ISO 27001 Audit Interview Guide

Your Secret Weapon for Not Panicking

First Things First: Don't Panic

Remember, you're not being interrogated by MI5 - it's just an ISO auditor doing their job. They're more interested in how we run our security and protect information than in catching you out. Think of them as particularly thorough pentesters, but for processes instead of systems.

What They're Actually Looking For

The auditors aren't expecting you to recite the ISO 27001 standard backwards while juggling (though that would be impressive). They want to see that:

  • You understand your role in keeping information secure (even if you can't quote policy numbers)

  • You know what to do when things go wrong (and who to contact)

  • You're following the processes we've put in place (especially the ones crucial to your role)

  • You're aware of the main security risks in your role (and aren't using "password123" for everything)

The Golden Rules of Audit Interviews

1. Be Honest (But Not TOO Honest)

  • Answer what's asked - but no need to give a speech

  • If you don't know something, say so - "I'm not sure, but I know where to find that information" is a perfectly good answer

  • Don't make up answers - auditors can smell fear and fiction from a mile away

  • Stick to what you know - it's fine to say "That's not part of my role, but I'd ask [relevant person] about that"

2. Show Your Work

  • Keep relevant documentation handy - knowing where to find information is as important as memorising it

  • Reference specific processes when you can - "As per our incident response process..." sounds much better than "Um, I guess I'd tell someone?"

  • Use real examples when possible - "Last month when we had that phishing attempt..." shows processes in action

3. Remember the Basics

Data Protection

  • Know what sensitive data you handle (customer data, financial info, intellectual property)

  • Understand how to classify different types of information

  • Be clear on what you can share, with whom, and through which channels

  • Remember: If in doubt, treat it as confidential

Access Control

  • Use strong, unique passwords for all systems (and yes, Slack counts as a system)

  • Enable 2FA/MFA wherever available (it's not optional)

  • Never share your credentials

  • Lock your screen when stepping away (yes, even at home)

Device Security

  • Keep your work devices for work (Netflix can go on your personal laptop)

  • Install updates promptly ("remind me tomorrow" isn't a security strategy)

  • Use approved security tools (antivirus, VPN, etc.)

  • Know what to do if your device is lost or stolen

Incident Reporting

  • Know how to spot potential incidents (unusual system behavior, suspected phishing, etc.)

  • Report incidents immediately through the proper channels

  • Document what you've observed (screenshots can be helpful)

  • Don't try to investigate or fix things yourself (that's what we have experts for)

Common Questions (And How Not to Mess Them Up)

Security Awareness

What would you do if you spotted a security incident?

  • Good answer: "I'd report it immediately through our incident management system and notify [security contact]"

  • Bad answer: "Delete everything and run for the hills"

Access Control

How do you handle access to systems?

  • Good answer: "Access is requested through our ticketing system and requires manager approval"

  • Bad answer: "I just ask Dave for his password"

Information Handling

How do you share sensitive information with clients?

  • Good answer: "We use our approved secure file sharing system and classify information according to our data classification policy"

  • Bad answer: "WhatsApp usually, or carrier pigeon for the really secret stuff"

Quick Fire Do's and Don'ts

Do:

  • Review recent security incidents and how they were handled

  • Know your main security contacts

  • Understand basic security procedures for your role

  • Keep your workspace tidy & secure during the audit (yes, they might ask about people overhearing conversations)

  • Take a breath before answering questions

Don't:

  • Try to memorise policies word-for-word

  • Make up processes on the spot - you could be asked for evidence

  • Volunteer unnecessary information

  • Panic if you don't know something

  • Argue with the auditor - leave that to the primary person overseeing the audit on your side!

If You Get Stuck

Remember these lifeline phrases:

  • "Let me refer to our documentation for the exact process..."

  • "That's handled by [team/person], but I know how to contact them if needed"

  • "I'd follow our documented procedure for that, which I can show you"

  • "I'm not certain about that specific detail, but I know where to find the information"

The Night Before Checklist

  • Review your role's security responsibilities

  • Know where to find relevant documentation

  • Clean your desk (seriously, do it)

  • Get some sleep (auditors can smell fear)

  • Remember: You've got this!

Final Thoughts

Remember, the auditor is checking our security system, not writing your performance review. They want to see that we're taking security seriously and have practical, working processes in place. You don't need to be perfect - you just need to show that you understand your part in keeping our information secure.

And if all else fails, remember: No auditor has ever actually turned someone into stone with their gaze. We're pretty sure about that. Almost entirely sure.

Good luck! (Though you won't need it because you're going to nail this)