An ISO 27001 audit is a systematic assessment of your information security management system by an independent auditor. During the audit, the auditor checks that your organisation meets the requirements of the ISO 27001 standard and that your security measures are actually working. The process consists of several phases: preparation, documentation review, on-site audit and reporting.
What is an ISO 27001 audit and why is it performed?
An ISO 27001 audit is an independent assessment in which a certified auditor checks whether your information security management system (ISMS) complies with the international standard ISO 27001. The audit tests both the documentation and practical implementation of security measures within your organisation.
Organisations undergo this audit for various reasons. Certification shows that you structurally protect information and manage risks. For many companies, ISO 27001 certification is a requirement from tenders or cooperation agreements with customers who have high security requirements.
There are two main types of audits: internal audits that you conduct yourself to check the system, and external audits by accredited bodies for official certification. External audits are independent and objective, making them more valuable for compliance and stakeholder trust-building.
The audit contributes to better information security by exposing weaknesses and identifying opportunities for improvement. This helps organisations strengthen their digital resilience and comply with legal obligations such as the AVG (the Dutch implementation of the GDPR).
What stages does an ISO 27001 audit go through from start to finish?
An ISO 27001 audit consists of several consecutive phases that together take about 6-12 weeks, depending on the size of your organisation. The process starts with preparation and ends with certificate issuance after a positive assessment.
The preparation phase takes 2-4 weeks. In it, the auditor plans the audit, studies your documentation and agrees the scope. You will receive an audit plan with dates, time schedule and required documents.
During the documentation review (1-2 weeks), the auditor reviews your ISMS documentation for completeness and compliance. This is often done remotely. Any shortcomings are reported so you can complete them.
The on-site audit takes place at your location and lasts 1-3 days. The auditor conducts interviews, checks processes, tests systems and collects evidence. This phase is the heart of the audit, testing practical operation.
The on-site audit is followed by reporting and assessment (1-2 weeks). You will receive an audit report with findings and any non-conformities. If the outcome is positive, the certificate is issued; otherwise you are given time for corrective action.
How do you prepare your organisation for an ISO 27001 audit?
Good preparation largely determines the success of your ISO 27001 audit. Begin an internal audit 4-6 weeks before the audit to check that all documents are complete and processes are functioning correctly. Make sure your ISMS is fully implemented and employees know their tasks.
Ensure complete documentation: policies, procedures, risk analysis, Statement of Applicability (SoA) and evidence of implementation. Check that all documents are up to date and correspond to practice. List changes since the previous audit.
Prepare your staff by informing them about the audit process. They should be able to explain their tasks within the ISMS and know where to find relevant documents. Organise a short session on what they can expect during interviews.
Common pitfalls include incomplete documentation, differences between policy and practice, and insufficient evidence of effectiveness. Avoid these by conducting an internal pre-audit in which you take a critical look at your own system.
Create a practical checklist: check access rights, backup procedures, incident logs, training records and supplier contracts. Make sure systems are available for demonstration and that key people can be present during the audit.
What does the auditor expect during the on-site audit days?
During the on-site audit, the auditor performs several activities to assess whether your ISMS is working effectively. The auditor usually starts with an opening meeting to go over the programme and align expectations. This is followed by interviews, document checks and system testing over 1-3 days.
Interviews with employees form an important part. The auditor speaks to different roles: management, IT administrators, users and security officers. They ask about roles, responsibilities and how security procedures work in practice.
During the document review, auditors examine policies, procedures, logs and records. They check whether documentation is up to date, followed in practice and proven effective. They also assess the quality of your risk analysis and whether the chosen measures are appropriate.
System tests and observations show how security measures actually work. The auditor may ask to demonstrate access rights, show backup procedures or walk through incident response. They observe work processes to see if employees follow procedures.
The auditor collects objective evidence and notes findings during the process. At the end of each day, they discuss preliminary conclusions. The audit ends with a closing meeting where key findings are presented before the final report.
What happens after the audit and how do you achieve certification?
After the on-site audit, you will receive a detailed audit report with all findings, ratings and recommendations within 1-2 weeks. In case of a positive assessment with no major non-conformities, your certificate will be issued. In case of non-conformities, you get the chance to take corrective action before certification takes place.
The audit report contains different types of findings: strengths, areas for improvement and possible non-conformities. Major non-conformities must be resolved before certification is possible. Minor non-conformities can be addressed after certification within an agreed timeframe.
For corrective measures, you usually have 30-90 days. You must demonstrate that the cause has been eliminated and measures are effective. The auditor will assess your response and may ask for additional evidence or conduct a limited re-audit.
An ISO 27001 certificate is valid for three years. Control audits take place annually to check that the system is still compliant. Recertification is required after three years, during which the entire ISMS is reassessed.
Maintaining certification requires continuous work: regular internal audits, management reviews, tracking changes and improving the system. This ensures that your information security stays current and adds value to your organisation.
Want to know more about the complete ISO 27001 certification process, or do you have questions about how we can help you? If so, please contact us for a no-obligation discussion about your specific situation.
Frequently Asked Questions
What does an ISO 27001 audit cost and what factors determine the price?
The cost of an ISO 27001 audit ranges between €5,000 and €25,000, depending on organisation size, complexity and scope. Larger companies with multiple sites pay more because of longer audit days and more extensive documentation review.
How long does it take to receive ISO 27001 certification after a successful audit?
After a positive audit, you will usually receive the ISO 27001 certificate within 2-4 weeks. The certification body needs time for administrative processing and quality control of the audit report before official issuance.
What happens if your organisation fails the ISO 27001 audit?
If you fail, you get 30-90 days to resolve non-conformities through corrective actions. The auditor will assess your improvements and may conduct a limited re-audit before certification is granted.
Why are annual surveillance audits necessary and what is checked?
Annual surveillance audits check whether your ISMS is still functioning effectively and meeting ISO 27001 requirements. The auditor assesses changes, new risks, incident handling and the operation of improvement measures since the previous audit.