I was on a Podcast for Auditors!
What Will the Auditor Look For?
When I got into GRC almost ten years ago, Advisera’s free resources were some of the first things I studied. ISO 27001 guides, templates, articles — I probably read their website in my first week at work.
So when Dejan Kosutic, Advisera’s CEO, reached out to have me on his Secure & Simple Podcast, it genuinely felt surreal. A no-brainer to say yes, but still surreal.
We talked about something I get asked about constantly: what auditors are actually looking for in an ISO 27001 certification audit.
One thing I emphasized that I think surprises people — auditors don’t care about your documentation nearly as much as you think. What we’re really assessing is whether things are actually being done. A beautifully written procedure that nobody follows is a nonconformity waiting to happen. Execution beats paperwork, every time.
We also covered:
How auditors gather objective evidence (and what that actually means in practice)
How to challenge a finding you disagree with
The difference between certifying a management system and certifying your security posture — these are not the same thing
If you’re preparing for a certification audit, or just want to understand what happens on the other side of the table, I think you’ll get something useful out of this one.
From ZERO to AUDIT-READY in 12 Steps
If you are responsible for an ISO 27001 implementation project, you are fighting a battle against the clock.
The standard tells you WHAT must be done, but it leaves the HOW entirely to your imagination.
This leaves you staring at a blank map, forced to build an ISMS from scratch while the deadline approaches.
Our ISO 27001 Lead Implementer Framework gives you the Roadmap, Project Plan, Templates and Training to be audit-ready in months, not years.