Why certified companies fail audits
Not for dramatic reasons. The risk register hasn't been touched since certification. Access reviews stopped after the second quarter. Evidence lives in someone's head, and that someone resigned. The surveillance auditor asks for twelve months of records and gets a scramble. None of it means security got worse — it means nobody owned the treadmill.
What I take off your plate
- The evidence habit: collected monthly, filed where the auditor expects it
- Scheduled access reviews, risk-register updates and control health checks
- Internal audits ahead of the external one, so findings surface when they're cheap
- Management review preparation — the meeting the standard requires and everyone forgets
- I sit with you through the surveillance audit itself
The honest pitch
This is a few disciplined hours a month that saves a panicked month a year. If you certified with me, I already know your ISMS. If you certified with someone else, the first month is me reading it properly before I promise anything.