1.4 KiB
ISMS audit flags
This guideline supports practitioners conducting audits of Information Security Management Systems (ISMSs) built on ISO/IEC 27001. It provides practical reference material organised around two complementary audit tools: green flags — the evidence and documentation an auditor should expect to find in a functioning ISMS — and red flags — the indicators that signal a dysfunctional, failing, or nonconformant system.
The guideline does not prescribe how to audit, nor does it address the content of individual security controls. Its scope is the management system itself: whether it is properly designed, genuinely operating, and delivering value to the organisation. Because ISO/IEC 27001 is deliberately broad in its requirements, this document fills the interpretive gap with experience-based guidance on what adequate evidence looks like in practice, and what warning signs are worth investigating further.
Intended primarily for internal auditors and certification auditors working with ISO/IEC 27001-based ISMSs, it is also relevant to those assessing information service providers such as cloud and managed security vendors. The guidance draws on four decades of practitioner experience and is offered as a supplement to — not a replacement for — formal audit checklists and professional judgement.
