This guide helps ISO 27001 implementers perform comprehensive consistency checks across ISMS documentation, challenge their preparation work, and verify audit readiness before initial certification or surveillance audits.

Who this is for

ISO 27001 implementers, information security managers, and compliance officers responsible for building and maintaining an ISMS and preparing for certification audits.

What you'll accomplish

You'll upload your complete ISMS documentation to ISMS Copilot, identify inconsistencies across policies and procedures, verify alignment with ISO 27001 requirements, and receive a realistic assessment of certification readiness with specific improvement areas.

The consistency challenge

ISMS documentation is created over months by different people referencing evolving requirements. The result: policies contradict procedures, the Statement of Applicability doesn't match implemented controls, risk treatments reference non-existent procedures, and nobody realizes until the auditor points it out.

ISMS Copilot analyzes your complete documentation set to identify gaps, contradictions, and misalignments before auditors find them.

Prerequisites

  • Completed ISMS documentation including policies, procedures, Statement of Applicability, risk assessment, and risk treatment plan

  • ISMS Copilot account with Premium access (recommended for unlimited file uploads)

  • All documents in PDF or DOC format

Step 1: Create a dedicated audit readiness workspace

Set up a workspace specifically for comprehensive ISMS review and audit preparation.

  1. Create a new workspace named "Audit Readiness [Date]" or "Certification Prep [Year]"

  2. Select the Implementer persona for implementation-focused analysis

  3. Keep this workspace separate from daily operational ISMS work

Create separate readiness workspaces for initial certification, surveillance audits, and recertification to track your ISMS maturity evolution over time.

Step 2: Upload your complete ISMS documentation

Upload all ISMS documents to enable comprehensive cross-document analysis.

Critical documents to upload:

  • Mandatory documents: Information Security Policy, Statement of Applicability, Risk Assessment, Risk Treatment Plan

  • Core procedures: Access control, change management, incident response, business continuity, backup and recovery

  • Supporting documents: Asset inventory, vendor contracts with security clauses, training records, audit logs

  • Previous audit reports: If available, for tracking corrective actions

Ensure uploaded documents represent your current, approved versions. Uploading draft or outdated documents will produce inaccurate consistency analysis.

Step 3: Verify Statement of Applicability alignment

Check that your SoA accurately reflects what's actually implemented in your ISMS.

SoA verification prompts:

  • "Compare my Statement of Applicability against my uploaded procedures. Which controls are marked 'applicable' but have no corresponding procedure?"

  • "Are there any controls marked 'not applicable' in my SoA but referenced in my risk treatment plan?"

  • "Review my SoA justifications for exclusions. Are they adequate per ISO 27001:2022?"

  • "Which Annex A controls are mentioned in procedures but missing from my SoA?"

Address all SoA inconsistencies before the audit. The SoA is the auditor's roadmap; errors here create a negative first impression and tell the auditor exactly where to dig deeper.

Step 4: Identify cross-document inconsistencies

Find contradictions, gaps, and misalignments across your ISMS documentation.

Consistency check prompts:

  • "My access control policy says quarterly reviews, but my procedure says annual. Which documents contradict each other on review frequency?"

  • "Does my risk treatment plan reference any procedures that don't exist in the uploaded documents?"

  • "Compare data classification levels between my policy and backup procedure. Are they consistent?"

  • "My incident response procedure mentions an 'Incident Response Team'. Is this team defined anywhere in my documentation?"

  • "Check if all roles and responsibilities mentioned across documents are defined in my organizational documents."
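As an added example (not ISMS Copilot's code and not part of the original guide), a small Python checker that performs the Step 3 SoA alignment checks and the Step 4 cross-document checks on constructed sample extracts; the control ids, document texts and role names are made up for the demonstration, and the regular expressions assume title-cased document and team names as used in the sample.

```python
import re
# Constructed sample ISMS extracts (not from any real organisation), shaped the way
# the Step 3 and Step 4 checks need them: SoA rows, document texts, defined roles.
SOA = {
    "A.5.15": {"applicable": True},   # Access control
    "A.5.16": {"applicable": True},   # Identity management
    "A.8.13": {"applicable": False},  # Information backup
    "A.5.23": {"applicable": False},  # Cloud services
}
DOCS = {
    "Access Control Policy": "User access rights shall be reviewed quarterly.",
    "Access Control Procedure": "Implements A.5.15. Access rights are reviewed annually "
        "by the Incident Response Team. Restores follow the Backup Procedure.",
    "Backup Procedure": "Implements A.8.13 and A.8.14. Backups are tested monthly.",
    "Risk Treatment Plan": "R-07 is reduced via A.8.13 (Backup Procedure). "
        "R-09 is reduced per the Cloud Security Procedure.",
}
DEFINED_ROLES = {"ISMS Manager", "Asset Owner"}  # roles actually defined in org documents
CONTROL_RE = re.compile(r"\bA\.\d+\.\d+\b")                           # Annex A control ids
PROC_RE = re.compile(r"\b((?:[A-Z][a-z]+ )+Procedure)\b")             # title-cased doc names
ROLE_RE = re.compile(r"\b((?:[A-Z][a-z]+ )+(?:Team|Manager|Owner))\b")
FREQ_RE = re.compile(r"\breview(?:ed)?\s+(quarterly|monthly|annually)\b", re.I)

def check_consistency(soa, docs, roles):
    """Cross-document findings of the kinds the Step 3 and Step 4 prompts ask for."""
    f = {"applicable_without_procedure": [], "not_applicable_but_referenced": [],
         "referenced_but_missing_from_soa": [], "orphaned_procedure_references": [],
         "undefined_roles": [], "review_frequency_conflicts": []}
    referenced = {}  # control id -> documents that cite it
    freqs = {}       # subject (doc name minus Policy/Procedure/Plan) -> {freq: [docs]}
    for name, text in docs.items():
        for cid in CONTROL_RE.findall(text):
            referenced.setdefault(cid, set()).add(name)
        for proc in PROC_RE.findall(text):        # orphaned references
            if proc not in docs:
                f["orphaned_procedure_references"].append((name, proc))
        for role in ROLE_RE.findall(text):        # responsibility gaps
            if role not in roles:
                f["undefined_roles"].append((name, role))
        subject = re.sub(r"\s+(Policy|Procedure|Plan)$", "", name)
        for freq in FREQ_RE.findall(text):        # policy vs procedure review frequency
            freqs.setdefault(subject, {}).setdefault(freq.lower(), []).append(name)
    for cid, row in soa.items():                  # SoA alignment (Step 3)
        if row["applicable"] and cid not in referenced:
            f["applicable_without_procedure"].append(cid)
        elif not row["applicable"] and cid in referenced:
            f["not_applicable_but_referenced"].append((cid, sorted(referenced[cid])))
    f["referenced_but_missing_from_soa"] = sorted(set(referenced) - set(soa))
    f["review_frequency_conflicts"] = [(s, b) for s, b in freqs.items() if len(b) > 1]
    return f
```

Each finding maps to one of the prompts above (applicable control without a procedure, not-applicable control cited by the risk treatment plan, orphaned procedure, undefined team, quarterly-versus-annual review conflict), so the output can be handed to document owners as a worklist.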

Step 5: Verify ISO 27001 requirement coverage

Ensure your documentation addresses all mandatory ISO 27001:2022 clauses and applicable Annex A controls.

Coverage verification prompts:

  • "Check my uploaded documents against ISO 27001:2022 Clause 6 (Planning). What's missing?"

  • "Do my documents demonstrate how we determine and address risks and opportunities per Clause 6.1?"

  • "Verify coverage of Clause 9.2 internal audit requirements in my procedures"

  • "For each control marked 'applicable' in my SoA, is there documented evidence of implementation?"

  • "What Clause 7 (Support) requirements are not adequately documented?"

Focus on the mandatory requirements of Clauses 4-10 first, then verify the Annex A controls marked applicable in your SoA. Controls excluded in the SoA need only a sound justification, so don't spend review time on them.

Step 6: Challenge your risk assessment and treatment

Validate that your risk management approach meets ISO 27001 requirements and makes practical sense.

Risk assessment challenge prompts:

  • "Review my risk assessment. Are the criteria for risk acceptance clearly defined and applied consistently?"

  • "Do my identified risks align with the ISMS scope and asset inventory?"

  • "Are the risk treatment options (avoid, transfer, accept, reduce) properly justified?"

  • "Check if my risk treatment plan includes owners, timelines, and status for each risk. What's missing?"

  • "Are there any residual risks that haven't been formally accepted by management?"

Step 7: Assess evidence of operation

Determine if you have sufficient evidence that your ISMS is actually operating, not just documented.

Evidence assessment prompts:

  • "What operational evidence would an auditor expect for my access control procedure? Do I have it?"

  • "Based on my incident response procedure, what records should I have? Are they mentioned in my documents?"

  • "Review my business continuity plan. What testing evidence will auditors expect?"

  • "Do my procedures specify record retention periods and formats? Is this consistent?"

Documentation alone doesn't prove compliance. Auditors will request evidence of operation: logs, records, meeting minutes, test results, training attendance, etc.

Step 8: Get a readiness assessment

Request an overall evaluation of certification readiness with specific improvement priorities.

Readiness assessment prompts:

  • "Based on all uploaded documents, assess my readiness for ISO 27001:2022 initial certification. What are the top 5 risks to certification?"

  • "What would likely result in major non-conformities if I went to audit today?"

  • "Which areas of my ISMS are weakest based on the documentation?"

  • "Create a pre-audit checklist prioritized by risk level"

  • "If you were an auditor reviewing these documents, what would you question or challenge?"

Step 9: Prepare for surveillance audits

For surveillance audits, verify that changes since certification haven't introduced inconsistencies.

Surveillance-specific prompts:

  • "Compare my current procedures against the previous audit report. Have all non-conformities been addressed?"

  • "What changes have been made to my ISMS documentation since last audit? Are they reflected consistently?"

  • "Review my management review meeting minutes. Do they demonstrate continual improvement?"

  • "Are there any new risks or controls that should be in my SoA but aren't?"

Common inconsistencies ISMS Copilot identifies

  • Terminology mismatches: "Sensitive" vs. "Confidential" data used interchangeably without definition

  • Review frequency conflicts: Policy says quarterly, procedure says annually

  • Orphaned references: Documents cite procedures, teams, or systems that don't exist

  • Scope creep: Procedures reference locations or systems outside the defined ISMS scope

  • Version control issues: Documents reference outdated versions of other documents

  • Responsibility gaps: Procedures assign tasks to undefined roles or vacant positions

  • SoA misalignment: Controls marked "not applicable" but clearly needed based on risk assessment

Best practices for consistency checking

  • Upload everything at once: ISMS Copilot analyzes relationships across all documents simultaneously

  • Fix systematically: Address fundamental issues (terminology, roles, scope) before detail inconsistencies

  • Verify corrections: After fixing issues, re-upload updated documents and re-check

  • Document the review: Save the chat history as evidence of due diligence for auditors

  • Involve document owners: Share ISMS Copilot findings with the people responsible for each document

  • Don't over-rely on AI: Manual review by competent persons remains essential; ISMS Copilot assists but doesn't replace expertise

Preparing for the auditor's questions

Use ISMS Copilot to anticipate auditor questions and prepare evidence:

  • "What questions would an auditor ask about my change management procedure?"

  • "If an auditor samples my access reviews, what evidence should I have ready?"

  • "What documents will the auditor request during the Stage 1 documentation review?"

  • "Generate a list of likely interview questions for our IT manager based on our documented controls"

Conducting your own pre-audit using ISMS Copilot helps identify weak areas, giving you time to strengthen evidence and documentation before the real audit.

What ISMS Copilot can't verify

Important limitations to understand:

  • Actual implementation: ISMS Copilot reviews documents, not your actual systems, processes, or records

  • Effectiveness: AI can't determine if your controls actually work in practice

  • Cultural factors: Auditors assess security culture, management commitment, and employee awareness, not only documents

  • Technical configurations: ISMS Copilot doesn't audit firewall rules, server settings, or application security

Next steps

After addressing consistency issues and verifying audit readiness, conduct a formal internal audit using your corrected documentation to validate that your ISMS operates as documented before scheduling the certification audit.