Study Document 08

Conducting the audit guide.

A practical ISO 27001 Lead Auditor guide to opening meetings, interviews, evidence collection, audit trails, sampling, difficult situations, and developing findings.

Core idea

Conducting an audit means following evidence, not assumptions.

The auditor should remain within scope, use the agreed audit criteria, ask clear questions, sample appropriately, verify evidence, and record facts before forming conclusions.

  • FVRR: Evidence should be fact-based, verifiable, reliable, and relevant.
  • Four core methods: interview, document review, observation, and system or record review.
  • Trail: Use audit trails to connect requirements, process activity, records, and outcomes.

Audit conduct flow

Use a disciplined flow from opening meeting to conclusions.

This sequence helps answer "what should the auditor do next" questions in the lead auditor exam.

Prepare working documents

Review audit plan, scope, criteria, previous findings, sampling needs, and interview focus areas.

Conduct the opening meeting

Confirm objectives, scope, criteria, plan, communication channels, resources, confidentiality, and logistics.

Collect and verify evidence

Use interviews, documents, records, observation, system review, and sampling to gather objective evidence.

Follow audit trails

Trace processes, records, assets, incidents, suppliers, risks, controls, or changes from source to outcome.

Evaluate against criteria

Compare evidence with ISO 27001 requirements, internal procedures, SoA, risk treatment plan, contracts, and legal requirements.

Record findings and conclusions

Hold audit team discussions, prepare findings, confirm evidence quality, and prepare the closing meeting.

Opening meeting

The opening meeting establishes the auditor's control of the audit.

It confirms the audit arrangement and reduces friction during evidence collection. The auditor should be clear, professional, and concise.

Confirm audit basics

  • Introduce audit team and auditee representatives.
  • Confirm audit objectives, scope, criteria, plan, and timing.
  • Confirm guides, observers, resources, facilities, and system access.
  • Confirm communication channels and escalation points.
  • Explain sampling, reporting, grading, and closing meeting timing.

Confirm controls and constraints

  • Confidentiality, screenshot, recording, and evidence handling rules.
  • Health, safety, emergency, physical security, and visitor requirements.
  • Remote audit platform, screen sharing, network access, and backup arrangements.
  • Any unavailable people, restricted systems, or planned audit schedule changes.

Evidence methods

Use more than one method to verify implementation.

Auditors should not rely only on verbal statements. Strong evidence usually comes from combining interviews, records, observation, and system evidence.

Method: Interview
  Use: Understand process, responsibility, awareness, implementation, and exceptions.
  ISO 27001 example: Ask a risk owner how residual risk acceptance is approved.

Method: Document review
  Use: Check policies, procedures, plans, registers, and controlled documents.
  ISO 27001 example: Review the risk methodology, access control procedure, or incident response plan.

Method: Record review
  Use: Verify that required activities occurred and were retained as evidence.
  ISO 27001 example: Review access reviews, backup test logs, training records, or internal audit reports.

Method: Observation
  Use: Verify how work is actually performed.
  ISO 27001 example: Observe visitor access, secure disposal, incident triage, or a change approval workflow.

Method: System review
  Use: Check logs, tickets, configuration, dashboards, and technical control evidence.
  ISO 27001 example: Review SIEM alerts, EDR status, IAM roles, or MFA configuration.

Method: Trace audit
  Use: Follow one transaction, process, asset, incident, or change end to end.
  ISO 27001 example: Trace a supplier onboarding case from request to risk review, contract control, and monitoring.

Audit trails

Audit trails connect evidence into a coherent story.

Use audit trails to test whether a process is designed, implemented, monitored, and improved across its real workflow.

Vertical

Follow one item across functions.

Example: supplier onboarding from request to risk assessment, approval, contract, and monitoring.

Horizontal

Test one requirement across departments.

Example: access control practices across HR, IT, Finance, and Operations.

Forward

Follow natural process flow.

Example: risk identification to treatment decision, Annex A control comparison, SoA update, and treatment plan.

Backward

Start from result and trace origin.

Example: start from access approval and trace back to request, role, authorization, and review.

Interview technique

Ask open, probing, and evidence-seeking questions.

Interviewing is not interrogation. The auditor should understand the process, test consistency, and ask for evidence respectfully.

Useful question styles

  • Can you explain how this process works?
  • What criteria do you use to accept risk?
  • How do you know the control is operating effectively?
  • Can you show me the evidence?
  • Who approves this activity?
  • What happens if the process fails?
  • How are exceptions handled?

Avoid these behaviours

  • Leading questions that suggest the answer.
  • Blaming individuals or arguing with auditees.
  • Asking two questions at once.
  • Accepting statements without evidence when evidence should exist.
  • Giving consultancy advice during a certification audit.

Evidence quality

Objective evidence must be good enough to support the finding.

A finding becomes weak when evidence is vague, not traceable, outside scope, unsupported, or unrelated to the audit criteria.

Relevant

Connected to criteria.

The evidence should relate directly to the requirement being evaluated.

Verifiable

Can be checked.

Evidence should be observable, recordable, or capable of confirmation.

Sufficient

Enough for judgement.

The sample should be adequate to support conformity or nonconformity.

Traceable

Source is clear.

Record sample, date, system, process, owner, and document reference where useful.
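The backward audit trail above (grant back to request, authorisation, approval, and review) and the traceability requirement for evidence can be made concrete with a small reconciliation. The following is an added example written for this guide, not code from the referenced standards or course material: it draws a reproducible sample from a constructed IAM export, traces each sampled grant back through constructed ticket and access review extracts, and returns an evidence reference for every step it can confirm plus a gap for every step it cannot. All record layouts, field names, identifiers, and dates are assumptions invented for the example.

```python
"""Backward audit trail over constructed access-control records.

The auditor starts from the result (a grant seen in the IAM export) and
traces back to request, role authorisation, approval, and access review,
recording a traceable evidence reference for each step and a gap for each
step that cannot be evidenced.
"""
import random
from datetime import date

# Constructed sample records for illustration; field names are assumptions.
GRANTS = [
    {"grant_id": "G-1001", "user": "a.ng", "role": "finance-admin",
     "system": "ERP", "granted_on": "2024-03-04", "ticket": "REQ-2211"},
    {"grant_id": "G-1002", "user": "b.ruiz", "role": "dba",
     "system": "ERP", "granted_on": "2024-03-10", "ticket": "REQ-2240"},
    {"grant_id": "G-1003", "user": "c.ito", "role": "viewer",
     "system": "ERP", "granted_on": "2024-04-02", "ticket": None},
    {"grant_id": "G-1004", "user": "d.okafor", "role": "viewer",
     "system": "ERP", "granted_on": "2024-04-15", "ticket": "REQ-2290"},
]
REQUESTS = {  # ticketing-system extract keyed by ticket reference
    "REQ-2211": {"user": "a.ng", "role": "finance-admin",
                 "approved_by": "cfo", "approved_on": "2024-02-28"},
    "REQ-2240": {"user": "b.ruiz", "role": "dba",
                 "approved_by": "b.ruiz", "approved_on": "2024-03-08"},
    "REQ-2290": {"user": "d.okafor", "role": "viewer",
                 "approved_by": "it-mgr", "approved_on": "2024-04-20"},
}
ROLE_APPROVERS = {  # approvers the (assumed) access control procedure authorises
    "finance-admin": {"cfo"}, "dba": {"it-mgr"}, "viewer": {"it-mgr"},
}
REVIEWS = [  # periodic access review records
    {"review_id": "AR-2024Q2", "system": "ERP", "reviewed_on": "2024-06-28",
     "grants_confirmed": {"G-1001", "G-1002"}},
]


def sample_grants(grants, size, seed=27001):
    """Reproducible random sample: seed, population and sample size can be
    recorded in the working papers so the sample itself is traceable."""
    ordered = sorted(grants, key=lambda g: g["grant_id"])
    return random.Random(seed).sample(ordered, min(size, len(ordered)))


def trace_grant(grant, requests, role_approvers, reviews):
    """Trace one grant backwards; return evidence references and gaps."""
    evidence = [f"{grant['system']} IAM export: {grant['grant_id']} "
                f"{grant['user']} -> {grant['role']} on {grant['granted_on']}"]
    gaps = []
    granted = date.fromisoformat(grant["granted_on"])

    req = requests.get(grant.get("ticket"))
    if req is None:
        gaps.append("no request record linked to grant")
    else:
        evidence.append(f"Ticket {grant['ticket']}: {req['user']} requested "
                        f"{req['role']}, approved by {req['approved_by']} "
                        f"on {req['approved_on']}")
        if (req["user"], req["role"]) != (grant["user"], grant["role"]):
            gaps.append("request does not match the user/role granted")
        if req["approved_by"] not in role_approvers.get(grant["role"], set()):
            gaps.append(f"approver {req['approved_by']} not authorised "
                        f"for role {grant['role']}")
        if date.fromisoformat(req["approved_on"]) > granted:
            gaps.append("grant predates approval")

    # A review only counts if it covers this system, names this grant, and
    # took place after the grant was made.
    confirming = [r for r in reviews
                  if r["system"] == grant["system"]
                  and grant["grant_id"] in r["grants_confirmed"]
                  and date.fromisoformat(r["reviewed_on"]) >= granted]
    if confirming:
        evidence.append(f"Access review {confirming[0]['review_id']} "
                        f"dated {confirming[0]['reviewed_on']}")
    else:
        gaps.append("not confirmed by an access review after grant date")
    return {"grant_id": grant["grant_id"], "evidence": evidence, "gaps": gaps}


def audit_access_grants(grants, requests, role_approvers, reviews,
                        sample_size=3, seed=27001):
    """Sample the population, trace each sampled grant, and summarise."""
    sample = sample_grants(grants, sample_size, seed)
    results = [trace_grant(g, requests, role_approvers, reviews) for g in sample]
    return {"population": len(grants), "sample_size": len(sample),
            "seed": seed, "exceptions": sum(1 for r in results if r["gaps"]),
            "results": results}


if __name__ == "__main__":
    report = audit_access_grants(GRANTS, REQUESTS, ROLE_APPROVERS, REVIEWS,
                                 sample_size=len(GRANTS))
    print(f"Sampled {report['sample_size']} of {report['population']} grants "
          f"(seed {report['seed']}); exceptions: {report['exceptions']}")
    for r in report["results"]:
        print(r["grant_id"], "gaps:", r["gaps"] or "none")
        for e in r["evidence"]:
            print("   evidence:", e)
```

Each result carries the system, record identifier, date, and approver for every step, which is the traceable reference the working papers need; a gap is a fact to investigate further (a self-approval, an approval dated after the grant, a grant with no request) rather than a nonconformity on its own, since the auditor still has to compare it with the criteria and decide whether it is isolated or systemic.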

Evidence by clause

Know what evidence fits each clause family.

These examples help learners quickly connect audit evidence to ISO 27001 management system requirements.

Clause 4
  Audit focus: Context, interested parties, scope, ISMS processes.
  Evidence examples: Scope statement, context register, interested party register, process map, boundary justification.

Clause 5
  Audit focus: Leadership, policy, roles, responsibilities.
  Evidence examples: Information security policy, role assignments, leadership review records, objectives communication.

Clause 6
  Audit focus: Planning, risks, opportunities, risk assessment, treatment, objectives.
  Evidence examples: Risk methodology, risk register, SoA, risk treatment plan, objective tracking, change planning.

Clause 7
  Audit focus: Support resources, competence, awareness, communication, documented information.
  Evidence examples: Training records, competence evidence, communication plan, document control and retention records.

Clause 8
  Audit focus: Operational planning and control.
  Evidence examples: Operational procedures, change records, control operation evidence, outsourced process controls.

Clause 9
  Audit focus: Performance evaluation.
  Evidence examples: Monitoring results, KPI reports, internal audit reports, management review minutes.

Clause 10
  Audit focus: Improvement and corrective action.
  Evidence examples: NCR register, root cause analysis, corrective action evidence, effectiveness review.

Difficult situations

Stay calm, factual, and within the audit process.

Difficult audit moments should be handled through professional communication, evidence requests, audit scope, and agreed escalation channels.

Situation: Auditee avoids answering
  Auditor response: Reframe calmly and request evidence.
  What to avoid: Arguing, blaming, or making assumptions.

Situation: Evidence unavailable
  Auditor response: Record objective facts and follow the audit process.
  What to avoid: Accepting unsupported explanations as evidence.

Situation: Delay tactics
  Auditor response: Escalate through the agreed communication channel.
  What to avoid: Changing scope informally or losing audit time silently.

Situation: Conflicting evidence
  Auditor response: Investigate further and triangulate evidence.
  What to avoid: Jumping to a conclusion before verification.

Situation: Scope disagreement
  Auditor response: Refer to the approved audit plan and audit scope.
  What to avoid: Auditing areas outside scope without authorization.

Situation: Confidential records
  Auditor response: Apply confidentiality controls and request an appropriate demonstration.
  What to avoid: Copying sensitive data without approval or need.

Finding development

Do not jump from evidence to conclusion too quickly.

  • Confirm the audit criteria first.
  • Check whether the evidence is relevant, verifiable, and sufficient.
  • Use additional sampling when evidence is conflicting or incomplete.
  • Separate isolated lapses from systemic weakness.
  • Discuss potential findings within the audit team before presentation.

Exam technique

The safest answer follows the audit process.

  • If evidence is insufficient, gather more evidence.
  • If the criteria are unclear, clarify the requirement before raising a finding.
  • If the auditee disputes evidence, explain the evidence and criteria calmly.
  • If evidence is sensitive, protect confidentiality and follow agreed handling rules.
  • If the issue is outside scope, escalate through the lead auditor or audit client route.

Quick memory aid

Conducting audit flow: open the audit, collect evidence, verify evidence, follow audit trails, compare with criteria, record findings, prepare conclusions. Never jump directly from suspicion to nonconformity.

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 19011 audit guidance and ISO 27001 Lead Auditor study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.