Most teams treat an ISO 27001 audit like a surprise inspection by a hostile stranger. It isn't. The auditor follows a scope you agreed to, a schedule you helped set, and a Statement of Applicability you wrote. The whole exercise asks one question: does your information security management system actually run, or does it only exist in PowerPoint?
Prepare for that question and the panic evaporates.
Start with the Statement of ApplicabilityLink to this section
The SoA is the spine of the audit. It lists every control, whether it applies to you, and why. If you can't explain why a control is in or out of scope, nothing downstream will feel solid.
Walk the auditor through your risk-treatment decisions before they ask. "We excluded physical media controls because we're cloud-only, and here's the policy that says so" is the sound of a system that thinks. Silence followed by frantic searching is the sound of one that doesn't.
Evidence beats enthusiasmLink to this section
A beautifully designed policy deck proves you can use a template. It does not prove the policy is followed. Auditors want artefacts that fall out of normal operations:
- Access reviews with dates and reviewers
- Training completion and phishing-simulation results
- Change tickets that reference approvals
- Incident records, even the small ones
- Backup restore tests, logged
Collect this stuff as you go. Evidence assembled the week before an audit looks exactly like evidence assembled the week before an audit.
Rehearse the interviewsLink to this section
Auditors don't only read documents – they ask your managers and team leads how security works in practice. The fastest way to fail a strong system is to let a nervous team lead freeze and contradict the policy.
Give each interviewee thirty minutes of context beforehand: what the auditor will likely ask, where the relevant evidence lives, and permission to say "I don't know, but I know who does." Confident "here's how we actually do it" beats a memorised binder of acronyms every time.
Close the gaps you already know aboutLink to this section
Every organisation has open findings. Pretending otherwise reads as either dishonesty or blindness, and auditors are professionally allergic to both. For each known gap, show the plan, the owner, and the date. A credible remediation path earns more trust than a suspicious claim of perfection.
The new column on the agenda: AILink to this section
Auditors are increasingly asking how AI fits your risk picture, and with ISO/IEC 42001 (the AI management system standard) now in play, that questioning will only sharpen. Get ahead of it:
If your staff are pasting company data into AI tools, that's an information security control question – whether or not anyone has written it down yet.
Make sure your risk register names AI tools, your acceptable-use policy covers them, and your training mentions them. You don't need a separate AI programme to pass an ISO 27001 audit, but you do need to show you've thought about it rather than hoping the topic won't come up.
After the auditLink to this section
Write down what surprised you while it's fresh – the question you fumbled, the evidence you couldn't find fast enough, the control everyone forgot owned. That list is next year's improvement plan, handed to you for free by someone paid to find your blind spots.