
How to Compare Auditor Expertise for ISO 27001 Certification | Neutral Partners

Written by Ray Watts | Feb 9, 2026 5:00:33 PM

Compare real experience, not just years on a resume

A strong ISO 27001 auditor understands how controls work in real environments. Ask about experience with:

  • Cloud hosting and the shared responsibility model (which controls the provider owns vs which you own)
  • Identity and access management at scale
  • Logging and monitoring in modern stacks
  • Secure development practices and change control
  • Supplier management for third-party processors and sub-processors

If you are a startup, ask whether they have audited lean teams without forcing unnecessary bureaucracy. If you are a healthcare company, ask how they validate risk treatment when privacy and security overlap.


Ask how they test, sample, and write findings

This is the most practical comparison point. Good auditors can explain their method in plain English.

Questions we recommend asking:

  • How do you plan Stage 1 vs Stage 2? What do you validate in each stage?
  • What does your evidence sampling look like for high-risk controls such as access control and vulnerability management?
  • How do you handle remote audits? What does a remote walkthrough look like?
  • How do you validate physical security if we have a small office footprint?
  • How do you decide whether an issue is an observation, a minor nonconformity, or a major nonconformity?
  • What does closure evidence look like in your process?

If they cannot explain this clearly, your audit will feel unpredictable.


Review the proposal like a control owner would

When you receive a quote or audit plan, review it for:

  • Defined scope: systems, products, and locations. Watch for vague language.
  • Audit days: how many audit days are allocated for Stage 1, Stage 2, and surveillance audits.
  • Audit team: names, roles, and relevant competence.
  • Remote vs on-site assumptions: confirm what is required and when.
  • Evidence handling: secure sharing method, timelines, and expectations.

A common surprise is a proposal that assumes on-site time, multi-site sampling, or extra audit days based on headcount. You want alignment before kickoff.


Red flags that usually create rework

  • Overpromising: “We can certify you in a few weeks” without asking about scope or evidence.
  • No clear method: they cannot describe sampling, interviews, or closure.
  • No industry context: they apply the same checklist to every business model.
  • Pricing that is far below market: the gap often shows up later as change orders or missed expectations.
  • Stage confusion: they treat Stage 1 like a full audit, or treat Stage 2 like a document review.


A fast auditor interview script

If you have 20 minutes with a certification body, use this structure:

  • Describe your ISMS scope in two sentences.
  • Ask what they will validate in Stage 1.
  • Ask for two examples of evidence they expect for access control and vulnerability management.
  • Ask how they sample across systems and teams.
  • Ask how they handle findings and closure evidence.
  • Confirm audit format: remote, hybrid, or on-site.

You should leave the call knowing how they will test you and what they will ask for.


How Neutral Partners helps

We help you choose a certification body that fits your business and timeline, then build an evidence package that holds up across auditor styles. That reduces debate, avoids surprise findings, and keeps your certification schedule predictable.

Since 2017, we have maintained a 100% audit success rate across more than 700 successful audits and assessments.


Schedule a Discovery Session

If you want a second set of eyes on a proposal, or you want help choosing the right audit path for your scope, we can walk through it with you.