Most ISO 27001 implementations focus on selecting and documenting controls. That is necessary work. It is also not what an external auditor is going to spend the most time on during a Stage 2 audit. The auditor's central question is not whether your control set is well-chosen. It is whether your selected controls actually function in practice — and whether the evidence supports that conclusion under sampling.
A.5 Organisational Controls: The Foundation Auditors Check First
A.5 covers policies, roles and responsibilities, classification, supplier relationships, incident management, and continuity. Auditors start here because if the organisational layer is weak, the other layers cannot hold up. The most common findings: policies that have not been reviewed in the past 12 months, ownership records that name people who have left, supplier registers that miss material suppliers, classification schemes that are documented but not used in practice.
A.6 People Controls: Where Documentation Often Diverges from Practice
A.6 covers screening, terms and conditions, training, disciplinary processes, and the joiner-mover-leaver lifecycle. The control set is not technically demanding — most organisations have HR processes that cover the basics. The audit issue is consistency. The auditor will sample recent joiners and leavers and check whether the process actually ran for each: was background screening done before access was granted? Were access rights revoked promptly when someone left? Did training happen and is there evidence?
A.7 Physical Controls: Often Underweight in Modern Implementations
A.7 covers physical perimeters, entry controls, working in secure areas, equipment siting, clear desk, and storage media handling. For organisations with significant physical infrastructure (data centres, offices with sensitive paper records, industrial environments) this matters substantially. For cloud-native organisations with distributed remote workforces, the controls still apply but look different — the question becomes how you handle distributed endpoint devices, home-office security expectations, and physical media that may exist even in primarily-digital workflows.
A finding we see repeatedly: the SoA (Statement of Applicability) excludes physical controls because the organisation does not own a data centre. But the company does ship laptops to remote employees. The auditor checks how those laptops are tracked, how loss is reported, what happens at offboarding — and finds that A.7 controls were excluded incorrectly. Physical controls have not gone away; they have moved to the endpoint estate.
A.8 Technological Controls: Where the Most Findings Live
A.8 is the largest control category and the source of the highest finding density in most audits. It covers user endpoint devices, privileged access, identity and authentication, network security, cryptography, secure development, vulnerability management, logging, and monitoring. The 2022 update added explicit controls for threat intelligence, cloud security, and information masking that older implementations sometimes miss.
How Auditors Actually Sample
- Joiner-mover-leaver records — sample 10–20% of recent transitions, look for end-to-end evidence
- Privileged access reviews — pull the most recent review, check coverage and remediation of identified issues
- Security incidents — pull every incident from the past 12 months, look for full lifecycle documentation
- Vulnerability management — sample critical findings, check time-to-remediate against SLA
- Supplier reviews — sample tier-1 suppliers, look for due diligence and ongoing monitoring evidence
- Internal audit findings — verify each was tracked through to closure with evidence
Preparing for the Audit That Actually Happens
The mistake organisations make is preparing for a documentation audit when they should be preparing for an effectiveness audit. Auditors care that you have documented procedures. They care more that the procedures are followed and produce the outcomes the controls demand. The strongest preparation is running an internal audit that mimics the certification audit's sampling approach. If the internal audit finds gaps, the certification audit will find more. Better to find them when you have time to fix them than during Stage 2.
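Two of the sampling checks listed above (leaver access revocation and critical vulnerability time-to-remediate) can be scripted for the internal audit. This is an added example, not code from the original post; the leaver and vulnerability records, the audit date and the SLA values (1 day for revocation, 14 days for critical remediation) are all constructed assumptions.

```python
from datetime import date
import random

# Constructed sample records (hypothetical; not from any real HR, IAM or scanner export).
LEAVERS = [
    {"user": "a.khan",  "left": date(2024, 3, 1), "access_revoked": date(2024, 3, 1)},
    {"user": "b.ortiz", "left": date(2024, 3, 5), "access_revoked": date(2024, 3, 19)},
    {"user": "c.wei",   "left": date(2024, 4, 2), "access_revoked": None},  # still open
]
CRITICAL_VULNS = [
    {"id": "V-1", "found": date(2024, 2, 1), "fixed": date(2024, 2, 10)},
    {"id": "V-2", "found": date(2024, 2, 3), "fixed": date(2024, 3, 20)},
    {"id": "V-3", "found": date(2024, 4, 1), "fixed": None},  # still open
]
REVOKE_SLA_DAYS = 1       # assumed offboarding SLA: access gone within a day of leaving
CRITICAL_SLA_DAYS = 14    # assumed remediation SLA for critical findings
AS_OF = date(2024, 5, 1)  # assumed audit date; open items are measured up to here


def sample(records, fraction, seed=0):
    """Pull a reproducible random sample, like an auditor's 10-20% selection."""
    n = max(1, round(len(records) * fraction))
    return random.Random(seed).sample(records, n)


def days_open(start, end):
    """Elapsed days between start and end; an unresolved item counts up to AS_OF."""
    return ((end or AS_OF) - start).days


def check_leavers(records):
    """Users whose access outlived the revocation SLA (unrevoked access is a finding)."""
    return [r["user"] for r in records
            if days_open(r["left"], r["access_revoked"]) > REVOKE_SLA_DAYS]


def check_vulns(records):
    """Critical findings whose time-to-remediate exceeded the SLA, open ones included."""
    return [r["id"] for r in records
            if days_open(r["found"], r["fixed"]) > CRITICAL_SLA_DAYS]


if __name__ == "__main__":
    # Run the checks over the whole population first, then over an auditor-style sample.
    print("Leavers breaching revocation SLA:", check_leavers(LEAVERS))
    print("Critical vulns breaching SLA:", check_vulns(CRITICAL_VULNS))
    print("Sampled leaver findings:", check_leavers(sample(LEAVERS, 0.2)))
```

Running the checks over the full population before sampling shows how much worse a finding rate an auditor's random pull could surface.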