What Will the Auditor Ask Your Team?
A complete department-by-department ISO 27001:2022 certification preparation guide. Interactive checklists, examiner questions, and insider context for every function that will face a certification body auditor.
Audit Preparation Tracker
- Asset inventory maintained covering all information assets (hardware, software, data, services) [ISO 27001:2022 · A.8.1 / A.5.9]
- Asset ownership assigned and recorded for every asset in scope [ISO 27001:2022 · A.5.9]
- Acceptable use policy documented and communicated to all staff [ISO 27001:2022 · A.5.10]
- Information classification scheme defined and applied to all assets [ISO 27001:2022 · A.5.12 / A.5.13]
- Access control policy documented and implemented (least privilege, need-to-know) [ISO 27001:2022 · A.8.2 / A.5.15]
- User access provisioning and de-provisioning process documented and tested [ISO 27001:2022 · A.5.16 / A.5.18]
- Privileged access rights managed, reviewed, and time-limited where possible [ISO 27001:2022 · A.8.2 / A.5.18]
- User access reviews conducted and documented (minimum annual) [ISO 27001:2022 · A.5.18]
- Multi-factor authentication deployed on all remote access and privileged systems [ISO 27001:2022 · A.8.5]
- Password / authentication management policy implemented and enforced [ISO 27001:2022 · A.5.17]
- Network segregation implemented — critical systems isolated from general network [ISO 27001:2022 · A.8.20 / A.8.22]
- Firewall and perimeter security controls documented and tested [ISO 27001:2022 · A.8.20]
- Cryptographic controls policy defined — encryption at rest and in transit enforced [ISO 27001:2022 · A.8.24]
- Key management procedures documented and followed [ISO 27001:2022 · A.8.24]
- Capacity management process in place for all critical systems [ISO 27001:2022 · A.8.6]
- Change management process documented — security impact assessed for all changes [ISO 27001:2022 · A.8.32]
- Vulnerability management process with tracked remediation timelines [ISO 27001:2022 · A.8.8]
- Patch management policy and records for last 90 days available [ISO 27001:2022 · A.8.8]
- Malware protection deployed and updated on all endpoints [ISO 27001:2022 · A.8.7]
- Security event logging enabled and log review process active on critical systems [ISO 27001:2022 · A.8.15 / A.8.16]
- Monitoring and alerting in place for security events and anomalies [ISO 27001:2022 · A.8.16]
- Backup and recovery procedures documented, tested, and RTO/RPO defined [ISO 27001:2022 · A.8.13]
- Penetration test or technical vulnerability assessment conducted within last 12 months [ISO 27001:2022 · A.8.8]
- Secure software development lifecycle (SSDLC) policy implemented [ISO 27001:2022 · A.8.25 / A.8.26]
- Clock synchronisation enforced across all systems (NTP) [ISO 27001:2022 · A.8.17]
- Information transfer policy covering email, file sharing, and removable media [ISO 27001:2022 · A.5.14]
- Web filtering and application controls active for internet-facing systems [ISO 27001:2022 · A.8.23]
- Mobile device and BYOD management policy enforced [ISO 27001:2022 · A.8.1]
- Remote wipe capability confirmed for all mobile and remote-access devices [ISO 27001:2022 · A.8.1]
- Cloud service usage policy documented with approved providers listed [ISO 27001:2022 · A.5.23]
IT is the most heavily scrutinised department in any ISO/IEC 27001:2022 certification audit. Stage 2 assessments allocate more auditor time here than to any other function, and the interview methodology is designed to test whether your Annexe A technical controls operate in practice — not just whether they exist on paper.
The failure mode we see repeatedly is the gap between the Statement of Applicability (SoA) and the live environment. An SoA that declares A.8.2 (Privileged access rights) as implemented, paired with a domain where three leavers still hold active admin accounts, is not a minor finding — it is a major nonconformity that will delay certification.
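The SoA-versus-live-environment check described above can be run before the auditor does it. The script below is an added example, not code from this guide or from any certification body: it reconciles a claimed "implemented" status for A.8.2 against a directory export and an HR leavers list, flagging leavers who still hold enabled privileged accounts (the major nonconformity the text describes) and privileged accounts whose rights have not been reviewed within a year (the A.5.18 checklist item). The group names, record layout and all sample records are constructed assumptions, not any real product's export format.

```python
"""Reconcile the SoA claim for A.8.2 (privileged access rights) against a directory
export and an HR leavers list. Added illustration: every record below is constructed
sample data, and the group names and field layout are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed names of the groups that confer privileged rights in the constructed directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}


@dataclass
class Account:
    username: str
    enabled: bool
    groups: set
    last_access_review: date  # when this account's rights were last formally reviewed


@dataclass
class Finding:
    control: str
    username: str
    issue: str
    severity: str  # "major" or "minor", in the sense the guide uses


def reconcile_privileged_access(soa, accounts, leavers, as_of, review_interval_days=365):
    """Return the findings an auditor would raise when the SoA says A.8.2 is implemented
    but the live directory shows otherwise.

    soa      : dict of control id -> SoA status string
    accounts : list of Account, one per directory object
    leavers  : dict of username -> final working day, supplied by HR
    as_of    : the date on which the evidence is examined
    """
    findings = []
    if soa.get("A.8.2") != "implemented":
        return findings  # nothing claimed, so nothing to reconcile
    for acct in accounts:
        if not (acct.groups & PRIVILEGED_GROUPS):
            continue  # only privileged accounts are in scope for this check
        last_day = leavers.get(acct.username)
        if acct.enabled and last_day is not None and last_day < as_of:
            findings.append(Finding(
                "A.8.2", acct.username,
                f"leaver (final working day {last_day}) still holds an enabled privileged account",
                "major"))
        # Annual review of privileged rights is the A.5.18 item in the checklist above.
        if as_of - acct.last_access_review > timedelta(days=review_interval_days):
            findings.append(Finding(
                "A.5.18", acct.username,
                f"privileged rights not reviewed since {acct.last_access_review}",
                "minor"))
    return findings


def verdict(findings):
    """Collapse a list of findings into the worst outcome for the control."""
    if any(f.severity == "major" for f in findings):
        return "major nonconformity"
    if findings:
        return "minor nonconformity"
    return "conforms"


# ---- constructed sample data -------------------------------------------------
SOA = {"A.8.2": "implemented", "A.5.18": "implemented"}
AS_OF = date(2024, 6, 1)
ACCOUNTS = [
    Account("jdoe", True, {"Domain Admins", "Domain Users"}, date(2024, 1, 10)),  # leaver, still enabled
    Account("asmith", False, {"Server Operators"}, date(2024, 1, 10)),             # leaver, correctly disabled
    Account("svc_backup", True, {"Domain Admins"}, date(2023, 2, 1)),              # review overdue
    Account("mjones", True, {"Domain Admins"}, date(2024, 4, 2)),                  # clean
    Account("bwong", True, {"Domain Users"}, date(2022, 1, 1)),                    # not privileged, ignored
]
LEAVERS = {"jdoe": date(2024, 3, 15), "asmith": date(2024, 5, 31)}

if __name__ == "__main__":
    found = reconcile_privileged_access(SOA, ACCOUNTS, LEAVERS, AS_OF)
    for f in found:
        print(f"[{f.severity}] {f.control} {f.username}: {f.issue}")
    print("Verdict:", verdict(found))
```

Run against a real export, the two inputs that matter are an authoritative leavers feed from HR and a reliable "last reviewed" date per account; if either is missing, that absence is itself the evidence gap the auditor will find.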
The second most probed area is logging and monitoring. Under A.8.15 and A.8.16, the auditor expects evidence that logs are not only generated but actively reviewed, with alerting tied to defined use cases and investigated anomalies documented end-to-end.
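What "alerting tied to defined use cases" looks like in practice, as an added example that is not part of the original guide: a small log review that parses constructed sshd-style authentication lines, evaluates three named use cases over them, and emits alert records carrying the use-case id, the exact lines that triggered it and a status/notes pair, so each alert can be shown to the auditor as an investigation with a beginning and an end. The log format, the use-case definitions, the thresholds and the account names are all constructed assumptions.

```python
"""Log review against defined use cases, producing alert records that carry their evidence.
Added illustration: the log lines, use-case definitions and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the constructed sshd-style lines used below; real syslog formats vary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<event>Failed password|Accepted password) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# The defined use cases the review is tied to (A.8.16 expects alerts to map to these).
USE_CASES = {
    "UC-01": "5 or more failed logins for one user from one source within 10 minutes",
    "UC-02": "successful login to an account on the disabled/leaver list",
    "UC-03": "successful login preceded by failed attempts from the same source within 10 minutes",
}


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "ok": m["event"].startswith("Accepted"),
            "user": m["user"],
            "src": m["src"],
            "raw": line,
        })
    return events


def make_alert(use_case, ev, evidence):
    """An alert record with the fields an auditor asks for: which use case fired, on what,
    the lines that triggered it, and a status/notes pair for the investigation trail."""
    return {
        "use_case": use_case,
        "description": USE_CASES[use_case],
        "host": ev["host"],
        "user": ev["user"],
        "src": ev["src"],
        "first_seen": evidence[0]["ts"].isoformat(),
        "evidence": [e["raw"] for e in evidence],
        "status": "open",
        "investigation_notes": "",
    }


def review(events, disabled_accounts, window=timedelta(minutes=10), threshold=5):
    """Run the use cases over events in time order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failures still inside the window
    fired = set()                        # (user, src) pairs for which UC-01 already fired
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Age out failures that have left the window before evaluating this event.
        recent_failures[key] = [f for f in recent_failures[key] if ev["ts"] - f["ts"] <= window]
        if not ev["ok"]:
            recent_failures[key].append(ev)
            if len(recent_failures[key]) >= threshold and key not in fired:
                fired.add(key)
                alerts.append(make_alert("UC-01", ev, list(recent_failures[key])))
        else:
            if ev["user"] in disabled_accounts:
                alerts.append(make_alert("UC-02", ev, [ev]))
            if recent_failures[key]:
                alerts.append(make_alert("UC-03", ev, recent_failures[key] + [ev]))
    return alerts


# ---- constructed sample log and disabled-account list ----------------------
SAMPLE_LOG = [
    "2024-06-01T08:02:11Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:02:40Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:03:05Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:03:33Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:04:02Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:04:30Z srv-db01 sshd: Failed password for admin from 10.0.5.23",
    "2024-06-01T08:06:00Z srv-db01 sshd: Accepted password for admin from 10.0.5.23",
    "2024-06-01T09:00:00Z srv-db01 sshd: Accepted password for jdoe from 10.0.9.8",
    "2024-06-01T09:15:00Z srv-db01 sshd: Accepted password for mjones from 10.0.9.9",
    "2024-06-01T09:20:00Z srv-db01 cron: session opened for root",  # not an auth event, skipped
]
DISABLED_ACCOUNTS = {"jdoe"}  # constructed: a leaver whose account should have been disabled

if __name__ == "__main__":
    for a in review(parse(SAMPLE_LOG), DISABLED_ACCOUNTS):
        print(a["use_case"], a["user"], a["src"], "first seen", a["first_seen"], "status", a["status"])
```

The point for the audit is the record, not the rule: each alert names its use case, lists its evidence and starts in an "open" state that the review process has to close with notes, which is the end-to-end trail the auditor will ask to see.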
- Information security responsibilities defined in employment terms and conditions [ISO 27001:2022 · A.6.2]
- Background verification checks conducted for all staff appropriate to role and risk [ISO 27001:2022 · A.6.1]
- IS responsibilities and obligations communicated before granting system access [ISO 27001:2022 · A.6.2]
- Confidentiality / non-disclosure agreements signed by all staff and contractors [ISO 27001:2022 · A.6.6]
- Information security awareness training programme documented with defined curriculum [ISO 27001:2022 · A.6.3]
- Individual training completion records maintained and available per employee [ISO 27001:2022 · A.6.3]
- Role-specific IS training delivered to staff with elevated access or sensitive data responsibilities [ISO 27001:2022 · A.6.3]
- IS awareness programme updated at least annually to reflect current threat landscape [ISO 27001:2022 · A.6.3]
- Phishing simulation or social engineering awareness tests conducted and results documented [ISO 27001:2022 · A.6.3]
- Disciplinary process for IS policy violations defined, communicated, and applied consistently [ISO 27001:2022 · A.6.4]
- Remote working security policy documented and signed by all remote workers [ISO 27001:2022 · A.6.7]
- Off-boarding checklist ensures access revocation on or before final working day [ISO 27001:2022 · A.6.5]
- All company assets (devices, access cards, tokens) returned and logged on departure [ISO 27001:2022 · A.6.5]
- Post-employment confidentiality obligations enforced for roles with sensitive data access [ISO 27001:2022 · A.6.5]
- Contractors and temporary staff covered under equivalent IS obligations to permanent staff [ISO 27001:2022 · A.6.6]
HR departments are consistently where ISO/IEC 27001:2022 auditors find the most documentation failures. Not because the people controls (Annexe A.6) are missing, but because the evidence chain linking each individual employee to each required control is incomplete.
The auditor’s method for HR is straightforward: they will sample five to ten employees by name and ask to see, for each one, the signed NDA, the onboarding IS acknowledgement, the training completion record, and the access-provisioning record. A single gap against a single named individual becomes a finding.
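The per-person evidence chain can be checked with the same sampling method before the auditor applies it. This is an added example, not code from this guide: it picks a handful of employees from a constructed staff list, then checks each one for the signed NDA, the onboarding acknowledgement, a training record within the last year, and the access-provisioning record, including the ordering rules the checklist above implies (obligations acknowledged before access is granted, access revoked on or before the final working day). The record layout, field names and all staff entries are constructed assumptions.

```python
"""Sample employees the way the auditor does and check the evidence chain for each one.
Added illustration: the staff records are constructed and the field names are assumptions."""
import random
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    name: str
    nda_signed: Optional[date]           # A.6.6
    is_acknowledged: Optional[date]      # onboarding IS responsibilities acknowledged, A.6.2
    training_completed: Optional[date]   # most recent awareness training, A.6.3
    access_provisioned: Optional[date]   # first system access granted, A.5.16
    last_day: Optional[date] = None      # set only for leavers
    access_revoked: Optional[date] = None


def sample_like_auditor(staff, n, seed):
    """Pick n people by name; the seed only makes the illustration repeatable."""
    return random.Random(seed).sample(staff, min(n, len(staff)))


def evidence_gaps(e, as_of, training_max_age_days=365):
    """Every gap returned here is a finding against that one named individual."""
    gaps = []
    if e.nda_signed is None:
        gaps.append("A.6.6: no signed NDA on file")
    if e.is_acknowledged is None:
        gaps.append("A.6.2: no onboarding IS acknowledgement")
    if e.training_completed is None:
        gaps.append("A.6.3: no training completion record")
    elif (as_of - e.training_completed).days > training_max_age_days:
        gaps.append(f"A.6.3: training record older than {training_max_age_days} days")
    if e.access_provisioned is None:
        gaps.append("A.5.16: no access-provisioning record")
    elif e.is_acknowledged is not None and e.access_provisioned < e.is_acknowledged:
        # Ordering matters: obligations must be communicated before access is granted.
        gaps.append("A.6.2: access granted before IS obligations acknowledged")
    if e.last_day is not None:
        if e.access_revoked is None:
            gaps.append("A.6.5: leaver with no access-revocation record")
        elif e.access_revoked > e.last_day:
            gaps.append("A.6.5: access revoked after final working day")
    return gaps


def audit_sample(staff, as_of, n=5, seed=27001):
    """Name -> list of gaps for each sampled person; an empty list means the chain is complete."""
    return {e.name: evidence_gaps(e, as_of) for e in sample_like_auditor(staff, n, seed)}


# ---- constructed sample data -------------------------------------------------
AS_OF = date(2024, 6, 1)
STAFF = [
    # complete chain
    Employee("A. Okafor", date(2022, 3, 1), date(2022, 3, 1), date(2024, 2, 1), date(2022, 3, 2)),
    # no NDA, stale training, access granted four days before the acknowledgement
    Employee("B. Lindqvist", None, date(2023, 9, 5), date(2023, 4, 1), date(2023, 9, 1)),
    # leaver whose access outlived the final working day
    Employee("C. Rahman", date(2021, 6, 1), date(2021, 6, 1), date(2024, 1, 20), date(2021, 6, 1),
             last_day=date(2024, 3, 29), access_revoked=date(2024, 4, 2)),
    # contractor with no training record yet
    Employee("D. Varga (agency)", date(2024, 5, 1), date(2024, 5, 1), None, date(2024, 5, 2)),
]

if __name__ == "__main__":
    for name, gaps in audit_sample(STAFF, AS_OF, n=3).items():
        print(name, "->", gaps or "complete")
```

Sampling by name rather than by role is deliberate: it mirrors the auditor's method, and a contractor or a leaver is as likely to be drawn as a long-serving employee, which is exactly where the chain tends to break.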
- Physical security perimeter defined and documented for all secure areas [ISO 27001:2022 · A.7.1]
- Physical entry controls deployed at all access points to secure areas [ISO 27001:2022 · A.7.2]
- Access authorisation records maintained — who is permitted where and why [ISO 27001:2022 · A.7.2]
- Access logs reviewed regularly and anomalies investigated and documented [ISO 27001:2022 · A.7.2]
- Visitor registration and escort process documented and consistently applied [ISO 27001:2022 · A.7.2]
- Visitor log maintained with entry/exit times retained (minimum 3 months) [ISO 27001:2022 · A.7.2]
- Offices, rooms, and facilities protected against unauthorised physical access [ISO 27001:2022 · A.7.3]
- Physical security monitoring (CCTV or equivalent) operational in all secure areas [ISO 27001:2022 · A.7.4]
- CCTV footage retention meets organisational policy (minimum 30 days recommended) [ISO 27001:2022 · A.7.4]
- Equipment physically protected against environmental threats and hazards [ISO 27001:2022 · A.7.8]
- Server room / data centre access restricted, separately logged, and access reviewed [ISO 27001:2022 · A.7.5]
- Environmental controls (UPS, fire suppression, temperature) tested and documented [ISO 27001:2022 · A.7.5]
- Clear desk and clear screen policy implemented and enforced [ISO 27001:2022 · A.7.7]
- Secure document destruction (cross-cut shredding or certified contractor) in place [ISO 27001:2022 · A.7.10]
- Equipment disposal and data sanitisation procedure documented with destruction records [ISO 27001:2022 · A.7.14]
- Unattended equipment policy enforced — workstations locked when not in use [ISO 27001:2022 · A.7.7]
- Cable security for power and data cabling documented and implemented [ISO 27001:2022 · A.7.12]
- Supporting utilities (power, water, HVAC) documented and redundancy assessed [ISO 27001:2022 · A.7.11]
Annexe A.7 is the one part of ISO/IEC 27001:2022 that cannot be prepared for on paper. The auditor will physically walk your site — reception, secure zones, comms rooms, destruction points — and will compare what they see against what your policies claim.
The most common failures are not the absence of controls, but the absence of consistent application. A clear-desk policy that is printed and posted but ignored on the third floor is more damaging than no policy at all, because it demonstrates an ISMS that isn’t enforced.
The auditor will also test the visitor process live — often by observing the reception experience when they themselves arrived. If escort, sign-in, and badge-issue weren’t applied rigorously to the auditor, that observation typically appears in the report.
- IS policy approved and signed by top management — current version in use [ISO 27001:2022 · Cl.5.2]
- ISMS scope defined and documented, covering all relevant assets and processes [ISO 27001:2022 · Cl.4.3]
- IS roles and responsibilities formally assigned — CISO or IS officer named [ISO 27001:2022 · Cl.5.3]
- Management commitment to ISMS evidenced through resource allocation and participation [ISO 27001:2022 · Cl.5.1]
- Internal and external issues affecting IS identified and documented (context analysis) [ISO 27001:2022 · Cl.4.1]
- Interested parties and their IS requirements identified and documented [ISO 27001:2022 · Cl.4.2]
- Information security risk assessment methodology defined and applied consistently [ISO 27001:2022 · Cl.6.1.2]
- Risk register maintained with named owners and documented treatment decisions [ISO 27001:2022 · Cl.6.1.2 / Cl.6.1.3]
- Risk treatment plan documented and linked to implementation of Annexe A controls [ISO 27001:2022 · Cl.6.1.3]
- Statement of Applicability (SoA) completed, current, and approved by management [ISO 27001:2022 · Cl.6.1.3]
- IS objectives defined, measurable, and tracked with progress reported to management [ISO 27001:2022 · Cl.6.2]
- Management review held within last 12 months with documented inputs, outputs, and decisions [ISO 27001:2022 · Cl.9.3]
- Internal audit programme planned, completed, and findings reported to management [ISO 27001:2022 · Cl.9.2]
- Nonconformities documented with root cause analysis and corrective actions assigned [ISO 27001:2022 · Cl.10.2]
- Corrective action effectiveness verified before closure — no repeat findings accepted [ISO 27001:2022 · Cl.10.2]
- Continual improvement evidenced through documented actions and measurable outcomes [ISO 27001:2022 · Cl.10.1]
- IS budget and resources allocated and evidenced for ISMS maintenance and improvement [ISO 27001:2022 · Cl.7.1]
- Communication plan for IS matters defined — internal and external channels documented [ISO 27001:2022 · Cl.7.4]
The management interview under Clauses 4–10 is where ISO/IEC 27001:2022 certification is won or lost. Technical controls can be patched quickly; a weak governance story cannot. The auditor is testing whether top management genuinely owns the ISMS, or whether it has been delegated and forgotten.
The single most common failure is a management review that exists as a document but not as a decision. Minutes that record “the ISMS was reviewed and found to be effective” without inputs, outputs, risk decisions, or resource commitments will be treated as a nonconformity against Clause 9.3.
If the answer is generic or deferred to the CISO, the auditor now has reason to question leadership commitment under Clause 5.1 — and that line of questioning ripples through the rest of the audit.
- Data classification applied to all R&D files, designs, and intellectual property [ISO 27001:2022 · A.5.12 / A.5.13]
- Secure development policy defined and communicated to all engineering staff [ISO 27001:2022 · A.8.25]
- Secure coding guidelines documented and applied in the development process [ISO 27001:2022 · A.8.26]
- Code review process includes security checks — evidence of reviews available [ISO 27001:2022 · A.8.26]
- Development, test, and production environments separated — access controls enforced [ISO 27001:2022 · A.8.31]
- Source code and design file repositories access-controlled with audit trail [ISO 27001:2022 · A.8.4]
- Version control system in use for all design and code assets [ISO 27001:2022 · A.8.4]
- Security testing performed before deployment or release of new systems [ISO 27001:2022 · A.8.29]
- Test data derived from or equivalent to production data protected appropriately [ISO 27001:2022 · A.8.33]
- Configuration management process documented — system configurations recorded [ISO 27001:2022 · A.8.9]
- Technical vulnerability management applied to development tools and environments [ISO 27001:2022 · A.8.8]
- Information leakage prevention controls active on engineering workstations and systems [ISO 27001:2022 · A.8.12]
- USB and removable media policy enforced in engineering environments [ISO 27001:2022 · A.8.11]
- Approved file transfer channels documented and enforced for sensitive design data [ISO 27001:2022 · A.5.14]
- Screen lock and workstation auto-timeout enforced in engineering areas [ISO 27001:2022 · A.8.1]
- Engineering staff trained on data classification and secure handling obligations [ISO 27001:2022 · A.6.3]
- Outsourced development activities governed by contractual security requirements [ISO 27001:2022 · A.8.30]
- Intellectual property rights and licensing obligations tracked and documented [ISO 27001:2022 · A.5.32]
Engineering is where Annexe A.8.25–8.32 meets the messy reality of how software and products actually get built. Auditors know this, and the engineering interview is designed to test whether secure development is a published policy or a lived practice.
The biggest single gap is the separation of development, test, and production environments (A.8.31). If a developer can push directly to production, or if production data is being used for testing without protection, no amount of secure-coding policy will compensate.
The second area of focus is information leakage (A.8.12): USB policy, approved file-transfer channels, and controls over developer workstations. A laptop full of IP that can copy to any USB drive is an immediate finding.
- Legal, statutory, regulatory, and contractual IS requirements register maintained and current [ISO 27001:2022 · A.5.31]
- Intellectual property rights — software licensing and IP obligations documented and compliant [ISO 27001:2022 · A.5.32]
- Records management policy covering retention periods and secure deletion for all record types [ISO 27001:2022 · A.5.33]
- Privacy and personal data protection policy aligned with GDPR and applicable regulations [ISO 27001:2022 · A.5.34]
- Records of processing activities (RoPA) maintained, current, and covering all processing [ISO 27001:2022 · A.5.34]
- Data processing agreements (DPAs) executed with all processors handling personal data [ISO 27001:2022 · A.5.34]
- Data breach notification procedure documented — 72-hour GDPR obligation understood and rehearsed [ISO 27001:2022 · A.5.34]
- Data protection impact assessments (DPIAs) conducted for all high-risk processing activities [ISO 27001:2022 · A.5.34]
- Cross-border data transfer mechanisms documented and current (post-Schrems II) [ISO 27001:2022 · A.5.34]
- Privacy notices in place for all data subjects — accurate and current [ISO 27001:2022 · A.5.34]
- Customer and partner contractual IS obligations mapped to internal controls [ISO 27001:2022 · A.5.31]
- Non-disclosure agreements in place with all parties handling confidential information [ISO 27001:2022 · A.5.31]
- Export control obligations reviewed and compliance documented where applicable [ISO 27001:2022 · A.5.31]
- IS compliance review process — periodic check that controls meet legal obligations [ISO 27001:2022 · A.5.35]
- Independent IS review (internal audit or external assessment) conducted within last 12 months [ISO 27001:2022 · A.5.35]
- Regulatory change monitoring process in place — new obligations captured and assessed [ISO 27001:2022 · A.5.36]
Annexe A.5.31–5.36 is where information security meets the law. The compliance register is a small document on paper, but it is the spine of your ISMS’s legal defensibility — and auditors know most organisations maintain it poorly.
The test is simple: the auditor will pick a jurisdiction, a customer contract, or a regulation (typically GDPR), and ask you to walk from the obligation to the specific internal control that meets it. Any break in that chain is a finding under A.5.31 or A.5.35.
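The obligation-to-control walk can be rehearsed in code. The following is an added example, not part of this guide: it takes a constructed compliance register, the SoA and a list of evidence documents per control, and reports every break in the chain, classifying unmapped or unclaimed controls under A.5.31 and missing or stale evidence under A.5.35, as the text describes. The obligations, the mapping of the GDPR breach-notification duty to A.5.34 and A.5.24 (incident management planning, a control not named elsewhere on this page), the SoA entries and the document names are all constructed assumptions.

```python
"""Walk from each legal/contractual obligation to the control that meets it and to the
evidence that the control operates. Added illustration: the register, the SoA and the
evidence lists are constructed, and the obligation-to-control mappings are assumptions."""
from datetime import date


def trace_obligations(register, soa, evidence, as_of, max_evidence_age_days=365):
    """Return (obligation id, control cited for the finding, description) for every break
    in the chain obligation -> control -> current evidence.

    register : list of {"id", "source", "obligation", "controls": [control ids]}
    soa      : dict of control id -> SoA status string
    evidence : dict of control id -> list of {"name", "last_reviewed": date}
    """
    findings = []
    for ob in register:
        if not ob["controls"]:
            findings.append((ob["id"], "A.5.31", "obligation not mapped to any control"))
            continue
        for cid in ob["controls"]:
            status = soa.get(cid, "absent from SoA")
            if status != "implemented":
                findings.append((ob["id"], "A.5.31", f"{cid} is '{status}' in the SoA"))
                continue
            docs = evidence.get(cid, [])
            if not docs:
                findings.append((ob["id"], "A.5.35", f"{cid} has no evidence of operation"))
                continue
            for d in docs:
                # Evidence older than the review interval is not "current".
                if (as_of - d["last_reviewed"]).days > max_evidence_age_days:
                    findings.append((ob["id"], "A.5.35",
                                     f"{d['name']} for {cid} last reviewed {d['last_reviewed']}"))
    return findings


# ---- constructed sample data -------------------------------------------------
REGISTER = [
    {"id": "OB-01", "source": "GDPR",
     "obligation": "notify the supervisory authority of a personal data breach within 72 hours",
     "controls": ["A.5.34", "A.5.24"]},
    {"id": "OB-02", "source": "customer contract (constructed)",
     "obligation": "encrypt customer data in transit",
     "controls": ["A.8.24"]},
    {"id": "OB-03", "source": "export control",
     "obligation": "restrict controlled technical data to authorised persons",
     "controls": []},                                   # never mapped: a break at the first link
    {"id": "OB-04", "source": "records law (constructed)",
     "obligation": "retain financial records for the statutory period",
     "controls": ["A.5.33"]},
]
SOA = {"A.5.34": "implemented", "A.5.24": "implemented",
       "A.8.24": "implemented", "A.5.33": "not applicable"}  # SoA contradicts OB-04
EVIDENCE = {
    "A.5.34": [{"name": "Breach notification procedure", "last_reviewed": date(2024, 1, 15)},
               {"name": "Breach drill record", "last_reviewed": date(2024, 3, 4)}],
    "A.5.24": [{"name": "Incident response plan", "last_reviewed": date(2023, 2, 1)}],  # stale
    # A.8.24 has no evidence on file at all
}
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for ob_id, control, issue in trace_obligations(REGISTER, SOA, EVIDENCE, AS_OF):
        print(f"{ob_id} -> finding under {control}: {issue}")
```

The four sample obligations are chosen so that each fails at a different link: no control mapped, a control the SoA says is not applicable, a control with no evidence, and a control whose evidence is out of date. A register that survives this walk for every row is the "chain" the auditor is looking for.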
Privacy is the most frequent focus area: RoPA, DPAs, DPIAs, cross-border transfers, and breach notification. Each needs to be evidenced, current, and connected to the ISMS — not sitting in a separate privacy silo.
- Supplier and third-party IS policy defined — security requirements for all suppliers documented [ISO 27001:2022 · A.5.19]
- Supplier register maintained identifying all suppliers with access to IS-scope assets [ISO 27001:2022 · A.5.19]
- IS requirements included in all supplier contracts before access is granted [ISO 27001:2022 · A.5.20]
- Right-to-audit clause included in contracts with critical or high-risk suppliers [ISO 27001:2022 · A.5.20]
- Supplier security assessment or questionnaire completed for all in-scope suppliers [ISO 27001:2022 · A.5.19]
- Cloud and SaaS provider security reviewed — certifications verified and scope confirmed [ISO 27001:2022 · A.5.23]
- Information security in ICT supply chain — software and hardware supply chain risks assessed [ISO 27001:2022 · A.5.21]
- Supplier performance monitoring process in place — IS obligations reviewed periodically [ISO 27001:2022 · A.5.22]
- Supplier risk tiering documented — higher-risk suppliers subject to more rigorous review [ISO 27001:2022 · A.5.19]
- Changes to supplier services — IS impact assessed before changes are implemented [ISO 27001:2022 · A.5.22]
- Supplier IS incident notification requirements defined in contracts with response SLAs [ISO 27001:2022 · A.5.22]
- Sub-contractor and fourth-party risk managed — flow-down clauses in supplier contracts [ISO 27001:2022 · A.5.21]
- Data destruction / return obligations on contract termination documented and enforceable [ISO 27001:2022 · A.5.20]
- Supplier off-boarding process revokes all access and recovers all assets on termination [ISO 27001:2022 · A.5.22]
Annexe A.5.19–5.22 of ISO/IEC 27001:2022 transformed supplier risk from a side activity into a core ISMS obligation. Your supplier chain is now part of your attack surface, and the auditor will test whether you treat it that way.
The most common failure is an asymmetry between onboarding and lifecycle. Suppliers get assessed at onboarding and then forgotten — until they suffer a breach or contract renewal comes round. Under A.5.22, ongoing monitoring is mandatory, not optional.
Fourth-party risk — your supplier’s suppliers — is also increasingly probed. Flow-down clauses and sub-contractor approval processes are expected at Stage 2.
- IS in project management — IS requirements formally identified in project initiation documents [ISO 27001:2022 · A.5.8]
- IS risk assessment conducted at project kick-off and reviewed at each major phase gate [ISO 27001:2022 · A.5.8]
- Data classification applied to all project deliverables, shared documents, and communications [ISO 27001:2022 · A.5.12]
- Project stakeholder and external participant register maintained with access rights documented [ISO 27001:2022 · A.5.8]
- NDAs / confidentiality agreements executed for all external project participants before access [ISO 27001:2022 · A.6.6]
- Project communication channels approved and access restricted to authorised participants [ISO 27001:2022 · A.5.14]
- Shared project collaboration tools (SharePoint, Teams, cloud drives) access-controlled and reviewed [ISO 27001:2022 · A.8.1]
- Change management process includes IS impact assessment for every significant project change [ISO 27001:2022 · A.8.32]
- IS acceptance criteria defined for project deliverables before go-live or handover [ISO 27001:2022 · A.8.29]
- Project closure procedure revokes external party access and recovers project assets [ISO 27001:2022 · A.5.8]
- Project documentation retention and secure deletion policy applied post-project completion [ISO 27001:2022 · A.5.33]
- IS incidents arising from project activity documented and reported to the ISMS owner [ISO 27001:2022 · A.5.8]
- Third-party project consultants and integrators assessed for IS posture before engagement [ISO 27001:2022 · A.5.19]
- Project reports and meeting notes containing confidential data handled under classification policy [ISO 27001:2022 · A.5.13]
- IS compliance checkpoint embedded in project methodology — evidenced in project records [ISO 27001:2022 · A.5.8]
- Post-project IS review conducted — lessons learned captured for ISMS continual improvement [ISO 27001:2022 · A.10.1]
Annexe A.5.8 — Information security in project management — is one of the easiest controls to underestimate and one of the easiest for auditors to test. They will pick a recent project, walk from initiation to closure, and look for IS at every gate.
Projects are the main way new risk enters an organisation: new systems, new suppliers, new data flows, new people with access. An ISMS that controls the steady state perfectly but ignores projects creates a permanent exception-shaped hole in its own scope.
Change management (A.8.32) runs in parallel: any significant project change needs an IS impact assessment. This should be a pipeline step, not an afterthought.