Module 8: The Certification Battle

Common Findings Defense


Understanding typical audit findings helps you prevent them—or respond effectively when they occur. This lesson covers the most common ISO 27001 findings and how to address them.

Understanding Audit Findings

Finding Classifications

Observation/Opportunity for Improvement:

  • Not a nonconformity
  • Suggestion for enhancement
  • Good practice recommendations
  • No formal response required (but consider them)
  • Doesn't affect certification decision

Minor Nonconformity:

  • Isolated lapse or deviation
  • Single occurrence
  • Partial implementation of requirement
  • Documentation gap
  • Impact: Can still be certified with correction plan
  • Timeline: Usually 90 days to close

Major Nonconformity:

  • Systematic failure
  • Complete absence of requirement
  • Multiple related minor NCs
  • Critical control failure
  • Effectiveness significantly compromised
  • Impact: Certification denied until corrected
  • Timeline: Requires verification, possibly additional audit

How Findings Are Written

Typical Finding Format:

Finding ID: NC-2025-001

Clause/Control: A.8.8 Management of Technical Vulnerabilities

Type: Minor Nonconformity

Observation: "Review of vulnerability scan results from January 2025 identified 3 critical CVEs (CVE-2024-XXXX, CVE-2024-YYYY, CVE-2024-ZZZZ) on production web servers that were discovered 45 days ago but remain unpatched. Organization's vulnerability management procedure states critical vulnerabilities shall be remediated within 7 days."

Requirement: "ISO 27001:2022 Annex A.8.8 requires information about technical vulnerabilities shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures shall be taken."

Evidence:

  • Vulnerability scan report dated 2025-01-15
  • Screenshots of affected servers showing unpatched status
  • Interview with IT Manager confirming awareness of vulnerabilities

Top 15 Most Common Findings

1. Incomplete or Inadequate Risk Assessment

Common Issues:

  • Generic risks not specific to organization
  • Missing risk assessment for new projects/systems
  • Risk register not updated
  • No documented methodology
  • Missing asset identification

What Auditors Find:

  • "Risk assessment dated 12 months ago with no updates despite cloud migration project"
  • "Risk register shows generic risks like 'cyber attack' without specifics"
  • "No risk assessment conducted for new CRM system implemented in November"
  • "Methodology document doesn't define likelihood and impact scales"

How to Prevent:

  1. Conduct specific, detailed risk assessment
  2. Update quarterly or when changes occur
  3. Document clear methodology
  4. Assess risks for all new projects/systems
  5. Keep risk register current and specific

If Found - How to Respond:

Root Cause Analysis: "Risk assessment became outdated because we didn't have a defined trigger for updates. Our risk management procedure specified annual reviews but not change-triggered reviews."

Immediate Correction:

  1. Conduct updated risk assessment covering all current systems
  2. Add specific risk assessment for cloud migration project
  3. Document methodology with clear scales
  4. Review all changes in past 12 months and assess related risks

Preventive Action:

  1. Update risk management procedure to require:
    • Quarterly reviews
    • Assessment for any system/project changes
    • Specific change triggers (new system, major upgrade, business change)
  2. Assign risk assessment coordinator
  3. Add to ISMS calendar with reminders
  4. Include in change management process

Evidence of Correction:

  • Updated risk register dated [date] covering all current environment
  • Cloud migration risk assessment dated [date]
  • Updated risk management procedure v2.0
  • Calendar showing quarterly review schedule
  • Email to change management team requiring risk assessment for all changes

2. Statement of Applicability Issues

Common Issues:

  • Controls marked "applicable" without implementation
  • Exclusions without justification
  • No link between controls and risks
  • Implementation status not current
  • Missing controls

What Auditors Find:

  • "A.8.13 Backup marked as 'implemented' but no backup testing records found"
  • "A.7.4 Physical Security Monitoring excluded with justification 'not needed' - insufficient justification"
  • "A.8.8 Vulnerability Management listed as applicable but no link to any identified risk"
  • "SoA shows only 85 of 93 controls - missing 8 controls"

How to Prevent:

  1. Complete all 93 controls in SoA
  2. Provide specific, detailed justifications
  3. Link each applicable control to specific risks
  4. Keep implementation status current
  5. Cross-reference with evidence

If Found - How to Respond:

For Missing Justifications:

Immediate Correction: Update SoA with specific justifications

Before: "A.7.4 not applicable - not needed"

After: "A.7.4 Physical Security Monitoring - Not Applicable

Justification: Organization operates 100% in cloud infrastructure (AWS US-East-1 and US-West-2 regions). We have no physical data centers, server rooms, or networking equipment within our ISMS scope. All physical infrastructure is provided by AWS.

Risk R-030 'Physical Security of Infrastructure' has been identified and the treatment decision is to TRANSFER this risk to AWS under the shared responsibility model. AWS holds ISO 27001 certification and implements 24/7 physical monitoring at their facilities, as documented in their SOC 2 Type II report (reviewed annually).

Physical security monitoring is therefore AWS's responsibility per our service agreement dated 2024-03-15, Section 7.2 'Physical Security.'

If the organization opens physical offices with infrastructure within ISMS scope, this control will be reassessed for applicability."


3. Internal Audit Not Conducted or Inadequate

Common Issues:

  • No internal audit conducted
  • Internal audit too shallow
  • Auditor not independent
  • Not all ISMS areas covered
  • Findings not followed up

What Auditors Find:

  • "No internal audit conducted prior to certification audit (Clause 9.2)"
  • "Internal audit conducted only by ISMS Manager auditing their own work - not independent"
  • "Internal audit report shows only policies reviewed, no operational controls verified"
  • "Internal audit from 3 months ago identified 5 nonconformities - none have corrective actions initiated"

How to Prevent:

  1. Conduct internal audit 1-2 months before certification
  2. Use independent auditor (external or independent internal)
  3. Cover all ISMS clauses and applicable controls
  4. Test controls, don't just review documents
  5. Track and close all findings

If Found - How to Respond:

If No Internal Audit:

Immediate Correction: "Conduct internal audit within 2 weeks"

Action Plan:

  1. Engage external ISO 27001 lead auditor for internal audit
  2. Schedule 2-day internal audit covering:
    • All ISO 27001 clauses 4-10
    • All applicable Annex A controls from SoA
    • Sample testing of operational controls
    • Interviews with process owners
    • Review of ISMS records
  3. Document findings in internal audit report
  4. Initiate corrective actions for any NCs found
  5. Update internal audit schedule for annual audits

Preventive Action:

  1. Establish annual internal audit calendar
  2. Define internal audit procedure with:
    • Independence requirements
    • Scope requirements
    • Sampling methodology
    • Reporting format
  3. Identify internal audit resources (internal staff or external)
  4. Add internal audit to management review agenda

Evidence:

  • Internal audit report dated [date]
  • Internal audit schedule for next 12 months
  • Internal audit procedure v1.0
  • Corrective action records for audit findings

4. Management Review Not Conducted

Common Issues:

  • No management review conducted
  • Top management didn't attend
  • Missing required inputs
  • No decisions or actions documented
  • Not conducted at planned intervals

What Auditors Find:

  • "No evidence of management review per Clause 9.3"
  • "Management review meeting held but CEO (top management) did not attend"
  • "Management review minutes don't include risk assessment results (required input per 9.3.2f)"
  • "Management review conducted but no decisions or actions documented"

How to Prevent:

  1. Conduct management review at least annually (quarterly recommended)
  2. Ensure top management attends
  3. Cover all required inputs (9.3.2)
  4. Document decisions and actions (9.3.3)
  5. Follow up on previous actions

If Found - How to Respond:

Immediate Correction: "Schedule and conduct management review within 1 week"

Action Plan:

  1. Schedule management review meeting with CEO/top management attendance
  2. Prepare management review pack including all required inputs:
    a) Status of actions from previous review (if applicable)
    b) Changes in external and internal issues
    c) ISMS performance feedback including:
      • Nonconformities and corrective actions
      • Monitoring and measurement results
      • Audit results
    d) Feedback from interested parties
    e) Results of risk assessment
    f) Status of risk treatment plan
    g) Opportunities for continual improvement
  3. Conduct meeting - ensure top management participates
  4. Document decisions on:
    • Continual improvement opportunities
    • Any need for ISMS changes
    • Resource needs
  5. Assign owners and deadlines for all actions
  6. Distribute minutes to attendees

Preventive Action:

  1. Establish quarterly management review schedule
  2. Create management review procedure
  3. Develop standard agenda template with required inputs
  4. Add to CEO calendar with 90-day advance notice
  5. Assign ISMS Manager responsibility to prepare review pack

Evidence:

  • Management review meeting minutes dated [date] signed by CEO
  • Management review presentation slides
  • Attendance record showing top management participation
  • Action item tracker from management review
  • Management review procedure v1.0
  • Calendar showing next scheduled review

5. Inadequate Documentation Control

Common Issues:

  • Documents not version controlled
  • No approval process
  • Outdated documents in use
  • No document register
  • Can't find controlled version

What Auditors Find:

  • "Access Control Policy v1.0 shown to auditor, but employees have v0.9 (draft) on their computers"
  • "Vulnerability Management Procedure has no version number, date, or approval signature"
  • "No document register or master list of controlled documents"
  • "Five different versions of Backup Procedure found in different locations"

How to Prevent:

  1. Implement document control system (SharePoint, DMS, etc.)
  2. Define version numbering scheme
  3. Require approval before publication
  4. Maintain document register
  5. Remove obsolete documents from circulation

If Found - How to Respond:

Immediate Correction:

  1. Create document register listing all ISMS documents
  2. Verify current version of each document
  3. Ensure all documents have:
    • Version number
    • Date
    • Approval signature
    • Review date
  4. Remove obsolete versions from all locations
  5. Publish controlled versions to single location

Action Plan:

  1. Establish SharePoint site as document control system
  2. Update document control procedure:
    • Version numbering scheme (v1.0, v1.1, v2.0)
    • Approval workflow (author → reviewer → approver)
    • Document template with standard header
    • Process for obsolete document removal
  3. Migrate all ISMS documents to SharePoint with proper versioning
  4. Communicate to all staff where to find controlled documents
  5. Set read-only permissions - only document controller can upload
  6. Add document review schedule to ISMS calendar

Evidence:

  • Document register v1.0 dated [date]
  • Document control procedure v1.0
  • SharePoint site with controlled documents
  • Communication email to staff about document location
  • Screenshot of access permissions
  • Sample documents showing proper version control

6. No Evidence of Control Effectiveness

Common Issues:

  • Controls implemented but not tested
  • No monitoring or measurement
  • Can't demonstrate controls work
  • No metrics or KPIs
  • No evidence of outcomes

What Auditors Find:

  • "Security awareness training conducted but no evidence of effectiveness (no tests, phishing simulations, or metrics)"
  • "Backup system configured but no successful restoration tests conducted"
  • "Vulnerability scanning implemented but no evidence scans led to actual remediation"
  • "Access control policy exists but no logs show access denials - unclear if working"

How to Prevent:

  1. Define effectiveness criteria for each control
  2. Monitor and measure key controls
  3. Test controls periodically
  4. Track and trend metrics
  5. Document outcomes and results

If Found - How to Respond:

For Backup Testing:

Immediate Correction:

  1. Conduct backup restoration test within 1 week
  2. Document test procedure:
    • Backup selected for test
    • System/data restored
    • Test procedure followed
    • Success/failure results
    • Time to restore
    • Data integrity verification
  3. Document successful restoration

Action Plan:

  1. Update backup procedure to require quarterly restoration tests
  2. Create backup test schedule
  3. Define test success criteria
  4. Assign responsibility for tests
  5. Create test report template
  6. Add to monitoring and measurement plan

Preventive Action:

  1. For all critical controls, define:
    • What indicates the control is working
    • How to measure effectiveness
    • Testing/verification method
    • Frequency of verification
    • Who is responsible
  2. Create monitoring and measurement procedure
  3. Establish KPI dashboard
  4. Review effectiveness in management review

Evidence:

  • Backup restoration test report dated [date] showing successful recovery
  • Updated backup procedure v2.0 including testing requirements
  • Backup test schedule for next 12 months
  • KPI dashboard showing backup metrics (success rate, restore time)

7. Incomplete or Missing Training Records

Common Issues:

  • No training records
  • Can't demonstrate competence
  • Training not role-specific
  • New employees not trained
  • No evidence of awareness

What Auditors Find:

  • "5 of 10 sampled employees have no record of security awareness training"
  • "IT Security Manager role requires CISSP but no certificate on file"
  • "New employee started 3 months ago, no evidence of security training"
  • "Training records show course completion but no test scores or competency verification"

How to Prevent:

  1. Define competence requirements for all roles
  2. Maintain training records systematically
  3. Include security training in onboarding
  4. Track completion and verify competence
  5. Keep evidence of qualifications

If Found - How to Respond:

Immediate Correction:

  1. Immediately conduct training for untrained employees
  2. Collect and file missing training certificates/records
  3. Create training tracker with completion status

Action Plan:

  1. Create competence matrix defining requirements for each role
  2. Collect evidence of qualifications:
    • Certifications (CISSP, CISM, etc.)
    • Degrees/education
    • Training completion certificates
    • Work experience documentation
  3. Update training database with all completion records
  4. Add security training to onboarding checklist (day 1 requirement)
  5. Implement learning management system to track training
  6. Schedule annual refresher training for all staff
  7. Require certification of completion + pass score for security training

Preventive Action:

  1. Establish training procedure covering:
    • Onboarding training requirements
    • Role-based training requirements
    • Annual refresher requirements
    • Competence verification method
    • Record retention (3 years minimum)
  2. Assign HR responsibility for tracking
  3. Monthly compliance reports to management
  4. Block system access for overdue training (if appropriate)

Evidence:

  • Competence matrix v1.0
  • Training records database/spreadsheet
  • Certificates on file for key personnel
  • Updated training completion showing 100% compliance
  • Training procedure v1.0
  • LMS implementation proof
  • Onboarding checklist including security training

8. Weak or Non-Existent Access Controls

Common Issues:

  • No access control policy
  • Shared accounts
  • No access reviews
  • Excessive privileges
  • Terminated users with active access

What Auditors Find:

  • "Quarterly access review required by policy but last review was 9 months ago"
  • "3 terminated employees from 2024 still have active accounts in AD"
  • "Generic 'admin' account used by multiple IT staff with no individual accountability"
  • "User with 'Viewer' job role has administrative privileges in production database"

How to Prevent:

  1. Implement formal access request/approval process
  2. Follow principle of least privilege
  3. Conduct regular access reviews (quarterly)
  4. Prohibit shared accounts
  5. Promptly disable terminated user access
  6. Link access provisioning to HR processes

If Found - How to Respond:

For Terminated User Access:

Immediate Correction:

  1. Immediately disable/delete all accounts for terminated employees identified
  2. Review all accounts to identify additional terminated users
  3. Document review and actions taken

Root Cause Analysis: "IT was not consistently notified of terminations. HR offboarding checklist included 'IT access removal' but was manual process prone to being missed."

Action Plan:

  1. Implement automated notification from HR system to IT on termination date
  2. Create formal offboarding procedure:
    • HR initiates IT ticket on last working day
    • IT disables all access within 4 hours
    • IT confirms completion to HR
    • HR verifies before final pay processing
  3. Integrate termination into access governance tool (if applicable)
  4. Conduct immediate full account review against HR database
  5. Establish monthly reconciliation of active accounts vs. active employees

Preventive Action:

  1. Automate where possible (HRIS integration)
  2. Weekly report of any accounts without matching active employees
  3. Quarterly access reviews include verification against HR roster
  4. Include in security awareness training: "Report terminated colleagues"

Evidence:

  • Documentation of immediate account disabling
  • Full account reconciliation report showing no terminated users with access
  • Updated offboarding procedure v2.0
  • HRIS integration specification/implementation proof
  • Monthly reconciliation reports for past 3 months
  • Screenshot of automated termination notification system
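
The monthly reconciliation of active accounts against active employees described above can be scripted. The following is an added example, not part of the original lesson: the CSV layouts, field names, issue labels and the approved service-account register are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): HR roster and directory accounts.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E001,Alice Ng,active,
E002,Bob Ortiz,terminated,2024-11-29
E003,Chen Wei,active,
E004,Dana Roy,terminated,2025-01-10
"""

ACCOUNTS_CSV = """username,employee_id,enabled,last_logon
ang,E001,true,2025-02-01
bortiz,E002,true,2025-01-20
cwei,E003,true,2025-02-02
droy,E004,false,2025-01-09
admin,,true,2025-02-02
svc-backup,,true,2025-02-02
jdoe,E099,true,2024-12-15
"""

# Hypothetical register of approved non-human accounts and their named owner.
APPROVED_SERVICE_ACCOUNTS = {"svc-backup": "E003"}


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def reconcile(roster, accounts, service_accounts):
    """Return one finding per enabled account without an active, named owner."""
    employees = {row["employee_id"]: row for row in roster}
    findings = []
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to reconcile
        user = acct["username"]
        owner_id = acct["employee_id"].strip() or service_accounts.get(user)
        finding = {"username": user, "owner": owner_id,
                   "logon_after_termination": False}
        if owner_id is None:
            # Generic or shared account with no individual accountability.
            finding["issue"] = "UNOWNED_ACCOUNT"
        elif owner_id not in employees:
            finding["issue"] = "NO_HR_MATCH"
        elif employees[owner_id]["status"] != "active":
            finding["issue"] = "TERMINATED_OWNER_ENABLED"
            terminated = _parse_date(employees[owner_id]["termination_date"])
            last_logon = _parse_date(acct["last_logon"])
            # Use after the termination date is the case to escalate first.
            finding["logon_after_termination"] = bool(
                terminated and last_logon and last_logon > terminated)
        else:
            continue  # enabled account with an active owner
        findings.append(finding)
    return sorted(findings, key=lambda f: f["username"])


if __name__ == "__main__":
    for f in reconcile(load(HR_ROSTER_CSV), load(ACCOUNTS_CSV),
                       APPROVED_SERVICE_ACCOUNTS):
        print(f)
```

Saving each run's output with its date gives the reconciliation report evidence listed above, and an empty result is itself a record worth keeping.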

9. Vulnerability Management Failures

Common Issues:

  • No vulnerability scanning
  • Scans not regular
  • Vulnerabilities not prioritized
  • Critical vulnerabilities not patched
  • No remediation tracking

What Auditors Find:

  • "Critical CVE published 60 days ago remains unpatched on production servers"
  • "Vulnerability scans run monthly but no evidence of remediation actions"
  • "Patch management process documented but patch compliance is 45% for critical systems"
  • "5 servers found with Windows Server 2012 (unsupported/end of life)"

How to Prevent:

  1. Implement regular vulnerability scanning (weekly/monthly)
  2. Define remediation SLAs (Critical: 7 days, High: 30 days, etc.)
  3. Track remediation in ticketing system
  4. Report metrics to management
  5. Decommission unsupported systems

If Found - How to Respond:

Immediate Correction:

  1. Emergency patch deployment for critical vulnerabilities identified
  2. Isolate any unsupported systems from network until remediated
  3. Complete vulnerability scan of all systems
  4. Create remediation plan for all findings

Action Plan:

  1. Update vulnerability management procedure:
    • Weekly vulnerability scanning
    • Risk-based prioritization
    • Remediation SLAs:
      • Critical: 7 days
      • High: 30 days
      • Medium: 90 days
    • Exception process for systems that can't be patched
  2. Implement vulnerability tracking dashboard
  3. Assign vulnerability coordinator role
  4. Weekly vulnerability review meeting
  5. Automated escalations for overdue remediations
  6. Plan to decommission/upgrade unsupported systems
  7. Testing process for patches before deployment

Preventive Action:

  1. Automated vulnerability scanning integrated with asset management
  2. Patch management automation where possible
  3. Monthly vulnerability metrics to management:
    • Open vulnerabilities by severity
    • Mean time to remediate
    • SLA compliance rate
    • Trend over time
  4. Include vulnerability metrics in ISMS objectives

Evidence:

  • Updated vulnerability scan showing critical vulns remediated
  • Vulnerability management procedure v2.0
  • Remediation tracking dashboard
  • Patch deployment evidence for emergency patches
  • Decommission plan for unsupported systems
  • Monthly vulnerability reports for past 3 months
  • Escalation emails for overdue items
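
The remediation SLAs and monthly metrics listed above (open vulnerabilities by severity, mean time to remediate, SLA compliance rate, overdue escalations) can be computed from a findings export. The following is an added example, not part of the original lesson: the record fields, status labels and sample findings are constructed, and counting a finding under an approved, unexpired exception as not in breach is an assumption about how the compliance rate is defined.

```python
from collections import Counter
from datetime import date

# Remediation SLAs in days, as stated in the procedure above.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def _finding(fid, severity, discovered, remediated=None, exception_until=None):
    return {"id": fid, "severity": severity, "discovered": discovered,
            "remediated": remediated, "exception_until": exception_until}


# Constructed sample findings (identifiers and dates are illustrative only).
FINDINGS = [
    _finding("VULN-001", "critical", date(2024, 12, 1)),
    _finding("VULN-002", "critical", date(2025, 1, 2), date(2025, 1, 6)),
    _finding("VULN-003", "high", date(2024, 11, 20), date(2025, 1, 4)),
    _finding("VULN-004", "high", date(2025, 1, 5)),
    _finding("VULN-005", "medium", date(2024, 10, 1), date(2024, 11, 15)),
    _finding("VULN-006", "critical", date(2024, 12, 20),
             exception_until=date(2025, 2, 28)),
    _finding("VULN-007", "low", date(2025, 1, 1)),  # no SLA defined for "low"
]


def assess(f, as_of):
    """Classify one finding against its SLA as of the reporting date."""
    sla = SLA_DAYS.get(f["severity"])
    age = ((f["remediated"] or as_of) - f["discovered"]).days
    row = {"id": f["id"], "severity": f["severity"], "age_days": age,
           "days_overdue": 0, "status": "no_sla"}
    if sla is None:
        return row  # surfaced separately so the SLA gap is visible
    overdue = max(0, age - sla)
    if f["remediated"]:
        status = "closed_late" if overdue else "closed_in_sla"
    elif not overdue:
        status = "open_in_sla"
    elif f["exception_until"] and f["exception_until"] >= as_of:
        status = "open_exception"  # approved exception that has not expired
    else:
        status = "open_overdue"
    row.update(status=status, days_overdue=overdue)
    return row


def metrics(findings, as_of):
    """Monthly management metrics plus the list of items to escalate."""
    rows = [assess(f, as_of) for f in findings]
    closed = [r["age_days"] for r, f in zip(rows, findings) if f["remediated"]]
    with_sla = [r for r in rows if r["status"] != "no_sla"]
    breached = [r for r in with_sla
                if r["status"] in ("closed_late", "open_overdue")]
    return {
        "open_by_severity": dict(Counter(
            f["severity"] for f in findings if not f["remediated"])),
        "mttr_days": round(sum(closed) / len(closed), 1) if closed else None,
        "sla_compliance_pct": round(
            100 * (len(with_sla) - len(breached)) / len(with_sla), 1)
        if with_sla else None,
        "escalate": sorted(
            ((r["id"], r["days_overdue"]) for r in rows
             if r["status"] == "open_overdue"), key=lambda x: -x[1]),
    }


if __name__ == "__main__":
    print(metrics(FINDINGS, date(2025, 1, 15)))
```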

10. Incident Management Process Not Tested

Common Issues:

  • Incident procedure exists but never used
  • No incidents recorded
  • No tabletop exercises
  • Staff don't know their roles
  • No evidence of effectiveness

What Auditors Find:

  • "Incident response plan exists but no incidents recorded in past 12 months and no exercises conducted"
  • "Interview with IT staff shows confusion about incident response roles"
  • "Help desk tickets show 15 security-related tickets but none recorded as security incidents"
  • "No evidence incident response contacts are current or have been tested"

How to Prevent:

  1. Conduct tabletop exercises annually
  2. Record all incidents (even minor ones)
  3. Test incident response contacts
  4. Train staff on incident procedures
  5. Conduct post-incident reviews

If Found - How to Respond:

Immediate Correction:

  1. Conduct tabletop exercise within 2 weeks
  2. Review help desk/ticket system for security-related tickets
  3. Reclassify security incidents properly
  4. Update incident register

Tabletop Exercise Plan:

  1. Scenario: Ransomware attack encrypts file server
  2. Participants: IT team, management, communications, legal
  3. Facilitated walkthrough of incident response procedure
  4. Document decisions made and time estimates
  5. Identify gaps or areas for improvement
  6. Update procedure based on lessons learned

Action Plan:

  1. Define what constitutes a "security incident":
    • Malware detection
    • Unauthorized access attempt
    • Data breach or suspected breach
    • Security control failure
    • Lost/stolen device with data
    • Phishing success
  2. Update help desk to include incident classification
  3. Train help desk staff to identify security incidents
  4. Review past 12 months of tickets and properly classify incidents
  5. Establish quarterly tabletop exercise schedule
  6. Assign incident response roles and create contact list
  7. Test emergency contacts (call drill)

Preventive Action:

  1. Quarterly tabletop exercises with different scenarios
  2. Annual full incident response test
  3. Include incident response in security awareness training
  4. Monthly review of incident classifications
  5. Post-incident review process for all incidents
  6. Update procedure based on lessons learned

Evidence:

  • Tabletop exercise report dated [date]
  • Attendance records
  • Exercise scenario and results
  • Updated incident response procedure v2.0
  • Incident classification guide
  • Updated incident register with properly classified incidents
  • Incident response contact list with test results
  • Quarterly exercise schedule

Responding to Findings: The Process

1. Understand the Finding

Ask Questions:

  • "Can you clarify which specific requirement isn't met?"
  • "What evidence would close this finding?"
  • "Is this a minor or major nonconformity?"
  • "Can you show me the specific gap you identified?"

Verify Accuracy:

  • Review the evidence auditor referenced
  • Check your own records
  • Confirm you understand the issue

2. Acknowledge or Dispute

If Accurate:

  • Acknowledge it professionally
  • Don't make excuses
  • Focus on correction

If Inaccurate:

  • Politely explain the misunderstanding
  • Provide additional context or evidence
  • Seek clarification

How to Dispute Politely: "I appreciate you identifying this concern. I'd like to provide some additional context that might address this. [Explain]. Would this additional evidence address the finding, or do you still have concerns?"

3. Develop Corrective Action Plan

Root Cause Analysis:

  • Why did this happen?
  • What process failure allowed it?
  • What was the underlying cause?

Use 5 Whys:

Example: "User access not removed for terminated employee"

  1. Why wasn't access removed? - IT wasn't notified
  2. Why wasn't IT notified? - HR didn't complete offboarding checklist
  3. Why wasn't checklist completed? - HR was busy and it was manual
  4. Why is it manual? - No integration between HRIS and IT systems
  5. Why no integration? - Budget priority, not automated

Root Cause: Manual process without automation or failsafe

Corrective Action:

  1. Immediate: Remove access, review all accounts
  2. Short-term: Automate termination notification
  3. Long-term: HRIS-IT integration, weekly reconciliation

4. Document the Response

Corrective Action Report Format:

Finding: [Copy from audit report]

Root Cause: [What was the underlying cause?]

Immediate Correction: [What was done to fix the specific issue?]

  • Action: [Specific action taken]
  • Evidence: [File name/screenshot]
  • Date Completed: [Date]
  • Completed By: [Name]

Corrective Action: [What will prevent recurrence?]

  • Action: [Specific preventive action]
  • Responsible: [Person name]
  • Target Date: [Date]
  • Evidence: [What will be provided]

Verification of Effectiveness: [How will you verify the corrective action worked?]

  • Method: [How you'll verify]
  • Timeline: [When you'll verify]
  • Expected Outcome: [What success looks like]

5. Submit Evidence

What to Submit:

  • Root cause analysis
  • Immediate correction evidence
  • Updated procedures/documents
  • New records showing compliance
  • Verification of effectiveness (if available)

How to Submit:

  • Follow CB's process (usually email or portal)
  • Organize by finding number
  • Clear file names
  • Cover letter explaining each piece of evidence

Timeline:

  • Minor NCs: Usually 90 days
  • Major NCs: As agreed with auditor
  • Earlier is better - shows commitment

6. Verification

Auditor Will:

  • Review your corrective action
  • Assess adequacy
  • May request additional evidence
  • Approve or request revision

If Approved:

  • Finding closed
  • Certificate proceeds (if Stage 2)

If Not Approved:

  • Additional work needed
  • May need desk review or on-site verification
  • Additional audit days may be charged

Prevention is Better Than Cure

Pre-Audit Checklist

90 Days Before Audit:

  • Conduct gap analysis against requirements
  • Review and update all documentation
  • Conduct internal audit
  • Complete any pending control implementations
  • Ensure all procedures have been followed
  • Collect and organize all evidence

30 Days Before Audit:

  • Review internal audit findings - all closed?
  • Conduct management review
  • Verify all policies current and approved
  • Check all required records exist
  • Test evidence accessibility
  • Brief all participants

1 Week Before Audit:

  • Final documentation review
  • Verify all evidence accessible
  • Conduct mock interviews
  • Prepare evidence index
  • Confirm participant availability
  • Final systems checks

Red Flags to Address

Before the audit, verify:

  • No "TBD" or "Coming Soon" in documents
  • No draft documents in use
  • All required signatures present
  • All dates are current
  • No obvious gaps in records (e.g., no logs for 3 months)
  • Version control is consistent
  • Procedures match actual practice
  • Staff know their ISMS roles
  • Evidence tells a consistent story

Final Thoughts

Remember:

  • Findings are learning opportunities
  • Perfect is not required - good faith effort is
  • Honesty and transparency build auditor trust
  • Systematic problems are worse than isolated issues
  • Prevention through good ISMS operation is key

Success Factors:

  1. Operate your ISMS genuinely, not just for audit
  2. Document what you do, do what you document
  3. Monitor effectiveness continuously
  4. Address issues promptly
  5. Learn and improve constantly

Congratulations! You've completed Module 8: The Certification Battle. You're now prepared to successfully navigate your ISO 27001 certification audit.

Next Module: Maintaining the Kingdom - Keep your certification and continually improve your ISMS.
