How to Prepare for an ISO 27001 Audit
Preparing for your first ISO 27001 audit can feel overwhelming, especially for NGOs and professional services firms that are new to formal information security management systems. The good news is that with proper preparation, the audit process becomes much more manageable — and you’ll likely discover valuable improvements to your security posture along the way.
Start with Your Documentation
Your Information Security Management System (ISMS) documentation is the foundation of your audit. Ensure your policies, procedures, and risk assessments are current and accurately reflect how your organisation actually operates. Auditors pay close attention to the gap between what’s written and what’s practiced, so avoid the temptation to create idealised documentation that doesn’t match reality.
Focus particularly on your Statement of Applicability (SOA) and risk treatment plan. These documents should clearly demonstrate how you’ve assessed your specific risks and chosen appropriate controls. For many New Zealand organisations, this includes considerations around remote work arrangements, cloud services, and compliance with the Privacy Act 2020.
Conduct Internal Audits First
Running internal audits before your certification audit is crucial. These help identify gaps in your implementation and give your team practice explaining your processes. Consider engaging someone external to conduct these internal audits — fresh eyes often spot issues that internal teams miss.
Document any non-conformities you find and demonstrate how you’ve addressed them. This proactive approach shows auditors that your ISMS is genuinely functioning as intended, not just existing on paper.
Prepare Your People
Your staff are your best advocates during an audit. Ensure team members understand their roles in information security and can explain the procedures they follow. Auditors often ask random staff members about security practices, so widespread awareness is essential.
Create a simple briefing document outlining key points about your ISMS, including where to find important policies and who to contact with questions. This helps everyone feel confident when speaking with auditors.
Gather Evidence of Continuous Improvement
ISO 27001 emphasises continuous improvement, so prepare examples of how your ISMS has evolved since implementation. This might include updated risk assessments following new technology deployments, enhanced incident response procedures, or improved security awareness training based on staff feedback.
Maintain logs of security activities such as access reviews, vulnerability assessments, and management reviews. These demonstrate that your ISMS is actively managed rather than simply maintained.
Plan for Practical Logistics
Coordinate with your auditor well in advance regarding their requirements. Ensure key personnel are available during the audit period and prepare a quiet space where auditors can work without interruption. Have both digital and physical records readily accessible — nothing slows an audit quite like hunting for missing documentation.
Remember that CERT NZ provides excellent guidance on information security frameworks that complement ISO 27001 requirements, particularly for organisations handling sensitive information.
The key to a successful audit is treating it as an opportunity to validate and improve your security practices, rather than something to simply endure. With thorough preparation, you’ll find the process valuable for strengthening your organisation’s security posture.
If you’d like to chat about preparing for your ISO 27001 audit or need support with your ISMS implementation, our team is always happy to help.
Chris Drowley
General Manager, Resolve Technology
Outside the office, Chris runs a highly organised empire of model trains — where the schedules are always on time, unlike the real thing.
