Why your ISO 27001 audit should not be your first real ISMS review
Certification audits reveal problems that were visible months earlier. Here is what auditors find, why teams miss it, and how to run your own review before the stakes get high.
By Kellwick Team · July 1, 2026 · 3 min read
Most teams meet their ISMS twice: once when they build it, and once when an auditor takes it apart. Everything in between - operating the system day to day - is where certifications are actually won or lost.
If the audit is the first time anyone looks at your ISMS critically, you are not walking into a review. You are walking into a discovery process, with a stranger holding the flashlight.
The problem starts months before the audit
An ISO 27001 audit does not test whether your documentation exists. It tests whether your management system operates. The difference shows up in questions like:
- When was your risk register last updated - and did anything change because of it?
- Who reviewed supplier risk this year, and where is the record?
- Your policy says access reviews happen quarterly. Show me Q2.
- Management review happened - what was decided, and who owns the follow-up?
None of these can be fixed the week before the audit. Access reviews that did not happen in Q2 cannot be conjured in Q4. Evidence has timestamps.
What auditors find fast
Experienced auditors go straight for the seams between documentation and operation:
- A risk register frozen at certification. Same risks, same scores, no treatment progress. It signals the register is a document, not a tool.
- A Statement of Applicability that does not match reality. Controls marked implemented that nobody can demonstrate, or justifications copied from a template.
- Policies without owners. When a control has no named owner, evidence is nobody's job - and it shows.
- Management review minutes with no decisions. A meeting happened; management did not actually review anything.
- Internal audits that were rushed or not independent. One afternoon, done by the person who built the ISMS, finding nothing.
Each of these is visible in an internal review. Each becomes a nonconformity when an external auditor finds it first.
Why internal teams miss it
Not because they are careless - because they are close to it. The person who wrote the risk register reads it as they intended it, not as it stands. The team that "does access reviews in Slack" knows they happen; they do not notice that no exportable record exists.
There is also an incentive problem: the person maintaining the ISMS is rarely rewarded for reporting that it is weak. So the honest look keeps getting deferred until an auditor forces it.
What a real pre-audit review looks like
A genuine readiness review is not a documentation checklist. It follows the same trail an auditor will:
- Scope sanity. Does the ISMS scope match how the product and company actually operate today?
- Risk register quality. Are risks current, specific, owned - and connected to treatment decisions?
- SoA against reality. For each applicable control: can someone demonstrate it, and does evidence exist?
- Evidence sampling. Pick controls at random and pull the records. Access reviews, supplier assessments, incident logs, change approvals.
- The management loop. Internal audit → findings → management review → decisions → corrective actions. Is the loop actually closed?
If that review happens 90 days before the audit, everything it finds is fixable. If it happens during the audit, everything it finds is a finding.
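The ownership and evidence-sampling checks above are mechanical enough to run in-house on a schedule. The following is an added example, not Kellwick's tooling and not part of the original post: the control ids, cadences and dates are constructed, and the only assumption is that the SoA and evidence log can be exported as rows with a control id, an owner, a promised cadence and a record timestamp. It reports every applicable control that has no named owner or a promised review period with no dated record.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Control:
    control_id: str        # constructed placeholder ids, not Annex A references
    applicable: bool       # marked applicable in the SoA
    owner: str | None      # named owner, or None
    cadence_months: int    # how often the policy promises a record (3 = quarterly)

def periods(year: int, cadence_months: int) -> list[tuple[date, date]]:
    """Half-open [start, end) review periods the policy promises for one year."""
    out, m = [], 1
    while m <= 12:
        end_m = m + cadence_months   # first month after this period
        end = date(year + 1, 1, 1) if end_m > 12 else date(year, end_m, 1)
        out.append((date(year, m, 1), end))
        m = end_m
    return out

def review(controls: list[Control], evidence: list[tuple[str, date]], year: int) -> dict[str, list[str]]:
    """Findings per applicable control: missing owner, periods with no dated record."""
    dates: dict[str, list[date]] = {}
    for control_id, recorded_on in evidence:   # evidence = (control_id, record timestamp)
        dates.setdefault(control_id, []).append(recorded_on)
    findings: dict[str, list[str]] = {}
    for c in controls:
        if not c.applicable:
            continue                           # excluded in the SoA; nothing to evidence
        notes = []
        if not c.owner:
            notes.append("no named owner")
        for start, end in periods(year, c.cadence_months):
            if not any(start <= d < end for d in dates.get(c.control_id, [])):
                notes.append(f"no evidence for {start:%Y-%m-%d} to {end - timedelta(days=1):%Y-%m-%d}")
        if notes:
            findings[c.control_id] = notes
    return findings

# Constructed sample SoA and evidence log for 2025; not from any real ISMS.
SAMPLE_CONTROLS = [
    Control("ACCESS-REVIEW", True, "it-ops", 3),   # policy says quarterly
    Control("SUPPLIER-RISK", True, None, 12),      # annual, and nobody owns it
    Control("OUT-OF-SCOPE", False, None, 3),       # justified as not applicable
]
SAMPLE_EVIDENCE = [
    ("ACCESS-REVIEW", date(2025, 2, 14)),          # Q1
    ("ACCESS-REVIEW", date(2025, 8, 3)),           # Q3: Q2 was skipped
    ("ACCESS-REVIEW", date(2025, 11, 20)),         # Q4
]
```

Run against the sample data it reports the skipped Q2 access review and the unowned, unevidenced supplier control, which is exactly the "show me Q2" gap that cannot be closed in Q4.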
The commercial angle
A failed or rough audit is not just a compliance event. It can delay enterprise deals waiting on your certificate, extend sales cycles, and force expensive remediation under time pressure. Enterprise security teams also ask for more than the certificate - recent audit results, risk process, incident history. Weak readiness leaks into every one of those conversations.
Do the review before it counts against you
The audit will happen either way. The only question is whether its findings surprise you.
Run an honest internal review - or bring in someone independent to run it - while there is still time to act on what it finds. That is the entire logic of a readiness review: same questions, same evidence trail, but on your calendar instead of the auditor's.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.