In This Article
- The most common ISO 27001 audit findings relate to risk assessment methodology, access control, and change management
- Incomplete or untested business continuity plans are a frequent finding area
- Auditors specifically check for evidence of management review inputs covering all required items
- Internal audit programs that do not cover all ISMS processes/controls are a recurring nonconformity
- Root cause analysis failures — fixing symptoms rather than underlying causes — are consistently flagged
Understanding Audit Finding Types
Before diving into specific findings, understand the severity levels auditors use:
- Major Nonconformity: Absence or complete breakdown of a required system element. Must be resolved before certification can be granted.
- Minor Nonconformity: Single instance of non-compliance that doesn't indicate systemic failure. Certificate can be issued with an accepted corrective action plan.
- Observation/Opportunity for Improvement (OFI): Area that could be enhanced but is not a conformity issue. No action required.
Auditors don't want to find major nonconformities any more than you want to receive them. They're looking for evidence of a functioning ISMS, not perfection. Most findings are avoidable with proper preparation.
Risk Assessment Findings
Risk assessment is the heart of ISO 27001, and it's where many organizations struggle.
Finding #1: Incomplete or Superficial Risk Assessment
What auditors see: Risk assessments that are clearly copy-pasted from templates, don't reflect the organization's actual environment, or only cover a handful of generic risks.
Why it happens: Organizations treat risk assessment as a checkbox exercise rather than a genuine security tool.
How to avoid:
- Conduct proper asset identification first
- Involve people who understand your actual operations
- Identify specific, realistic scenarios - not generic "data breach" risks
- Update risk assessments regularly, not just at audit time
Finding #2: No Clear Risk Methodology
What auditors see: No documented methodology, or a methodology that isn't consistently applied.
Why it happens: Organizations jump into risk identification without first defining how they'll assess risks.
How to avoid:
- Document your methodology before starting assessments
- Define likelihood and impact scales with clear criteria
- Establish risk acceptance thresholds
- Train assessors on the methodology
Finding #3: Risk Treatment Disconnected from Controls
What auditors see: Identified risks but no clear link to the controls selected to treat them.
Why it happens: Organizations implement controls based on best practice or templates without linking back to their specific risks.
How to avoid:
- For each risk requiring treatment, document which controls address it
- Ensure your SoA shows the risk-control relationship
- Be able to explain why each control was selected
Documentation Findings
Documentation issues are among the most common and easily preventable findings.
Finding #4: Outdated or Unapproved Documents
What auditors see: Policies from years ago that haven't been reviewed, documents without approval signatures, or procedures that don't reflect current practice.
Why it happens: Documents created for initial certification are never updated.
How to avoid:
- Implement document control with version tracking
- Schedule annual document reviews
- Ensure all documents show approval authority
- Update documents when processes change
Finding #5: Procedures Don't Match Reality
What auditors see: A documented procedure that staff don't follow, or practices that aren't documented at all.
Why it happens: Documentation created without involving the people who do the work, or processes evolved without updating documentation.
How to avoid:
- Involve process owners when writing procedures
- Validate procedures with the people who execute them
- Update documentation when processes change
- Pre-audit: walk through procedures with staff to verify accuracy
Finding #6: Missing Required Records
What auditors see: Claims of activities (training, reviews, approvals) without evidence.
Why it happens: Activities happen but aren't recorded, or records aren't retained.
How to avoid:
- Know what records are required by the standard
- Build record generation into processes
- Define retention requirements
- Store records in accessible, organized locations
Operational Control Findings
Finding #7: Access Reviews Not Performed
What auditors see: No evidence of periodic access reviews, or reviews that are clearly just rubber-stamped.
Why it happens: Access reviews are time-consuming and often deprioritized.
How to avoid:
- Schedule access reviews (quarterly for privileged, annually for standard)
- Document actual review decisions, not just approvals
- Record any access removed as a result of reviews
- Use tooling to automate where possible
Finding #8: Supplier Security Not Managed
What auditors see: No assessment of supplier security, or contracts without security clauses.
Why it happens: Suppliers are seen as procurement's responsibility, not security's.
How to avoid:
- Maintain an inventory of suppliers with access to your data/systems
- Include security requirements in contracts
- Assess critical suppliers' security posture
- Monitor supplier security performance
Finding #9: Incident Management Gaps
What auditors see: No incident records, or incidents without documented resolution and lessons learned.
Why it happens: Incidents are resolved but not formally tracked, or organizations hide incidents thinking it looks bad.
How to avoid:
- Log all security events and incidents
- Document investigation and resolution
- Perform root cause analysis
- Track lessons learned and improvements
- Remember: having incidents shows your detection works
Management System Findings
Finding #10: Internal Audit Not Independent or Competent
What auditors see: Internal audits performed by people who audit their own work, or auditors without training.
Why it happens: Small teams have limited people, or internal audit is seen as a formality.
How to avoid:
- Ensure auditor independence (don't audit your own work)
- Train internal auditors (ISO 27001 Lead Auditor course recommended)
- Use external auditors if independence is impossible internally
- Document auditor competence
Finding #11: Management Review Incomplete
What auditors see: Management reviews that don't cover all required inputs, or no evidence of decisions and actions.
Why it happens: Management review treated as a quick sign-off rather than genuine oversight.
How to avoid:
- Use a checklist covering all required inputs
- Document actual discussion and decisions
- Record assigned actions with owners and deadlines
- Track action completion
Finding #12: Objectives Not Measurable or Monitored
What auditors see: Vague objectives like "improve security" with no metrics, or objectives that are never measured.
Why it happens: Objectives created at initial implementation and forgotten.
How to avoid:
- Set SMART objectives (Specific, Measurable, Achievable, Relevant, Time-bound)
- Define how each objective will be measured
- Report on objective progress at management review
- Update objectives when achieved or no longer relevant
Technical Control Findings
Finding #13: Vulnerability Management Gaps
What auditors see: Known vulnerabilities not patched, no regular scanning, or no defined remediation timelines.
Why it happens: Patching is disruptive and gets deprioritized, and there is no formal process behind it.
How to avoid:
- Implement regular vulnerability scanning
- Define remediation timelines based on severity
- Track patching compliance
- Document exceptions with risk acceptance
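The severity-based timelines, compliance tracking and documented exceptions above can be turned into the kind of evidence an auditor asks for. The script below is an added example, not from the original article; the remediation timelines, the findings and the exceptions are constructed assumptions.

```python
"""Patch-SLA compliance check (added example; data and timelines are assumed)."""
from datetime import date, timedelta

# Assumed remediation timelines in days from detection, per severity.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings: id, severity, detection date, optional fix date.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "detected": date(2024, 5, 20), "fixed": date(2024, 5, 25)},
    {"id": "V-2", "severity": "high", "detected": date(2024, 4, 1), "fixed": None},
    {"id": "V-3", "severity": "medium", "detected": date(2024, 4, 15), "fixed": None},
    {"id": "V-4", "severity": "low", "detected": date(2024, 1, 1), "fixed": date(2024, 5, 30)},
    {"id": "V-5", "severity": "high", "detected": date(2024, 3, 1), "fixed": None},
    {"id": "V-6", "severity": "critical", "detected": date(2024, 5, 1), "fixed": date(2024, 5, 20)},
]
# Constructed risk acceptances: an exception only counts while it is unexpired.
EXCEPTIONS = {
    "V-2": {"owner": "CISO", "expires": date(2024, 5, 15)},   # lapsed
    "V-5": {"owner": "CISO", "expires": date(2024, 9, 30)},   # still valid
}


def due_date(finding):
    """Deadline derived from detection date and severity timeline."""
    return finding["detected"] + timedelta(days=REMEDIATION_DAYS[finding["severity"]])


def finding_status(finding, exceptions, today):
    """Classify one finding for the compliance record."""
    deadline = due_date(finding)
    if finding["fixed"] is not None:
        return "remediated" if finding["fixed"] <= deadline else "remediated-late"
    exc = exceptions.get(finding["id"])
    if exc and exc["expires"] >= today:
        return "excepted"  # documented, unexpired risk acceptance
    return "overdue" if today > deadline else "open"


def compliance_report(findings, exceptions, today):
    """Return (status counts, overdue ids, percent of findings within SLA)."""
    counts, overdue = {}, []
    for f in findings:
        status = finding_status(f, exceptions, today)
        counts[status] = counts.get(status, 0) + 1
        if status == "overdue":
            overdue.append(f["id"])
    in_sla = sum(counts.get(s, 0) for s in ("remediated", "open", "excepted"))
    pct = round(100 * in_sla / len(findings), 1) if findings else 100.0
    return counts, overdue, pct


if __name__ == "__main__":
    print(compliance_report(FINDINGS, EXCEPTIONS, date(2024, 6, 1)))
```

Late fixes and lapsed exceptions both count against the SLA figure, which is what separates a tracked process from "we patch when we can".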
Finding #14: Backup Not Tested
What auditors see: Backups exist but have never been tested for restoration.
Why it happens: "We run backups" is assumed to mean they work.
How to avoid:
- Test backup restoration regularly (at least annually)
- Document test results
- Verify restoration meets RTO/RPO requirements
- Address any issues found during testing
Finding #15: Logging and Monitoring Inadequate
What auditors see: No centralized logging, logs not reviewed, or insufficient retention.
Why it happens: Logging is seen as a storage cost, and reviewing logs requires effort.
How to avoid:
- Implement centralized log management
- Define what events to log (authentication, changes, access)
- Set retention periods per requirements
- Review logs regularly or implement alerting
Prevention Strategies
Before the Audit
- Internal Audit: Conduct a thorough internal audit at least 1 month before the certification audit
- Pre-Audit Review: Walk through your evidence with fresh eyes
- Staff Preparation: Brief staff who may be interviewed on what to expect
- Document Check: Verify all documents are current and approved
- Evidence Organization: Organize evidence so it's quickly accessible
During the Audit
- Be Honest: Don't try to hide problems - auditors will find them
- Answer What's Asked: Don't volunteer extra information
- Show Evidence: Auditors need to see evidence, not just hear claims
- Ask for Clarification: If you don't understand a question, ask
- Take Notes: Record what auditors ask and observe
The best audit preparation is a well-functioning ISMS that operates throughout the year - not just a last-minute scramble before the auditor arrives. If your ISMS is genuinely implemented, audits become a validation exercise rather than a stressful event.
Frequently Asked Questions
What is the most common ISO 27001 audit finding?
The most common finding is an incomplete risk assessment — either missing assets, threats, or vulnerabilities, or not updating the risk assessment after significant changes to the organization or its environment.
How many findings are normal in an ISO 27001 audit?
2-5 minor nonconformities are typical for an initial certification audit. Zero major nonconformities is expected for a well-prepared organization. Some observations (OFIs) are also normal.
What is the difference between a major and minor nonconformity?
A major nonconformity is a systematic failure or complete absence of a required process — certification cannot be granted until resolved. A minor nonconformity is an isolated lapse that does not undermine the overall ISMS effectiveness.
What happens if I get a major nonconformity?
Certification cannot be granted until the major nonconformity is resolved and verified by the auditor. This typically requires a follow-up audit, which may delay your certification by weeks or months.
How can I prevent common ISO 27001 audit findings?
Conduct thorough internal audits, ensure management reviews cover all required inputs, maintain evidence of all operational controls, test your business continuity plan, and keep documentation current and approved.