records
Auditors often test ISMS effectiveness by interviewing staff. If employees aren’t aware of policies or can’t answer basic security questions, it signals a weak security culture. Missing training records compound the problem.
Example: A UK SME delivered ISMS awareness training but failed to record attendance. When the auditor asked for proof, there was none. This resulted in a minor nonconformity.
How to avoid it:
– Schedule annual refresher sessions.
– Maintain a training log with dates, attendees, and outcomes.
– Consider gamified or interactive training to improve engagement. -
Neglecting internal audits
Clause 9.2 of ISO 27001 requires planned internal audits. If you don’t run them, or you fail to record findings, auditors will question your ability to self-monitor.
Example: A small UK manufacturer completed only one internal audit in three years. The certification body flagged this as a nonconformity because internal audits should occur at least annually.
How to avoid it:
– Plan internal audits every 12 months (or more frequently in high-risk areas).
– Use an independent internal auditor where possible.
– Document scope, findings, corrective actions, and close-out.
Prevention checklist
To stay on track, use this quick list before your next audit:
- Conduct quarterly risk reviews.
- Test backups regularly and keep restore logs.
- Schedule and record annual ISMS awareness training.
- Store ISMS documents in a central system.
- Map each Annex A control to a risk in your register.
- Run internal audits annually and document results.
- Review supplier contracts for data protection and security clauses.
Learn more in our ISO 27001 Risk Assessment Guide.
Tips for preparing for your audit
ISO 27001 audits can feel daunting, but good preparation makes all the difference. With the right steps in place before the auditor arrives, you’ll not only reduce the risk of nonconformities but also demonstrate confidence and professionalism. Below are practical, real-world tips to get audit-ready.
-
Set Up an Audit Folder
Why it matters:
Auditors often have limited time. If evidence is scattered across email chains, file servers, and personal laptops, you’ll waste time retrieving it — and auditors may question your organisation.How to implement:
– Create a single digital or physical folder (e.g. “ISMS Audit Evidence 2025”).
– Include key documents: ISMS scope, policies, SoA, risk assessments, incident logs, training records, and audit reports.
– Use version control so auditors always see the latest documents.Pro tip: A cloud-based repository (SharePoint, Google Drive) ensures version history and easier collaboration.
-
Nominate an Audit Lead
Why it matters:
Auditors value clear communication. Having one person coordinate responses avoids confusion and ensures queries don’t fall through the cracks.How to implement:
– Appoint a manager or ISMS coordinator as the main point of contact.
– Brief them on the ISMS in detail so they can confidently answer high-level questions.
– Ensure they have access rights to all relevant records. -
Map controls to risks
Why it matters:
ISO 27001 is risk-based. Auditors expect to see why each control exists, not just that it’s in place. Mapping controls to risks makes this link crystal clear.How to implement:
– Take your risk register and align it with the Statement of Applicability.
– For each risk, note the relevant Annex A control(s).
– Keep a simple matrix or table to show auditors how risks are managed. -
Train your team
Why it matters:
Auditors often interview staff at random. If employees don’t understand their role in the ISMS, it undermines the effectiveness of your security management.How to implement:
– Deliver a 1-hour ISMS awareness refresher before the audit.
– Cover basics: data handling, incident reporting, access control.
– Document attendance.
– Consider gamified training or quizzes to make it engaging.Example: Reception staff should know visitor log procedures; IT staff should be able to describe how incidents are escalated.
-
Run a Mock Audit
Why it matters:
Dry runs uncover gaps before the real auditor does. They also help staff feel more comfortable under questioning.How to implement (Mock Audit Guide):
1. Appoint an internal or external consultant to act as an auditor.
2. Prepare a list of typical auditor questions (e.g. “How do you handle a suspected phishing incident?”).
3. Interview staff and test evidence.
4. Record findings in a report, then implement corrective actions.Pro tip: Use this as an opportunity to stress-test your incident response — simulate a breach scenario and see how teams react.
-
Review past findings
Why it matters:
Auditors always check whether you’ve addressed previous nonconformities. If you haven’t, it can escalate into a bigger issue.How to implement:
– Keep a log of all past audit findings.
– Document corrective actions with owners and deadlines.
– Close the loop by evidencing completion (e.g. updated policy, new log entries). -
Clean up access rights
Why it matters:
Access control is a cornerstone of ISO 27001. Outdated user accounts or shared logins are a red flag for auditors.How to implement:
– Review user accounts quarterly.
– Remove expired or inactive accounts.
– Eliminate shared passwords — move to password managers or single sign-on (SSO).
– Keep evidence of reviews (e.g. screenshots of user deactivation logs).
Final checklist before the audit
- Audit folder set up and fully populated
- Audit lead briefed and available
- Controls mapped to risks
- Team trained and refresher sessions documented
- Mock audit completed and findings resolved
- Past findings closed out with evidence
- Access rights reviewed and up to date
Want to see the top 10 nonconformities our ISO consultants see during audits?
Download our free PDF guide to uncover the most common issues that trip up UK SMEs — and how to fix them before your next ISO 27001 audit.