Top 5 ISO 27001 Pitfalls That Fail Surveillance Audits

I've conducted ISO 27001 audits for decades. These five gaps account for 70% of surveillance non-conformities I write.

Pitfall 1: Risk Treatment Plans That Become Shelf-ware

What I Find: Treatment actions months overdue with zero progress. Risk owners unaware of their responsibilities. No evidence of implementation, configs, procedures, or records.

What I Check: Completion evidence for due actions, updated residual risk levels, regular review in ISMS meetings, accountability for overdue items.

Fix: Integrate treatment tracking into monthly meetings. Define "done" with specific evidence requirements. Update residual risk levels after implementation.

Red Flag: Can't show completion evidence for 80% of treatments due in past 12 months = major non-conformity.

Pitfall 2: SoA Claims That Don't Match Reality

What I Find: Controls marked "implemented" with no supporting evidence. Generic descriptions that don't reflect actual environment. Exclusions that don't hold up under scrutiny.

What I Check: Evidence matches claims, implementation descriptions are specific and verifiable, exclusions justified with evidence, SoA reflects current scope.

Fix: Be honest during creation and mark controls "not implemented" with treatment plans rather than claiming false implementation. Use precise descriptions referencing specific procedures and tools.

Red Flag: Sample six controls, find two mismatches = non-conformity against Clause 6.1.3(c).

Pitfall 3: Internal Audits That Never Find Problems

What I Find: Zero non-conformities across multiple audits. Generic checklists with yes/no questions. Auditors asking "do you follow the procedure?" instead of testing effectiveness.

What I Check: Audit scope covers full ISMS over time, reports identify real findings, auditors test effectiveness (not just document existence), corrective actions address root causes with verified effectiveness.

Fix: Train auditors on sampling techniques. Rotate auditors across departments for independence. Expect findings. They should find problems before I do.

Red Flag: Three clean internal audits = I'll re-audit the same areas and write non-conformities for what your auditors missed.

Pitfall 4: Management Reviews That Are Passive Briefings

What I Find: Minutes showing "CISO presented, management acknowledged." No decisions, no resource allocations, no analysis of trends. Same template every time.

What I Check: Coverage of all Clause 9.3 mandatory inputs, evidence of explicit decisions, analysis (not just data), assigned actions with accountability, follow-up from previous reviews.

Fix: Use Clause 9.3 as agenda template. Present proposals requiring approval, not just status. Record decisions explicitly. Assign actions with owners and deadlines.

Red Flag: Three reviews without at least two explicit decisions each = non-conformity against Clause 9.3.

Pitfall 5: ISMS Documentation Describing a Company That No Longer Exists

What I Find: Scope excludes new offices or cloud migrations. Asset inventory lists decommissioned servers. Risk assessment doesn't cover new technologies. Departed CISO still listed as accountable.

What I Check: Current scope statement, asset inventory matching reality, risk assessment covering current context, documentation reflecting current organization, process linking changes to ISMS review.

Fix: Integrate the ISMS into change management and require a security impact assessment for system deployments, acquisitions, and new offices. Review documentation quarterly, not annually.

Red Flag: Three significant changes in past 12 months not reflected in ISMS = major non-conformity against Clause 4.4.

Pre-Surveillance Checklist (90 Days Before Audit)

Verify completion evidence for all risk treatments due in past 12 months

Test 10 SoA controls. Can you produce evidence in 24 hours?

Review last 3 internal audits. Did they find meaningful issues?

Count management decisions in last 3 reviews. Do you have at least 2 per review?

Compare ISMS docs to current reality. Do the scope, assets, risks, and org structure match what actually exists?

Certification audits check your documentation. Surveillance audits check whether you're actually operating what you documented.

Make it real before I arrive.
