
    ISO 27001 & ISO 22301 Blog

    Which questions will the ISO 27001 certification auditor ask?

    If you are going to go through an ISO 27001 certification audit in your company, you have surely wondered: what will the auditor ask me? And you know what? The auditor has a question of his own, too: what kind of answers will I receive?

    Most auditors do not work from a fixed checklist of questions, because each company is a different world, so they improvise. The work of an auditor consists of reviewing documentation, asking questions, and always looking for evidence. The ISO 27001 standard sets a series of requirements that the company needs to comply with. To check compliance with the standard, the auditor has to examine procedures, records, policies, and people. Regarding the people, he will conduct interviews to make sure the system is actually implemented in the organization.

    To understand how auditors think, this article might be interesting for you: Infographic: The brain of an ISO auditor – What to expect at a certification audit.

    Mandatory documentation

    The auditor will first check all the documentation that exists in the system (normally this takes place during the Stage 1 audit), asking for the existence of every document required by the standard. In the case of security controls, he will use the Statement of Applicability (SoA) as a guide: it tells him which controls the company has declared applicable and therefore which ones he must find evidence for. If you want to know which documents are mandatory, you can consult this article: List of mandatory documents required by ISO 27001 (2013 revision).

    In addition to the mandatory documents, the auditor will also review any document the company has developed to support the implementation of the system or of specific controls, for example a project plan, a network diagram, the list of documentation, etc.


    After checking which documents exist in the system, the next step is to verify that everything that is written corresponds to reality (normally this takes place during the Stage 2 audit).

    For example, imagine that the company has defined that the Information Security Policy is to be reviewed annually. What question will the auditor ask in this case? I am sure you can guess: “Have you reviewed the policy this year?” And the answer will probably be yes. But the auditor cannot trust what he does not see; therefore, he needs evidence. Such evidence could include records, meeting minutes, a document version history, etc. The next question will be: “Can you show me the record where I can see the date on which the policy was reviewed?”

    Regarding security controls, he will likewise seek evidence that they are implemented, although in this case the records can be logs, files in the system, network diagrams, platform configurations, agreements with suppliers or customers, applicable legislation, etc.


    At this point the auditor knows which documents the company uses, so he needs to check whether people are familiar with them and use them while performing their daily activities, i.e., check that the ISMS is actually working in the company.

    Therefore, perhaps one of the most important aspects of any ISO implementation, not only ISO 27001, is the awareness of the staff. Thus, the auditor will conduct interviews with staff members to learn their degree of knowledge of, at least, the most important documents that apply to them: the Security Policy, confidentiality clauses, acceptable use of assets, the Access Control Policy, etc.

    An example of questions in an interview could be as follows:

    • “Do you have access to the internal rules of the organization in relation to information security?”
    • “Can you show me some of the related policies?”
    • “Could you tell me which points of the policy you consider most important?”

    ISO 27001 certification – Questions the auditor will likely ask

    On the other hand, the auditor can also interview those responsible for processes, physical areas, and departments, to get their perception of how the standard is implemented in the company. In these interviews, the questions will be aimed above all at becoming familiar with the functions and roles those people have in the system, and at confirming that they comply with the implemented controls.

    How you need to prepare yourself

    In short, an auditor may request:

    • Documents required by the ISO 27001 standard and any document that exists in the ISMS
    • Records to check compliance with the documents (policies, procedures, etc.)
    • Interviews with personnel of the company

    Therefore, if you want to be well prepared for the questions an auditor may ask, first check that you have all the required documents, then check that the company actually does everything those documents say and that you can prove it through records. Finally, it is very important that people know the documents that apply to them. In other words, make sure your company has really implemented the standard and adopted it in its daily operations; this will be impossible if your documentation was created only to satisfy the certification audit.

    To see how to implement ISO 27001 through a step-by-step wizard, and eliminate most of the manual work through automation, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer and holds many professional certifications in the IT sector. He is also an IRCA-registered ISO 27001 Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, the United Kingdom, the USA, Chile, Peru, and Costa Rica.