The Real Talk on ISO 27001 Audits: 10 Mistakes We’ve All Made

Let’s be honest—ISO 27001 audits can be nerve-wracking. I’ve been there, frantically printing policies the night before an auditor arrives, wondering if we’ve covered all our bases. Whether you’re facing your first certification or your fifth surveillance audit, we all make mistakes. The good news? You’re not alone, and most audit hiccups are completely avoidable.

After years in the trenches helping companies through these audits (and making plenty of mistakes myself), I’ve compiled this real-world guide. So grab your coffee, and let’s talk about what NOT to do when the auditor comes knocking.

1. Treating Security Like Spring Cleaning

We’ve all been guilty of this one. The audit’s coming up, so everyone scrambles to update documentation that hasn’t been touched since… well, the last audit. Sound familiar?

Here’s the truth: Your Information Security Management System (ISMS) isn’t a once-a-year spring cleaning event. It’s more like your daily fitness routine—skip it for too long, and things get messy fast.

The human approach: Make security part of your team’s regular rhythm. Even a 15-minute monthly check-in beats a panicked week of preparation. One client of mine started “Security Fridays”—a quick end-of-week review that turned their ISMS from paperwork into practice.

2. Playing “Copy & Paste” with Risk Assessments

I remember watching a client proudly hand over their risk assessment to an auditor. The only problem? It still had another company’s name in some places. Ouch.

Risk assessments aren’t one-size-fits-all. That template you downloaded might check a box, but it won’t actually protect your business—and auditors can spot a generic assessment from a mile away.

The human approach: Think about what keeps you up at night about your business. Is it the third-party vendor with access to customer data? The outdated server running critical applications? That’s where your real risk assessment begins.

3. Getting Fuzzy with Boundaries

“So is your cloud environment in scope or not?” If this question makes you break into a cold sweat, you’ve got a scope problem.

Drawing clear ISMS boundaries is like telling friends which rooms they can hang out in when they visit your house. Without clear boundaries, you’ll either try to boil the ocean (exhausting!) or leave critical areas exposed.

The human approach: Grab a whiteboard and literally draw your scope. Include physical locations, digital environments, and who’s responsible for what. One of my clients created a simple visual map that became their go-to reference—much clearer than pages of text.

4. Playing “Where’s Waldo?” with Documents

“I know it’s here somewhere…” is not what you want to be saying when an auditor asks for your incident response procedure. Yet so many of us end up in exactly this document treasure hunt during audits.

The human approach: Think of your document system like your kitchen—everything should have a logical place. I worked with a startup that color-coded their ISMS documents and trained everyone using that simple visual system. When audit time came, even non-security folks could find what they needed.

5. Thinking Tech Alone Will Save You

I’ve seen companies spend fortunes on security tools, then fail audits spectacularly. Why? Because they thought buying expensive tech meant they could skip the human work.

It’s like buying a fancy gym membership but never creating a workout routine. The equipment alone won’t get you in shape.

The human approach: For every security tool, ask: “Who owns this? What process supports it? How do we know it’s working?” A client of mine created simple one-page “tool cards” answering these questions for each security technology—auditors loved it.

6. Keeping Security in the IT Corner

“Security is IT’s problem” is perhaps the most dangerous phrase in business today. I’ve watched executives send junior IT staff to represent the company’s security posture to auditors—talk about setting yourself up for failure!

The human approach: Security needs champions at every level. One organization I worked with had their CEO kick off every ISO 27001 meeting—even briefly—just to signal its importance. The message was clear: this matters to everyone.

7. Checking the Box on Internal Audits

Let’s be real—internal audits often feel like busywork. I’ve seen teams rush through them the week before the external audit, pencil-whipping findings and calling it done.

That’s like cramming the night before a big exam. It might get you through, but you won’t retain anything.

The human approach: Think of internal audits as dress rehearsals, not checkbox exercises. One company I advised treated their internal audit like a real event—complete with a different office space for the “auditor” and formal interviews. When the real audit came, everyone felt prepared rather than panicked.

8. Assuming “Sent = Trained”

“But I emailed the policy to everyone!” isn’t going to impress your auditor when staff can’t explain basic security practices. Training isn’t about documentation—it’s about changing behavior.

The human approach: Make training stick with stories, not slides. One of my favorite clients created security “scenarios” based on real incidents and discussed them in team meetings. People remembered these stories long after they’d forgotten policy numbers.

9. The “We Fixed It” Myth

We’ve all been there—finding the same issues popping up again and again despite supposedly being “fixed.” Auditors notice these patterns immediately.

The human approach: Treat every finding like a detective case. What really caused this? One organization I worked with started using the “5 Whys” technique for every security incident—asking “why” five times to get to the root cause. Their recurrence rate plummeted.

10. Playing Defense with Auditors

I’ve watched teams treat auditors like the enemy, hiding information and answering questions as vaguely as possible. Spoiler alert: this approach backfires spectacularly.

The human approach: Your auditor isn’t your enemy—they’re more like a personal trainer pushing you to improve. One security director I know started every audit by asking the auditor, “Where have you seen companies like ours struggle?” The insights gained were invaluable.

The Bottom Line: It’s About Progress, Not Perfection

Here’s my most human advice after years in this field: audits aren’t about being perfect. They’re about showing you’re serious about improvement.

I’ve seen companies with fancy documentation fail because they couldn’t demonstrate real security practices. And I’ve seen companies with simpler systems pass with flying colors because they could show how security actually worked in their daily operations.

Remember—behind all the standards and controls, information security is fundamentally about people protecting people. Keep that human element front and center, and you’ll not only pass your audit—you’ll actually build a safer organization.

So which of these mistakes hit close to home for you? We’ve all made them—the difference is whether we learn from them.