Method | May 2026 | 6 min read

Why an ISO 27001 audit fails twice before the auditor arrives

The two pre-audit silences that quietly determine the certification outcome — and what to listen for in the months before the visit.

An ISO 27001 audit does not actually fail when the external auditor finds a gap. It fails twice, well before that — in two pre-audit silences that decide the outcome long before anyone opens the Statement of Applicability on audit day. Recognising those silences early is the difference between a clean certification and a remediation cycle that runs into the following financial year.

The first silence is in the management review. When the steering committee stops asking hard questions about risk treatment because everyone has heard the answers already, the ISMS calcifies. The agenda items get the same five-minute slot they always do; the same KPIs are read out; the same residual-risk assertions are accepted. The auditor walks in to find perfectly maintained documents and a culture that has stopped using them. The resulting findings cluster under Clause 9.3 — and they tend to be structural, not cosmetic.

The second silence is between the internal audit team and the operations team. When internal audits become a paperwork exercise — boxes ticked, findings logged in a register, nothing actually closed within the SLA — the cultural defect is already in place. The external auditor does not need to discover new gaps; the open and ignored internal findings are the gap. Nonconformities cluster under Clause 9.2 and Clause 10.1, and the pattern is unmistakable to any experienced lead auditor.

Neither silence is fixed during the audit itself. Both are fixed months earlier, by treating the ISMS as an operating practice rather than a documentation set: named owners, a written review cadence, a small number of meaningful KPIs that the steering committee is willing to argue about, and a closed-loop process for internal findings that the operations team can defend in front of a stranger. The audit then stops being an event and becomes a checkpoint.


Founding Partner of Brightway Consultancy. Twenty years in cybersecurity across the finance and telecom sectors — spanning CISO, governance, audit, and PECB-authorized training — now advising boards across the GCC.
