Understanding Audit Finding Types

Before diving into specific findings, understand the severity levels auditors use:

  • Major Nonconformity: Absence or complete breakdown of a required system element. Must be resolved before certification can be granted.
  • Minor Nonconformity: Single instance of non-compliance that doesn't indicate systemic failure. Certificate can be issued with an accepted corrective action plan.
  • Observation/Opportunity for Improvement (OFI): Area that could be enhanced but is not a conformity issue. No action required.

Auditor Perspective

Auditors don't want to find major nonconformities any more than you want to receive them. They're looking for evidence of a functioning ISMS, not perfection. Most findings are avoidable with proper preparation.

Risk Assessment Findings

Risk assessment is the heart of ISO 27001, and it's where many organizations struggle.

Finding #1: Incomplete or Superficial Risk Assessment

What auditors see: Risk assessments that are clearly copy-pasted from templates, don't reflect the organization's actual environment, or only cover a handful of generic risks.

Why it happens: Organizations treat risk assessment as a checkbox exercise rather than a genuine security tool.

How to avoid:

  • Conduct proper asset identification first
  • Involve people who understand your actual operations
  • Identify specific, realistic scenarios - not generic "data breach" risks
  • Update risk assessments regularly, not just at audit time

Finding #2: No Clear Risk Methodology

What auditors see: No documented methodology, or a methodology that isn't consistently applied.

Why it happens: Organizations jump into risk identification without first defining how they'll assess risks.

How to avoid:

  • Document your methodology before starting assessments
  • Define likelihood and impact scales with clear criteria
  • Establish risk acceptance thresholds
  • Train assessors on the methodology

Finding #3: Risk Treatment Disconnected from Controls

What auditors see: Identified risks but no clear link to the controls selected to treat them.

Why it happens: Organizations implement controls based on best practice or templates without linking back to their specific risks.

How to avoid:

  • For each risk requiring treatment, document which controls address it
  • Ensure your Statement of Applicability (SoA) shows which risks each included control treats
  • Be able to explain why each control was selected

Documentation Findings

Documentation issues are among the most common and easily preventable findings.

Finding #4: Outdated or Unapproved Documents

What auditors see: Policies from years ago that haven't been reviewed, documents without approval signatures, or procedures that don't reflect current practice.

Why it happens: Documents created for initial certification are never updated.

How to avoid:

  • Implement document control with version tracking
  • Schedule annual document reviews
  • Ensure all documents show approval authority
  • Update documents when processes change

Finding #5: Procedures Don't Match Reality

What auditors see: A documented procedure that staff don't follow, or practices that aren't documented at all.

Why it happens: Documentation created without involving the people who do the work, or processes evolved without updating documentation.

How to avoid:

  • Involve process owners when writing procedures
  • Validate procedures with the people who execute them
  • Update documentation when processes change
  • Pre-audit: walk through procedures with staff to verify accuracy

Finding #6: Missing Required Records

What auditors see: Claims of activities (training, reviews, approvals) without evidence.

Why it happens: Activities happen but aren't recorded, or records aren't retained.

How to avoid:

  • Know what records are required by the standard
  • Build record generation into processes
  • Define retention requirements
  • Store records in accessible, organized locations

Operational Control Findings

Finding #7: Access Reviews Not Performed

What auditors see: No evidence of periodic access reviews, or reviews that are clearly just rubber-stamped.

Why it happens: Access reviews are time-consuming and often deprioritized.

How to avoid:

  • Schedule access reviews (typical cadences: quarterly for privileged access, annually for standard access; the standard requires regular intervals but does not prescribe them)
  • Document actual review decisions, not just approvals
  • Record any access removed as a result of reviews
  • Use tooling to automate where possible
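
The following is an added example, not part of the original article, showing what "document actual review decisions" looks like when the review is tooled. It takes a constructed access export (fictitious users, systems and dates), works out which grants are due this cycle using the page's quarterly/annual cadences, proposes a decision per grant, and then records the reviewer's own decisions, including any override of the proposal and the list of access actually removed. The dormancy threshold and the review date are assumptions for the example.

```python
from datetime import date

# Review cadence from the article: privileged access quarterly, standard access
# annually. The dormancy threshold is an assumption for this example.
REVIEW_INTERVAL_DAYS = {True: 90, False: 365}
DORMANT_DAYS = 90

# Constructed review date used by the example.
TODAY = date(2024, 6, 1)

# Constructed access export: users, systems and dates are fictitious.
ACCESS_EXPORT = [
    {"user": "alice", "system": "prod-db", "role": "dba",
     "privileged": True, "last_login": "2024-05-20", "employed": True},
    {"user": "bob", "system": "crm", "role": "sales",
     "privileged": False, "last_login": "2024-01-02", "employed": True},
    {"user": "carol", "system": "prod-db", "role": "readonly",
     "privileged": False, "last_login": "2024-05-30", "employed": False},
    {"user": "dave", "system": "ci", "role": "admin",
     "privileged": True, "last_login": "2023-11-10", "employed": True},
]

# Constructed record of when each (user, system) grant was last reviewed.
LAST_REVIEWED = {
    ("alice", "prod-db"): date(2024, 1, 15),
    ("bob", "crm"): date(2023, 9, 1),
    ("carol", "prod-db"): date(2024, 4, 1),
    ("dave", "ci"): date(2024, 2, 1),
}


def recommend(entry, today):
    """Propose a decision for one grant. The reviewer confirms or overrides it;
    the proposal is never written down as the decision by itself."""
    if not entry["employed"]:
        return "revoke", "account holder no longer employed"
    idle_days = (today - date.fromisoformat(entry["last_login"])).days
    if idle_days > DORMANT_DAYS:
        return "revoke", f"no login for {idle_days} days"
    return "retain", "active within the dormancy threshold"


def build_worksheet(export, last_reviewed, today):
    """Grants due for review this cycle, each carrying a recommendation.
    Leavers are always included, whatever the cycle says."""
    items = []
    for entry in export:
        key = (entry["user"], entry["system"])
        interval = REVIEW_INTERVAL_DAYS[entry["privileged"]]
        reviewed = last_reviewed.get(key)
        due = reviewed is None or (today - reviewed).days >= interval
        if not due and entry["employed"]:
            continue
        recommendation, reason = recommend(entry, today)
        items.append({**entry, "recommended": recommendation,
                      "recommendation_reason": reason})
    return items


def record_decisions(items, decisions, reviewer, today):
    """Apply the reviewer's decisions and produce the evidence an auditor asks
    for: who reviewed which grant, what was decided and why, where the reviewer
    overrode the tool, and what was actually removed (the input to the
    deprovisioning ticket). `decisions` maps (user, system) -> (decision, comment)."""
    record = {"review_date": today.isoformat(), "reviewer": reviewer,
              "reviewed": [], "removed": [], "overrides": []}
    for item in items:
        key = (item["user"], item["system"])
        decision, comment = decisions[key]  # KeyError means a grant went unreviewed
        if decision not in ("retain", "revoke"):
            raise ValueError(f"invalid decision {decision!r} for {key}")
        record["reviewed"].append({**item, "decision": decision,
                                   "decision_comment": comment})
        if decision != item["recommended"]:
            record["overrides"].append({"user": item["user"], "system": item["system"],
                                        "recommended": item["recommended"],
                                        "decision": decision, "comment": comment})
        if decision == "revoke":
            record["removed"].append({"user": item["user"], "system": item["system"],
                                      "role": item["role"]})
    return record
```

In the constructed data, alice is due for her quarterly privileged review, carol has left and is pulled in off-cycle, dave is due and looks dormant, and bob's annual review is not yet due. A rubber-stamped review would approve all four; the record this produces shows a reviewer who kept dave's access with a written justification and removed carol's.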

Finding #8: Supplier Security Not Managed

What auditors see: No assessment of supplier security, or contracts without security clauses.

Why it happens: Suppliers are seen as procurement's responsibility, not security's.

How to avoid:

  • Maintain inventory of suppliers with access to your data/systems
  • Include security requirements in contracts
  • Assess critical suppliers' security posture
  • Monitor supplier security performance

Finding #9: Incident Management Gaps

What auditors see: No incident records, or incidents without documented resolution and lessons learned.

Why it happens: Incidents are resolved but not formally tracked, or organizations hide incidents thinking it looks bad.

How to avoid:

  • Log all security events and incidents
  • Document investigation and resolution
  • Perform root cause analysis
  • Track lessons learned and improvements
  • Remember: a populated incident register is evidence that detection works; an empty one invites the question of whether anything is being detected at all

Management System Findings

Finding #10: Internal Audit Not Independent or Competent

What auditors see: Internal audits performed by people who audit their own work, or auditors without training.

Why it happens: Small teams have limited people, or internal audit is seen as a formality.

How to avoid:

  • Ensure auditor independence (don't audit your own work)
  • Train internal auditors (ISO 27001 Lead Auditor course recommended)
  • Use external auditors if independence is impossible internally
  • Document auditor competence

Finding #11: Management Review Incomplete

What auditors see: Management reviews that don't cover all required inputs, or no evidence of decisions and actions.

Why it happens: Management review treated as a quick sign-off rather than genuine oversight.

How to avoid:

  • Use a checklist covering all required inputs
  • Document actual discussion and decisions
  • Record assigned actions with owners and deadlines
  • Track action completion

Finding #12: Objectives Not Measurable or Monitored

What auditors see: Vague objectives like "improve security" with no metrics, or objectives that are never measured.

Why it happens: Objectives created at initial implementation and forgotten.

How to avoid:

  • Set SMART objectives (Specific, Measurable, Achievable, Relevant, Time-bound)
  • Define how each objective will be measured
  • Report on objective progress at management review
  • Update objectives when achieved or no longer relevant

Technical Control Findings

Finding #13: Vulnerability Management Gaps

What auditors see: Known vulnerabilities not patched, no regular scanning, or no defined remediation timelines.

Why it happens: Patching is disruptive and deprioritized; no formal process.

How to avoid:

  • Implement regular vulnerability scanning
  • Define remediation timelines based on severity
  • Track patching compliance
  • Document exceptions with risk acceptance
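
The following is an added example, not part of the original article, showing how the four points above fit together as a tracking report: remediation due dates derived from a per-severity SLA table, a compliance figure for management review, and exceptions that only count when they name the finding and host, record an approver and rationale, and have not expired. The SLA values, hosts and finding identifiers are constructed placeholders for the example, not real vulnerability identifiers.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed remediation timelines by severity. ISO 27001 does not dictate these;
# your vulnerability management policy does.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan results: hosts and finding ids are fictitious placeholders.
FINDINGS = [
    {"id": "F-101", "host": "web-01", "severity": "critical",
     "first_seen": "2024-05-20", "fixed": None},
    {"id": "F-102", "host": "web-01", "severity": "high",
     "first_seen": "2024-04-15", "fixed": "2024-05-10"},
    {"id": "F-103", "host": "db-01", "severity": "high",
     "first_seen": "2024-04-01", "fixed": None},
    {"id": "F-104", "host": "legacy-01", "severity": "medium",
     "first_seen": "2024-01-10", "fixed": None},
    {"id": "F-105", "host": "db-01", "severity": "low",
     "first_seen": "2024-05-01", "fixed": None},
]

# Constructed risk-acceptance register. An open-ended "we know about it" is not
# risk acceptance: an entry must be approved, justified and time-bound.
EXCEPTIONS = [
    {"finding_id": "F-104", "host": "legacy-01", "approved_by": "CISO",
     "approved_on": "2024-01-20", "expires": "2024-07-20",
     "rationale": "vendor end-of-life; host isolated in its own VLAN"},
]


def active_exception(finding, exceptions, today):
    """The exception covering this finding on this host, if one is valid today."""
    for exc in exceptions:
        if (exc["finding_id"], exc["host"]) != (finding["id"], finding["host"]):
            continue
        if not exc.get("approved_by") or not exc.get("rationale"):
            continue
        approved = date.fromisoformat(exc["approved_on"])
        expires = date.fromisoformat(exc["expires"])
        if approved <= today < expires:
            return exc
    return None


def classify(finding, exceptions, today):
    """Return (status, reference_date): the SLA due date, or the exception expiry."""
    due = date.fromisoformat(finding["first_seen"]) + timedelta(days=SLA_DAYS[finding["severity"]])
    if finding["fixed"]:
        fixed = date.fromisoformat(finding["fixed"])
        return ("fixed_in_sla" if fixed <= due else "fixed_late"), due
    exc = active_exception(finding, exceptions, today)
    if exc:
        return "accepted", date.fromisoformat(exc["expires"])
    return ("overdue" if today > due else "open"), due


def compliance_report(findings, exceptions, today):
    """Per-finding status plus the headline number for management review: the
    share of in-scope findings that were fixed on time or are still within SLA.
    Accepted risks are excluded from the denominator, which is exactly why an
    exception must expire and be re-approved rather than live forever."""
    rows = []
    for f in findings:
        status, ref = classify(f, exceptions, today)
        rows.append({**f, "status": status, "due_or_expiry": ref.isoformat(),
                     "days_overdue": (today - ref).days if status == "overdue" else 0})
    counts = Counter(r["status"] for r in rows)
    in_scope = len(rows) - counts["accepted"]
    compliant = counts["fixed_in_sla"] + counts["open"]
    return {
        "as_of": today.isoformat(),
        "rows": rows,
        "counts": dict(counts),
        "compliance_pct": round(100 * compliant / in_scope, 1) if in_scope else 100.0,
        "overdue": [r["id"] for r in rows if r["status"] == "overdue"],
    }


def report_for(as_of_iso):
    """Convenience entry point: report on the constructed data as of a date."""
    return compliance_report(FINDINGS, EXCEPTIONS, date.fromisoformat(as_of_iso))
```

Run against the constructed data as of 2024-06-01, the critical finding on web-01 is already overdue after a week, the high on db-01 is a month late, and the legacy host is correctly excluded under its accepted risk. Re-run the same data as of 2024-08-01 and the expired exception drops the legacy host straight into the overdue list, which is the behaviour an auditor looks for when asking how exceptions are kept under control.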

Finding #14: Backup Not Tested

What auditors see: Backups exist but have never been tested for restoration.

Why it happens: "We run backups" is assumed to mean they work.

How to avoid:

  • Test backup restoration regularly (at least annually)
  • Document test results
  • Verify that restoration meets your recovery time objective (RTO) and recovery point objective (RPO)
  • Address any issues found during testing
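
The following is an added example, not part of the original article, of a restore test that produces the record auditors ask for rather than a "backups ran" log line. It builds a constructed backup archive from sample files, restores it to a scratch directory, hashes every restored file against the manifest taken at backup time, times the restore against an assumed RTO, compares the backup's age against an assumed RPO, and returns a pass/fail record. The `corrupt` switch alters a file after the manifest is taken, so the example also shows the case where the backup exists but would not actually recover the data. The RTO/RPO values, file names and contents are assumptions for the example.

```python
import hashlib
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed recovery objectives for the example; take yours from the business
# impact analysis, not from here.
RTO = timedelta(hours=4)
RPO = timedelta(hours=24)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_fixture(workdir, corrupt=False):
    """Create constructed sample data, record its manifest, then archive it.
    With corrupt=True a file is altered after hashing, so the archive no
    longer matches the manifest: the failure the restore test must catch."""
    src = workdir / "data"
    (src / "config").mkdir(parents=True)
    (src / "customers.csv").write_text("id,name\n1,constructed-sample\n")
    (src / "config" / "app.yaml").write_text("retention_days: 365\n")
    manifest = manifest_of(src)
    if corrupt:
        (src / "customers.csv").write_text("id,name\n1,trunc")
    archive = workdir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    return archive, manifest


def restore_and_verify(archive, manifest, backup_taken_at, now):
    """Restore to a scratch directory, hash every file, and judge the result
    against the manifest and the RTO/RPO. Returns the record to file as evidence."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" extraction filter (Python 3.12+, backported to maintained
            # 3.8-3.11 releases) rejects absolute paths, ".." traversal and device
            # nodes inside the archive, so a tampered backup cannot write outside scratch.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = manifest_of(Path(scratch) / "data")
    elapsed = timedelta(seconds=time.monotonic() - started)

    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    age = now - backup_taken_at
    result = {
        "tested_at": now.isoformat(),
        "archive": str(archive),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "corrupted": corrupted,
        "restore_seconds": round(elapsed.total_seconds(), 3),
        "rto_met": elapsed <= RTO,
        "backup_age_hours": round(age.total_seconds() / 3600, 2),
        "rpo_met": age <= RPO,
    }
    result["passed"] = not missing and not corrupted and result["rto_met"] and result["rpo_met"]
    return result


def run_restore_test(corrupt=False, backup_age_hours=1):
    """End to end: build the constructed backup, restore it, return the record."""
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as work:
        archive, manifest = build_fixture(Path(work), corrupt=corrupt)
        return restore_and_verify(archive, manifest, now - timedelta(hours=backup_age_hours), now)


if __name__ == "__main__":
    import json
    print(json.dumps(run_restore_test(), indent=2))
```

Three outcomes matter to the auditor and all three are captured in the returned record: a clean restore that meets both objectives, a restore that completes but yields corrupted or missing files, and a restore of a backup too old to satisfy the RPO. Filing the JSON from each scheduled run is the "document test results" evidence; filing the follow-up ticket for any failed run is the "address any issues found" evidence.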

Finding #15: Logging and Monitoring Inadequate

What auditors see: No centralized logging, logs not reviewed, or insufficient retention.

Why it happens: Logging is seen as storage cost; review requires effort.

How to avoid:

  • Implement centralized log management
  • Define what events to log (authentication, changes, access)
  • Set retention periods per requirements
  • Review logs regularly or implement alerting
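
The following is an added example, not part of the original article, that puts "define what events to log" and "implement alerting" into running code. It parses constructed sshd- and sudo-style lines (fictitious host and users; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges) into typed events, checks that every event type the logging policy requires actually appears (a source that goes silent is usually a broken forwarder, not a quiet system), and runs one detection rule: repeated authentication failures from a single source inside a window, escalated when that source then logs in successfully. The log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO timestamps, sshd/sudo style messages. Host, users
# and addresses are fictitious (documentation ranges).
SAMPLE_LOG = """\
2024-06-01T02:00:01Z bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-06-01T02:00:09Z bastion sshd[2103]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2024-06-01T02:00:15Z bastion sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
2024-06-01T02:01:02Z bastion sshd[2110]: Failed password for deploy from 203.0.113.7 port 51260 ssh2
2024-06-01T02:01:30Z bastion sshd[2112]: Failed password for deploy from 203.0.113.7 port 51266 ssh2
2024-06-01T02:04:10Z bastion sshd[2190]: Accepted password for deploy from 203.0.113.7 port 51302 ssh2
2024-06-01T02:05:00Z bastion sshd[2200]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
2024-06-01T02:06:00Z bastion sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-06-01T03:00:00Z bastion sshd[2300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Event types the (assumed) logging policy says must be present: authentication
# outcomes and privileged commands, matching the categories the article lists.
REQUIRED_EVENT_TYPES = {"auth_success", "auth_failure", "privileged_command"}

WINDOW = timedelta(minutes=10)   # assumed detection window
THRESHOLD = 5                    # assumed failures per source per window


def parse(text):
    """Turn raw lines into typed events; lines that match no pattern are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        msg = m["msg"]
        if m["prog"] == "sshd":
            if (f := FAIL_RE.search(msg)):
                events.append({"ts": ts, "type": "auth_failure", "user": f["user"], "src": f["src"]})
            elif (o := OK_RE.search(msg)):
                events.append({"ts": ts, "type": "auth_success", "user": o["user"], "src": o["src"]})
        elif m["prog"] == "sudo" and (s := SUDO_RE.match(msg)):
            events.append({"ts": ts, "type": "privileged_command", "user": s["user"],
                           "target": s["target"], "cmd": s["cmd"]})
    return events


def coverage_gaps(events, required=REQUIRED_EVENT_TYPES):
    """Required event types that never appear in the reviewed period."""
    seen = {e["type"] for e in events}
    return sorted(required - seen)


def detect_brute_force(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one source produces >= threshold failures inside the window;
    escalate to high severity if that source then authenticates successfully
    before the window closes."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["type"] in ("auth_failure", "auth_success"):
            by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["type"] == "auth_failure"]
        for i in range(len(fails)):
            window_end = fails[i]["ts"] + window
            burst = [f for f in fails[i:] if f["ts"] <= window_end]
            if len(burst) < threshold:
                continue
            success = next((e for e in evs if e["type"] == "auth_success"
                            and burst[-1]["ts"] < e["ts"] <= window_end), None)
            alerts.append({
                "rule": "brute_force_success" if success else "brute_force",
                "severity": "high" if success else "medium",
                "src": src,
                "failures": len(burst),
                "first": burst[0]["ts"].isoformat(),
                "last": burst[-1]["ts"].isoformat(),
                "users": sorted({f["user"] for f in burst}),
                "compromised_user": success["user"] if success else None,
            })
            break  # one alert per source per burst
    return alerts
```

On the constructed lines, 203.0.113.7 fails five times in ninety seconds across four usernames and then logs in as `deploy`, which produces a single high-severity alert naming that account; the lone failure from 198.51.100.9 stays below threshold. If the sudo line were missing from the feed, `coverage_gaps` would report `privileged_command`, which is the kind of gap a log review should surface long before an auditor asks for evidence of privileged-command logging.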

Prevention Strategies

Before the Audit

  • Internal Audit: Conduct a thorough internal audit at least 1 month before the certification audit, leaving time to close what it finds
  • Pre-Audit Review: Walk through your evidence with fresh eyes
  • Staff Preparation: Brief staff who may be interviewed on what to expect
  • Document Check: Verify all documents are current and approved
  • Evidence Organization: Organize evidence so it's quickly accessible

During the Audit

  • Be Honest: Don't try to hide problems - auditors will find them
  • Answer What's Asked: Don't volunteer extra information
  • Show Evidence: Auditors need to see evidence, not just hear claims
  • Ask for Clarification: If you don't understand a question, ask
  • Take Notes: Record what auditors ask and observe

The best audit preparation is a well-functioning ISMS that operates throughout the year - not just a last-minute scramble before the auditor arrives. If your ISMS is genuinely implemented, audits become a validation exercise rather than a stressful event.