The ISO/IEC 27001:2022 Audit Passed. But Did Security?

An ISO/IEC 27001 audit may prove that governance exists — but not that security works under pressure. This article explores the blind spots between audit evidence, real-world exposure and the risks attackers actually exploit.
Image: Generated with FLUX.2 Pro, prompted by E. Mehler 2026

By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.


Most organizations know how to answer audit questions.

Far fewer know how to answer risk questions.

After spending many years around information security programs, governance frameworks, certification efforts, and security transformations, I have developed a certain appreciation for audits. They create discipline. They force organizations to document decisions, clarify responsibilities, and establish repeatable processes. In many cases, they are the catalyst that moves security from good intentions to structured management.

That is valuable.

But it is worth asking a question that is often left untouched:

What exactly are we measuring when we perform an information security audit?

And perhaps more importantly:

What are we not measuring?


The Comfort of What Can Be Audited

Most information security audits are designed around a fundamental principle: evidence.

  • Can a policy be shown?
  • Can a process be demonstrated?
  • Can a review be documented?
  • Can a decision be traced?
  • Can responsibilities be proven?

These are reasonable expectations.

An auditor must be able to assess something objectively. Evidence provides that objectivity.

The challenge begins when organizations unconsciously equate the existence of evidence with the existence of security.

  • A documented process is not necessarily an effective process.
  • A completed review is not necessarily a meaningful review.
  • A risk register is not necessarily risk management.
  • And a certified management system is not necessarily a secure organization.

Those distinctions are uncomfortable because they challenge one of the most deeply embedded assumptions in our profession: that compliance and security naturally move in lockstep.

They do not.


Why the Industry Prefers Standardized Audits

There is also an economic reality that deserves more attention.

Standardized audits are efficient.

They can be replicated across organizations, sectors, and countries. They provide consistency. They allow certification bodies and audit firms to train auditors against established methodologies and predictable scopes.

From a business perspective, this makes perfect sense:

  • Organizations receive a recognized assessment.
  • Auditors receive a repeatable service model.
  • Markets receive comparability.
  • Everybody understands the rules.

The problem is that actual information security risk rarely behaves in a standardized manner.

The threats facing a manufacturing company differ from those facing a humanitarian organization.

The risks facing a cloud-native technology company differ from those of a government contractor.

The security exposure of an organization operating in stable markets differs dramatically from one operating in politically sensitive regions.

Yet many audits ultimately evaluate them through remarkably similar lenses.

The result is often a strong assessment of management-system maturity, but only a limited assessment of operational exposure.


The Risks That Rarely Appear in Audit Reports

Take a moment and think about the discussions that keep experienced CISOs awake at night.

Rarely do they revolve around document version control.

They are more likely to focus on questions such as:

  • Could a sophisticated adversary compromise our identities?
  • How dependent are we on a small number of cloud providers?
  • Do we have visibility into our third-party ecosystem?
  • Can we detect lateral movement inside our environment?
  • How resilient are we against geopolitical disruption?
  • What happens if critical digital services become unavailable for an extended period?
  • How exposed are we to AI-driven attacks, misinformation campaigns, or large-scale automation?

These questions increasingly define the modern risk landscape.

Yet they often sit at the edge of the scope of traditional audit programs, or completely outside it.

Not because auditors lack competence.

But because many audit methodologies were created for a different purpose.

They were designed to assess whether management systems conform to a defined standard.

They were never intended to serve as comprehensive threat assessments.


The Difference Between Governance and Exposure

This distinction matters more than many boards realize.

A governance audit primarily answers the question: “Are we managing security in a structured way?”

A risk-focused assessment asks something different: “What is most likely to hurt us?”

Both questions are important.

But they are not interchangeable.

An organization may score highly on governance maturity while simultaneously carrying significant exposure to threats that have never been systematically examined.

This is particularly true in areas such as identity security, cloud concentration risk, supply-chain dependencies, detection capability, cyber resilience, and geopolitical exposure.

These subjects are often difficult to audit through traditional evidence-based approaches because they require judgment, context, and an understanding of adversarial behavior.

They do not fit neatly into checklists.


When Findings Become a Distraction

One phenomenon I have observed repeatedly over the years is what I call the “finding paradox.”

The more observations an audit generates, the more comprehensive it appears.

Yet the opposite can sometimes be true.

Large volumes of findings often drive organizations into administrative remediation efforts.

Teams become focused on closing observations, updating documents, obtaining approvals, and producing evidence.

All of these activities may be necessary.

But none automatically reduce the organization’s most significant risks.

In some cases, organizations become highly effective at managing audit findings while remaining uncertain about their actual threat exposure.

That is not a failure of auditing.

It is a failure of interpretation.


The Question Boards Should Be Asking

When boards receive audit reports, they often focus on the number of findings, their severity, and remediation timelines.

Those metrics matter.

But there is another question that deserves equal attention:

Which major risks were not examined at all?

That single question frequently reveals more than an entire audit report.

Because the greatest strategic risks are often not hiding within the findings.

They are hiding outside the audit scope.


Moving Beyond Compliance

None of this suggests that standards, certifications, or audits lack value.

They remain essential components of modern governance.

The problem emerges when they become the primary definition of security.

Compliance is evidence that a system exists.

Security is evidence that it works under pressure.

Those are related concepts.

They are not identical.

As our threat landscape becomes more complex, organizations will increasingly need both perspectives: rigorous governance audits and independent assessments focused on real-world risk exposure.

One without the other creates blind spots.

And blind spots have a habit of becoming tomorrow’s incidents.


Closing Thought

Perhaps the most important cybersecurity question for the next decade is not whether organizations are compliant.

It is whether they truly understand the risks that matter most.

Because attackers do not audit management systems.

They exploit weaknesses.

And the gap between those two realities may be one of the most underestimated risks in modern cybersecurity.


Publication Note & Disclaimer
This article was originally published on LinkedIn on June 2, 2026 and may have been edited or updated for publication on this site.

It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.

For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.