An ISO 27001 certification audit is not a surprise inspection: it follows a predictable structure, examines specific evidence, and can be prepared for systematically. Most organisations that fail or get delayed at audit do so not because of weak security, but because of documentation gaps, scope ambiguities, or evidence that doesn't match what auditors expect to see.
This checklist is based on what ISO 27001:2022 auditors actually look for, drawn from our experience supporting certification across banking, healthcare, IT/SaaS, and manufacturing organisations in India.
ISO 27001 certification is granted by an accredited certification body (CB) after a two-stage audit:
After certification, surveillance audits happen annually, and a recertification audit happens every three years.
At Stage 1, auditors review whether your ISMS is properly documented. Missing or immature documentation at Stage 1 results in postponement of Stage 2.
These documents are explicitly required by ISO 27001:2022:
For each control in your Statement of Applicability (marked as applicable), auditors will expect documented procedures. Key ones:
At Stage 2, documentation is not enough; auditors want to see evidence of implementation. This is where most organisations get findings.
Common audit finding: Risk register exists, but risks have not been reviewed in 6+ months, or risk owners cannot explain their risks when interviewed.
Common audit finding: A leaver's accounts were not disabled within the policy-defined timeframe, or MFA is not enforced on all remote access paths.
Common audit finding: No incidents recorded in 12 months. Auditors are suspicious, because every organisation has events. If you have no incident log, it signals the procedure is not operating.
Common audit finding: Internal audit was completed too close to Stage 2 (less than 4 weeks before), or the internal auditor audited their own work.
Common audit finding: Management review was a box-ticking exercise: minutes show no real discussion, no decisions, and no assigned actions.
Common audit finding: Cloud providers (AWS, Azure, Microsoft 365) not included in supplier register, or no security clauses in supplier contracts.
Common audit finding: BCP exists but has never been tested. ISO 27001 requires evidence of testing, not just the existence of a plan.
Based on our experience supporting certifications, these are the most frequent causes of audit delays or non-conformities:
Statement of Applicability not justified: Controls are marked as applicable or not applicable without a documented reason. Every exclusion needs a justification.
Risk register not maintained: The risk register was completed as a one-time exercise and has not been reviewed since. Risks must be reviewed at defined intervals.
Internal audit too shallow: The internal audit only covered documentation, not whether controls are operating in practice. Auditors interview staff and request evidence samples.
Management review pro-forma: Management review minutes that clearly show no real discussion took place. Top management must demonstrate genuine engagement with ISMS performance.
Scope too narrow or too broad: An overly narrow scope (e.g., one server room excluded from the scope boundary) raises questions about what you are protecting. An overly broad scope means more controls to implement and evidence to collect.
No evidence of corrective action: Nonconformities were identified (in internal audits or incidents) but no corrective action was documented or completed.
Staff cannot answer questions: Auditors interview staff across the organisation. If employees cannot explain the information security policy, what to do in a security incident, or what their access control obligations are, this is a nonconformity even if the documentation is perfect.
If you are transitioning from ISO 27001:2013, note that the 2022 version introduced:
All new certifications issued after October 2023 must be against ISO 27001:2022. Organisations certified against 2013 must transition by October 2025.
For a typical Indian mid-market organisation (100–500 employees, cloud-first, single office):
| Phase | Typical Duration |
|---|---|
| Gap assessment | 2–3 weeks |
| ISMS design and documentation | 4–8 weeks |
| Control implementation | 8–16 weeks |
| Internal audit | 2 weeks |
| Management review | 1 week |
| Stage 1 audit | 1–2 days |
| Stage 1 finding remediation | 2–4 weeks |
| Stage 2 audit | 2–3 days |
| Total end-to-end | 4–6 months |
Organisations that have existing security controls (MFA, endpoint protection, logging) in place will reach the faster end. Greenfield implementations typically take 6–8 months.
Crewtec's ISO 27001 consulting practice covers the full certification journey:
Our consultants are ISO 27001 Lead Auditors, so they know exactly what certification body auditors look for because they perform audits themselves.