What Actually Happens When You Fail an ISO 27001 Audit?

First, let us be clear: “failing” an ISO 27001 audit does not mean your organisation is permanently denied certification. In most cases, auditors identify areas for improvement, give you time to address them, and return to verify the fixes. The process is designed to be constructive, not punitive.

To understand what failure looks like, you need to understand the two types of nonconformity that auditors can raise.

Minor Nonconformities

A minor nonconformity is a gap that does not fundamentally undermine your Information Security Management System (ISMS). It might be an isolated documentation error, a single control that is not operating as described, or a small procedural oversight. Minor nonconformities are extremely common. Most organisations receive at least one or two during their certification audit, and they do not prevent you from achieving ISO 27001 certification.

When a minor nonconformity is raised, you will typically have 90 days to implement corrective action and provide evidence to your certification body. Once they are satisfied, certification proceeds as normal.

Major Nonconformities

A major nonconformity is far more serious. It indicates a fundamental failure in your ISMS, such as an entirely missing required process, a systematic breakdown in how controls are implemented, or a complete absence of risk assessment activity. A major nonconformity will prevent certification until the issue is fully resolved and verified through a follow-up audit.

Major nonconformities are less common, but when they occur, they require significant remediation effort and an additional audit visit, which adds both time and cost to your certification journey.

What Is the Difference Between Stage 1 and Stage 2 Failure?

The ISO 27001 certification audit is conducted in two stages, and the implications of nonconformities differ depending on when they are found.

Focus
  • Stage 1 (Documentation Review): ISMS documentation, scope, risk assessment, Statement of Applicability, policies and procedures
  • Stage 2 (Implementation Audit): Whether controls are actually implemented, operating effectively, and embedded in daily operations

Common issues
  • Stage 1: Missing policies, incomplete Statement of Applicability, poorly defined scope, gaps in risk treatment plans
  • Stage 2: Staff unaware of policies, evidence of controls not being followed, no management review records, ineffective internal audits

Impact of failure
  • Stage 1: Stage 2 is delayed until documentation gaps are resolved. This is actually an opportunity to fix things before the main audit.
  • Stage 2: Certification is withheld. Minor nonconformities require corrective action within 90 days. Major nonconformities require a re-audit.

Typical outcome
  • Stage 1: Auditor provides a list of concerns to address before Stage 2 proceeds
  • Stage 2: Auditor issues formal nonconformity reports requiring documented corrective action

A Stage 1 setback is generally easier to recover from because it is focused on documentation rather than operational evidence. If your auditor flags issues at Stage 1, take it as a valuable early warning and address everything before Stage 2 begins.

What Are Auditors Really Looking For?

Auditors are not trying to catch you out. Their job is to assess whether your ISMS meets the requirements of ISO 27001 and whether it is genuinely embedded in how your organisation operates. They are specifically looking for:

  • Consistency — do your documented policies match what actually happens in practice?
  • Evidence — can you demonstrate that controls are operating through logs, records, meeting minutes, and reports?
  • Risk-based thinking — does your risk assessment drive your control selection, and is it kept up to date?
  • Top management commitment — is leadership visibly engaged in information security governance?
  • Continual improvement — are you identifying and acting on opportunities to strengthen your ISMS over time?

The good news is that none of this requires perfection. Auditors expect to find areas for improvement. What matters is that your organisation demonstrates a genuine, systematic approach to managing information security risks. Our guide on how to pass your audit first time covers the preparation in more detail.

Why Do Organisations Fail ISO 27001 Audits?

Understanding the most common reasons for audit failure helps you avoid the same pitfalls. Based on typical audit findings, these are the areas where organisations most frequently fall short:

[Figure: Bar chart showing the most common areas where organisations receive nonconformities during ISO 27001 audits. Source: DNV and NQA certification body audit data]

1. Documentation Gaps

ISO 27001 requires a substantial body of documented information, including your information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, and records of management reviews and internal audits. Missing or incomplete documentation is one of the most common causes of nonconformity.

2. Inadequate Risk Assessment

The risk assessment is the foundation of your entire ISMS. If it is superficial, outdated, or does not clearly link identified risks to the controls in Annex A, auditors will raise concerns. A risk assessment that was done once and never revisited is a red flag.

3. Lack of Staff Awareness

If employees cannot articulate the basics of your information security policies when interviewed by the auditor, it suggests the ISMS exists only on paper. Training records, awareness programmes, and evidence of regular communication about information security are all essential.

4. Misalignment Between Documentation and Practice

This is perhaps the most damaging finding. If your documented procedures say one thing but staff do something different, it raises serious questions about the integrity of your ISMS. Auditors specifically test for this by comparing documented processes against observed practice and recorded evidence.

5. Incomplete Internal Audit Programme

Clause 9.2 requires organisations to conduct internal audits at planned intervals. If your internal audit programme is missing, incomplete, or has not covered all relevant areas of the ISMS, this will likely result in a nonconformity. Internal audits are your opportunity to find and fix issues before the external auditor does.

6. No Evidence of Management Review

Clause 9.3 requires top management to review the ISMS at planned intervals. Auditors will look for meeting minutes, action items, and evidence that management is actively engaged in information security governance. A missing management review is a common and easily avoidable nonconformity.

How Does the Corrective Action Process Work?

When a nonconformity is raised, ISO 27001 Clause 10.1 sets out the requirements for nonconformity and corrective action. The process follows a structured approach:

1. Identify and contain
  • What is involved: Acknowledge the nonconformity and take immediate action to contain any risk.
  • Key consideration: Do not ignore or downplay findings. Respond promptly and document everything.

2. Root cause analysis
  • What is involved: Determine why the nonconformity occurred, not just what happened.
  • Key consideration: Go beyond surface symptoms. Was it a process failure, a training gap, a resource issue, or a management oversight?

3. Corrective action
  • What is involved: Implement changes to address the root cause and prevent recurrence.
  • Key consideration: The fix must be proportionate and sustainable. Quick patches that do not address the underlying cause will not satisfy auditors.

4. Verification
  • What is involved: Provide evidence that the corrective action has been implemented and is effective.
  • Key consideration: For minor nonconformities, evidence is submitted within 90 days. For major nonconformities, a follow-up audit visit is required.

What Are the Timelines and Cost Implications?

The timeline for resolving nonconformities depends on their severity:

  • Minor nonconformities: You typically have 90 days to submit evidence of corrective action. If the certification body is satisfied, certification is granted without an additional audit visit.
  • Major nonconformities: A follow-up audit is required, which must be scheduled and completed before certification can proceed. Depending on your certification body’s availability and the complexity of the remediation, this could add 3 to 6 months to your timeline.

The cost implications are significant. A follow-up audit visit means additional auditor fees, which can range from £2,000 to £10,000 or more depending on the scope and size of your organisation. There are also indirect costs: staff time spent on remediation, potential delays to customer contracts that depend on certification, and the reputational impact of a delayed certification. Understanding the full picture of audit costs helps you budget appropriately from the outset.

When you factor in these costs alongside the time certification already takes, it becomes clear that investing in proper preparation upfront is far more cost-effective than dealing with the consequences of failure.

How Can You Prevent ISO 27001 Audit Failure?

The best way to deal with audit failure is to prevent it from happening in the first place. Here are the most effective strategies:

Conduct Thorough Internal Audits

Your internal audit programme is your first line of defence. It should cover every aspect of your ISMS over a planned cycle, with findings documented and corrective actions tracked to completion. Treat internal audits as dress rehearsals for the external audit.

Schedule Regular Management Reviews

Management reviews should happen at least annually, with clear agendas covering ISMS performance, risk changes, audit findings, and improvement opportunities. Keep detailed minutes and track action items to demonstrate ongoing leadership engagement.

Maintain Living Documentation

Your ISMS documentation should be a living system, not a static collection of documents created for the audit and then forgotten. Review and update policies, procedures, and the risk register regularly. Version control and change logs demonstrate to auditors that your ISMS is actively maintained.

Invest in Staff Awareness

Run regular awareness sessions, track training completion, and test understanding through quizzes or simulated phishing exercises. Auditors will interview staff at all levels, so ensure everyone, from the board to new starters, understands their role in information security.

Prepare Thoroughly Before the Audit

In the weeks before your audit, conduct a readiness review. Check that all required documentation is current, evidence is accessible, and key personnel are available and briefed. Our guide on how to prepare for an ISO 27001 audit covers this in detail.

How Does ISMS.online Help You Pass Your Audit?

ISMS.online is purpose-built to help organisations build, manage, and maintain an ISO 27001-compliant ISMS. The platform directly addresses the most common causes of audit failure:

  • Corrective Action Workflows: When nonconformities are identified, whether during internal audits or external assessments, ISMS.online provides structured workflows to document the finding, assign ownership, conduct root cause analysis, and track remediation through to closure. Every step is time-stamped and auditable.
  • Automated Evidence Collection: The platform continuously gathers and organises the evidence auditors need, from policy acknowledgements and training records to access reviews and risk treatment progress. No more scrambling to compile evidence packs before an audit.
  • Built-in Audit Management: Plan, schedule, and execute your internal audit programme directly within the platform. Audit findings link automatically to corrective actions, creating a clear trail from identification through to resolution.
  • Live Compliance Dashboard: See your ISMS compliance status at a glance. The dashboard highlights areas that need attention, overdue actions, and upcoming review dates, so nothing falls through the cracks.
  • Pre-built Policy and Procedure Templates: Start with templates that are already aligned to ISO 27001:2022 requirements, then tailor them to your organisation. This dramatically reduces the risk of documentation gaps.
  • Dynamic Risk Management: Maintain a living risk register with built-in risk assessment methodology, risk treatment plans linked to Annex A controls, and automated reminders for periodic risk reviews.

Whether you are pursuing certification for the first time or preparing for a surveillance audit, ISMS.online gives you the structure, automation, and visibility needed to walk into your audit with confidence. If you are still weighing up the investment, our guide on whether ISO 27001 is worth it can help you make the case.

Why Choose ISMS.online?

  • Purpose-built for ISO 27001: Unlike generic GRC tools, ISMS.online is designed specifically around the requirements of ISO 27001:2022, so every feature maps directly to what auditors expect to see.
  • Faster time to certification: Pre-built templates, guided workflows, and automated evidence collection mean you can achieve certification in weeks rather than months.
  • Reduced audit risk: Continuous compliance monitoring and built-in internal audit tools ensure you are always audit-ready, not just prepared once a year.
  • Complete corrective action management: From identification through root cause analysis to verified closure, the entire Clause 10.1 process is managed in one place with full audit trails.
  • Real-time visibility for leadership: Compliance dashboards and reporting give management the oversight they need to fulfil their governance responsibilities under Clause 5.1.
  • Integrated risk management: Your risk register, risk assessments, and treatment plans all live within the platform, linked to controls and continuously updated.
  • Trusted by thousands of organisations worldwide: From startups to enterprises, organisations rely on ISMS.online to achieve and maintain ISO 27001 certification with confidence.

Ready to make audit failure a thing of the past? Book a demo to see how ISMS.online can support your certification journey.

FAQs

Can you still get ISO 27001 certified after failing an audit?

Yes. An audit failure does not permanently disqualify you from certification. For minor nonconformities, you typically have 90 days to implement corrective actions and submit evidence. For major nonconformities, you will need to remediate the issues and undergo a follow-up audit. Once the certification body is satisfied that all nonconformities have been resolved, certification can proceed.


What is the difference between a minor and major nonconformity?

A minor nonconformity is an isolated gap that does not fundamentally undermine your ISMS, such as a missing record or a single procedural oversight. A major nonconformity indicates a systemic failure, such as an entirely absent required process or a complete breakdown in control implementation. Minor nonconformities can be resolved with evidence submission, whilst major nonconformities require a follow-up audit visit.


How long do you have to fix nonconformities after an ISO 27001 audit?

For minor nonconformities, certification bodies typically allow 90 days to implement corrective actions and submit evidence of resolution. For major nonconformities, there is no fixed deadline, but you will need to schedule a follow-up audit once remediation is complete. The total timeline depends on the complexity of the issues and your certification body’s availability, but you should expect 3 to 6 months for major findings.


How much does it cost if you fail an ISO 27001 audit?

The direct cost depends on whether a follow-up audit is required. Additional auditor fees for a follow-up visit can range from £2,000 to £10,000 or more, depending on your organisation’s size and scope. Indirect costs include staff time spent on remediation, potential delays to customer contracts, and the opportunity cost of extended certification timelines. Investing in thorough preparation upfront is significantly more cost-effective.


What are the most common reasons for ISO 27001 audit failure?

The most common causes include documentation gaps (missing or incomplete policies and procedures), inadequate risk assessments, lack of staff awareness about information security responsibilities, misalignment between documented processes and actual practice, incomplete internal audit programmes, and missing evidence of management reviews. Most of these issues can be prevented with consistent ISMS maintenance and thorough pre-audit preparation.


Does failing a surveillance audit mean you lose your ISO 27001 certification?

Not immediately. If nonconformities are found during a surveillance audit, you will be given the opportunity to implement corrective actions. However, if major nonconformities are not resolved within the agreed timeframe, or if the certification body determines that your ISMS is no longer meeting the standard’s requirements, your certification can be suspended or withdrawn. Maintaining continuous compliance through regular internal audits and management reviews is essential to avoid this outcome.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.