ISO Auditor FAQ
Everything you need to know about ISO certification auditors, from choosing one to surviving the audit.
Frequently Asked Questions
What's the difference between an auditor and a consultant?
A consultant helps you prepare for certification but cannot issue it. An auditor independently assesses your ISMS and issues the official certification. To maintain impartiality, the same organization typically cannot do both.
How do I choose a certification body?
Look for accredited certification bodies (check UKAS, ANAB, or your local accreditation body). Consider their experience in your industry, auditor availability, cost, and reputation. Ask for references from similar-sized companies.
What happens during a Stage 1 audit?
Stage 1 is a documentation review. The auditor checks if your ISMS documentation meets ISO requirements, reviews your scope, and identifies any major gaps. It's usually done remotely and takes 1-2 days.
What happens during a Stage 2 audit?
Stage 2 is the main assessment where auditors verify your ISMS is implemented and effective. They interview staff, review evidence, check processes, and test controls. This is on-site (or hybrid) and takes 2-5 days depending on scope.
How long between Stage 1 and Stage 2?
Typically 1-3 months. Stage 1 identifies gaps you need to fix before Stage 2. You need enough time to address findings but not so long that your documentation becomes outdated (usually max 6 months).
What are 'nonconformities' and how bad are they?
Nonconformities are gaps between your ISMS and ISO requirements. Major nonconformities must be fixed before certification (e.g., missing required policy). Minor nonconformities can be fixed after certification within a timeframe. Observations are improvement suggestions, not requirements.
Can I fail an ISO audit?
Yes, if you have major nonconformities that aren't addressed. However, most auditors work with you to identify issues early. A good Stage 1 audit helps prevent Stage 2 failures. Focus on fixing major findings promptly.
What evidence do auditors want to see?
Auditors look for: documented policies and procedures, records showing implementation (e.g., access reviews, training records), risk assessments and treatment plans, internal audit results, management review minutes, and incident records.
How should I prepare my team for auditor interviews?
Train staff on: what the ISMS is, their role in security, key policies that affect them, who to escalate security issues to. Practice with mock interviews. Tell them to answer honestly—if they don't know something, it's okay to say so and offer to find out.
What happens after we're certified?
You'll receive annual surveillance audits (smaller scope) and full recertification every 3 years. You must maintain your ISMS continuously—certification can be suspended or withdrawn if you fall out of compliance.
How much do auditors cost?
Audit costs vary widely: $15,000-$45,000 for initial certification (Stage 1+2) depending on company size and scope. Surveillance audits are $5,000-$15,000 annually. Get quotes from multiple certification bodies.
Can I use a remote/virtual audit?
Post-pandemic, hybrid audits are common. Stage 1 is often fully remote. Stage 2 may be hybrid—some activities remote, some on-site. Fully remote Stage 2 is possible for smaller scopes but auditors may require some on-site presence.
Audit Survival Tips
Before the Audit
- Conduct a thorough internal audit 4-6 weeks before
- Fix all major nonconformities from internal audit
- Ensure all documentation is current and accessible
- Prepare evidence packages organized by control
- Brief staff on audit process and their role
During the Audit
- Have a dedicated escort/guide for auditors
- Answer questions concisely—don't over-explain
- If you don't know, say so and offer to find out
- Take notes on all findings and observations
- Stay calm—auditors want you to succeed
After the Audit
- Review findings report carefully
- Create action plan for nonconformities
- Submit evidence of corrections promptly
- Celebrate your certification!
- Plan for continuous improvement
Common Audit Mistakes
1. Over-documenting: Quality over quantity. Auditors prefer concise, accurate docs over lengthy policies no one reads.
2. Policies don't match practice: Document what you actually do. Auditors will interview staff and check reality vs. documentation.
3. Not preparing staff: Brief all interviewees on the process, their responsibilities, and key policies.
4. Rushing the internal audit: Give yourself 4-6 weeks before the external audit to fix internal audit findings.
5. Hiding problems: Auditors appreciate honesty. Show you've identified issues and have plans to address them.
Sample Auditor Questions
Prepare your team for questions like these:
- “Can you explain what the ISMS is and your role in it?”
- “Walk me through what you would do if you received a suspicious email.”
- “How do you request access to a new system?”
- “Who do you report security incidents to?”
- “When was your last security awareness training?”
- “Can you show me evidence of [specific control]?”