Common Audit Findings

Learn from the most common ISO 27018 audit findings to avoid these pitfalls in your own certification journey.

Top 10 Most Common Findings

1. Inadequate Consent Management

Finding: "Organization lacks explicit consent mechanism for marketing communications. Terms of Service implies consent rather than obtaining explicit opt-in."

Why It Happens:

Existing systems predate privacy requirements
Consent bundled with terms acceptance
Pre-checked consent boxes
No consent records maintained

How to Fix:

Implement consent management system
Separate consent from terms acceptance
Un-check boxes by default
Maintain timestamped consent records
Provide easy withdrawal method

Prevention:

Regular consent process audits
User journey review for consent points
Consent database verification

2. Incomplete Data Processing Register

Finding: "Data processing register (ROPA) missing key information including data retention periods, legal basis, and sub-processor details."

Why It Happens:

Register created as one-time exercise
Not maintained as systems change
Lack of ownership
No regular review process

How to Fix:

Assign ROPA owner
Complete all required fields
Document all processing activities
Include all PII categories
Specify retention periods and legal basis

Prevention:

Quarterly ROPA reviews
Change management integration
New system/process checklist includes ROPA update

3. Missing Sub-processor Notifications

Finding: "Organization engaged new sub-processor without 30-day advance notice to customers. No customer objection process in place."

Why It Happens:

Procurement acts independently
No privacy review in vendor onboarding
Urgency overrides process
Unclear what constitutes "sub-processor"

How to Fix:

Establish vendor approval workflow
Require privacy team sign-off
Implement 30-day notification process
Create objection handling procedure

Prevention:

Integrate privacy into procurement
Sub-processor checklist for all vendors
Automated notification system

4. Inadequate Audit Logging

Finding: "Audit logs do not capture all PII access. Logs retained only 30 days, insufficient for compliance purposes."

Why It Happens:

Default logging settings
Storage cost concerns
Don't know what to log
Retention not considered

How to Fix:

Configure comprehensive logging
Log all PII access (read, write, delete)
Extend retention to 12 months minimum
Implement log aggregation
Secure logs against tampering

Prevention:

Logging requirements in development standards
Regular log review
Storage capacity planning

5. Weak Data Deletion Procedures

Finding: "Organization lacks documented and verified data deletion process. Backups not included in deletion. No deletion certificates provided."

Why It Happens:

Deletion is manual and inconsistent
Backups overlooked
No verification process
Assumes deletion = compliance

How to Fix:

Document deletion procedure
Automate deletion where possible
Include all storage locations (primary, replicas, backups)
Implement deletion verification
Generate deletion certificates

Prevention:

Test deletion procedure quarterly
Include deletion in data lifecycle policy
Regular backup audits

6. Insufficient MFA for PII Access

Finding: "Multi-factor authentication not required for personnel accessing sensitive PII. Single-factor (password only) authentication in use."

Why It Happens:

User convenience prioritized
Legacy systems
Gradual rollout incomplete
Exceptions not managed

How to Fix:

Implement MFA for all PII access
No exceptions for convenience
Use modern MFA (authenticator apps, hardware tokens)
Enforce at system level, not policy only

Prevention:

MFA requirement in access control policy
Regular access control audits
Conditional access policies

7. Inadequate Training Records

Finding: "Privacy and security training not documented. No evidence of annual refresher training. New employee training inconsistent."

Why It Happens:

Informal training
Training happens but not documented
No tracking system
Turnover in HR/training team

How to Fix:

Implement learning management system (LMS)
Document all training sessions
Require sign-in sheets or digital acknowledgments
Schedule annual refresher training
Track completion rates

Prevention:

Automated training reminders
New hire onboarding checklist
Annual compliance training requirement

8. Data Subject Rights Process Gaps

Finding: "Organization cannot demonstrate 30-day response time for data subject access requests. No tracking system for requests."

Why It Happens:

Requests handled ad-hoc
No centralized tracking
Manual, time-consuming process
Unclear ownership

How to Fix:

Implement DSAR tracking system
Assign clear ownership
Automate data retrieval where possible
Document standard procedures
Monitor SLA compliance

Prevention:

Dedicated DSAR management tool
Regular process testing
Quarterly SLA reporting

9. Undocumented Cross-Border Transfers

Finding: "Organization transfers PII to multiple countries without Transfer Impact Assessments. No Standard Contractual Clauses in place."

Why It Happens:

Cloud infrastructure spans regions
Sub-processors in multiple countries
Transfers not recognized as "international"
Complexity of transfer mechanisms

How to Fix:

Inventory all cross-border transfers
Conduct Transfer Impact Assessments
Implement appropriate transfer mechanisms (SCCs)
Document all transfers
Obtain customer approval

Prevention:

Transfer register maintenance
Vendor onboarding includes transfer assessment
Annual transfer review

10. Incomplete Incident Response Testing

Finding: "Incident response plan exists but has not been tested. No documented evidence of drills or tabletop exercises."

Why It Happens:

Plan created to check compliance box
"Too busy" to test
Fear of exposing weaknesses
No testing requirement understood

How to Fix:

Schedule annual incident response test
Conduct tabletop exercises
Document lessons learned
Update plan based on findings
Include breach notification in test

Prevention:

Quarterly tabletop exercises
Annual full-scale drill
Integrate testing into calendar

Findings by Category

Documentation Findings

Common Issues:

Policies outdated or unsigned
Procedures not detailed enough
Version control missing
Conflicting information between documents
No document review dates

Best Practices:

Document management system
Annual review cycle
Version control
Approval workflows
Consistent templates

Technical Findings

Common Issues:

Weak encryption (< AES-256)
TLS < 1.2
Unencrypted databases
Missing encryption key rotation
Inadequate access controls
Weak passwords accepted
No session timeouts

Best Practices:

Security configuration baselines
Automated compliance scanning
Regular security assessments
Security architecture review

Process Findings

Common Issues:

Procedures documented but not followed
Manual processes prone to error
Inconsistent execution
No process ownership
Lack of monitoring

Best Practices:

Process automation
Regular process audits
Clear ownership assignment
Process metrics and KPIs
Continuous improvement

Records Findings

Common Issues:

Insufficient record retention
Records not readily accessible
Incomplete records
No audit trail
Records not protected

Best Practices:

Centralized record system
Automated record generation
Regular record audits
Clear retention schedule
Secure storage

Severity of Findings

Major Non-Conformity

Definition: Absence or complete breakdown of required control

Examples:

No encryption for PII at rest
No access controls on PII databases
No data subject rights process
No privacy policy
No incident response capability

Impact: May prevent certification

Resolution: Must be corrected before certification issued

Minor Non-Conformity

Definition: Partial implementation of required control

Examples:

Incomplete audit logging
Some staff not trained
Documentation gaps
Process not fully consistent
Some records missing

Impact: Won't prevent certification

Resolution: Must be corrected within 90 days

Observation

Definition: Potential issue or improvement opportunity

Examples:

Manual processes that could be automated
Documentation could be clearer
Process efficiency improvements
Best practice suggestions

Impact: None on certification

Resolution: Consider for continuous improvement

Industry-Specific Findings

SaaS Companies

Common Issues:

Multi-tenancy data isolation not clearly documented
Customer data not segregated
Shared infrastructure concerns
API security gaps

Solutions:

Clear tenant isolation architecture
Per-customer encryption keys
API rate limiting and authentication
Regular penetration testing

Cloud Infrastructure Providers

Common Issues:

Physical access to data centers
Hardware disposal procedures
Hypervisor security
Customer data separation

Solutions:

Documented physical security controls
Certified data destruction procedures
Regular infrastructure audits
Clear responsibility matrix (IaaS model)

Marketplace/Platform Companies

Common Issues:

Third-party seller data handling
Unclear data controller/processor roles
Marketplace privacy policies
Seller compliance verification

Solutions:

Clear terms for sellers
Seller privacy requirements
Regular seller audits
Platform-level controls

How Auditors Find Issues

Document Review

Auditors read policies and procedures looking for:

Completeness
Currency
Consistency
Alignment with requirements

Interviews

Auditors ask staff to:

Explain procedures
Walk through processes
Demonstrate knowledge
Show where information is located

Technical Verification

Auditors check:

System configurations
Security controls
Access logs
Encryption in action

Sampling

Auditors select random samples of:

Training records
Incident reports
DSAR responses
Consent records
Audit logs

Responding to Findings

During Audit

When auditor identifies issue:

Listen carefully - Understand the finding
Take notes - Document what was said
Don't argue - Stay professional
Ask clarifying questions - Ensure understanding
Acknowledge - Accept valid findings
Provide context - Explain circumstances if relevant (but don't make excuses)

After Audit

For each finding:

Root Cause Analysis - Why did this happen?
Corrective Action - Fix the specific issue
Preventive Action - Prevent recurrence
Verification - Prove it's fixed
Documentation - Record everything

Corrective Action Plan Template

Finding ID: NC-001
Finding: Inadequate audit logging retention

ROOT CAUSE ANALYSIS:
- Default database configuration (30-day retention)
- No requirement specified in original system design
- Cost optimization prioritized over compliance
- Lack of awareness of ISO 27018 requirements

CORRECTIVE ACTION:
- Extend audit log retention to 12 months
- Migrate logs to long-term storage solution
- Update logging policy to specify 12-month minimum
- Verify log completeness for past 30 days

PREVENTIVE ACTION:
- Include logging requirements in system design standards
- Add log retention to compliance checklist
- Quarterly log retention audits
- Training for developers on logging requirements

TIMELINE:
- Immediate: Stop log deletion
- Week 1: Implement long-term storage
- Week 2: Update documentation
- Week 3: Train staff
- Week 4: Verification and evidence submission

RESPONSIBLE: IT Security Manager

EVIDENCE:
- Updated logging configuration
- Log retention verification
- Updated policy document
- Training attendance records
- Screenshot of current log retention

STATUS: Completed
VERIFIED BY: Auditor
DATE CLOSED: [Date]

Prevention Strategies

Proactive Measures

1. Regular Internal Audits

Quarterly sampling
Different area each quarter
Independent auditors
Findings tracked

2. Continuous Monitoring

Automated compliance checks
Security scanning
Log analysis
Metrics and dashboards

3. Change Management

Privacy impact assessment for changes
Compliance verification before deployment
Documentation updates
Communication to affected parties

4. Training and Awareness

Role-specific training
Annual refreshers
New hire onboarding
Regular communications

5. Management Commitment

Regular reviews
Resource allocation
Clear accountability
Culture of compliance

Next Lesson: Compliance Checklist**

A comprehensive checklist to verify readiness for certification and ongoing compliance.