Common Problems ISO 27001 Auditors Face

ISO 27001 is the widely known Information Security Management standard. By implementing it, organizations can manage security assets like financial information and intellectual property through an information security management system (ISMS).

However, organizations need to ensure their ISMS provides all of its benefits. That is why regular ISO 27001 audits are a must, especially since they also gauge the involvement of top management, continual improvement efforts, and ISMS processes and security controls.

To ensure that your audits are carried out efficiently, here are some problems you need to be prepared for. 

Lack of Knowledge on ISO 27001:2013 Standard

In most cases, auditees and even auditors themselves may not have a firm grasp on what ISO 27001 is. This is a recipe for disaster as it results in audits failing. 

Auditors who are unaware of the standard tend to follow their own practices rather than the clauses of the standard itself. As a result, their audits do not achieve this ISO standard’s objectives. 

Similarly, auditees who do not understand what they are up against will continuously question auditors, especially if their previous audits were handled by non-certified auditors. Therefore, they may hinder the process.

The easiest way to counter this issue is for auditors to achieve the ISO 27001 Lead Auditor certification. That way, they can handle audits effectively and navigate auditees through them. 

Emphasis on Technical Controls instead of Management Level Controls

An ISMS defines and manages controls for protecting the confidentiality, availability, and integrity of information assets. These assets are not limited to IT alone; they include capital, infrastructure, and people. 

Unfortunately, most auditors limit the scope of their audits to technical controls. This is quite an interesting phenomenon considering the standard is non-technical. However, the result of this behavior is ignoring management level controls and the bigger picture of an ISMS. 

Absence of Leadership During ISO 27001 Audits

The leadership-focused clause of the standard mandates the visible and material support of senior management. If leadership cannot verify their active involvement in the implementation and continual improvement of the ISMS, the organization will fail this audit.

If you are auditing your organization, ensure that senior management is aware of its roles and responsibilities as required by the standard. Moreover, prepare a policy and mention the areas they’ll be involved in before even commencing your audit.

Not only will this remind leadership of the commitment expected of them, but it will also help you see the evidence you need for this standard. 

Distrusting Auditors and Hiding Facts/Information

One of the common problems an auditor will come across is trust deficiency. 

Auditors collect information such as roles, responsibilities, processes, documented policies, and procedures to check the implementation of controls from a holistic perspective. Unfortunately, auditees may assume that their mistakes are being highlighted.

This gap is especially apparent when the auditee hires a certified auditor for the first time. As their previous audits may not have been as thorough, they may be skeptical of their current auditors. Contributing to this issue is the lack of auditees’ knowledge of the standard.

One of the biggest signs of distrusting auditors is auditees hiding facts or information. While upper management may do so to avoid complicating audits, leadership teams do so to avoid airing dirty laundry by documenting non-conformances. 

As an ISO 27001 auditor, you need to highlight that you need to see the controls the company is supposed to be using from a people, process and technology perspective rather than focusing on a single aspect only. Otherwise, the organization is not as quality driven as it should be.

Mixing the Requirements of ISO 27001 with the Organizations’ Own Implemented Standards  

To ‘get ISO’, organizations may focus less on ISO 27001 and more on their own set of standards. This is because organizations are reluctant to change their current practices, which they have been using for a long period of time, and hence try to fit ISO 27001 requirements into them.

While this may help them get certified, this approach will complicate audits as it may compromise the objectivity of the audits. After all, it will not be easy to compare the standard’s clauses to the actual system, especially if it is not designed by subject matter experts.

This is especially true if the auditee opts for standards or best practices that are not internationally accepted. ISO’s audit clauses will clash with these.

Lack of Documentation on Employee Training 

While carrying out an ISO 27001 audit, you may experience delays after requesting employee training proof. This is essential as Clause 7.2 of the standard mandates having competent professionals working on the ISMS and documenting evidence of relevant education, training, or experience. 

If possible, communicate that you need records of employees completing training activities before beginning the audit. That way, department and team leaders can prepare and keep this information in a centralized location for you to access. 

Some of the factors these records should detail are:

  • Employee work evaluations 
  • Certifications and degrees
  • Performance reviews 
  • Position descriptions 
  • Training attendance 

Faulty Document Control 

Like other ISO standards, ISO 27001 mandates having documentation describing the organization’s ISMS and how its outcomes are achieved. Unfortunately, document control can be challenging for organizations, especially those that still rely on paper systems or file folders in the cloud.

In this case, you will end up spending more time uncovering inconsistencies in the versioning and distribution of documents. After all, auditors need to mention document names along with their proper version controls in their audit reports.

This issue could be easily avoided by using document control software, one that preferably has ISO-compliant document control features. 


For an audit to be efficient, resources should be readily available, competent, and certified.

However, not every organization is willing to allocate a sufficient budget for the training and certification of auditors on the ISO 27001 standard. This is because they are under the assumption that, being IT auditors, they have the required skills and knowledge for the internal and external audit of the company.

Cutting costs on this aspect compromises the quality and underestimates the importance of a thorough audit and its role in the long run. Moreover, an incomplete audit leads to inefficient results and gaps in performance. Therefore, you need to alert the organization if the audit is too big for what is budgeted. Investing in the training and certification of auditors is equally important along with that of other staff.

The Bottom Line

Communication is key to solving these problems during ISO 27001 audits. However, you too need to be well-versed in conducting audits. Therefore, consider strengthening your professional portfolio with the ISO 27001 Lead Auditor certification. 

Need more help? Discuss your training needs with our Training Advisors and let us find you the best certification for achieving your career goals. 

About the Author

Currently serving as the Director Advisory Services at Business Beam, Syed Nabeel Iqbal is a lead trainer at LearningCert. In addition to being an established GRC lead consultant, he has over 16 years of industry experience, in which he conducted 10+ successful training sessions. He’s also an internationally accredited trainer for 15+ standards and frameworks, including COBIT, ITIL, and ISO standards.
