What auditors really expect
An ISO 27001 or CyFun audit is often experienced as a tense moment of inspection. Yet an audit is not about flawless paperwork. It comes down to one central question: does your organisation have its information security under control, and can it demonstrate that?
Good preparation is therefore not only about “passing the audit”, but about building structure, insight, and clear responsibilities. This not only helps during the audit but also strengthens your organisation in the long term.
In this post, we take a closer look at what auditors actually expect and how to prepare your organisation realistically, without letting theory outweigh practice.
ISO 27001 and CyFun: different approach, same principle
ISO 27001 and the CyberFundamentals Framework start from the same principle: understanding and managing business risks. The difference lies mainly in the form.
ISO 27001 requires a formally established management system (an ISMS), with clear roles, policies, monitoring, and improvement. CyFun places more emphasis on concrete security measures and on how maturely your organisation has actually implemented them.
In both cases: those who have their basics in order are already far ahead. Preparation largely follows the same lines.
Unsure whether to choose ISO 27001 or CyFun? You can read more about that in this post.
If you already know which audit you want to undergo, the following five focus points are crucial to start well-prepared:
- Scoping & objective
- Current risk analysis
- Understandable and workable documentation
- Actively involve employees & management
- Conduct an internal audit
1. Scope & objective of the audit: Determine in advance what will be assessed
An audit only goes smoothly if it is clear in advance what exactly will be assessed. Therefore, defining the scope is one of the most important steps in your preparation.
The scope describes which processes, systems, activities, employees, and locations are included in the audit. This seems simple but can quickly become complex in organisations with multiple sites, cloud environments, or many external suppliers.
A well-defined scope is:
- aligned with your core activities
- clear to all involved
- logical and defensible to the auditor
A vague or poorly substantiated scope almost always leads to extra questions and unnecessary discussions during the audit.
For ISO 27001, the audit covers the entire Information Security Management System (ISMS) as you have defined its scope (clause 4.3 of the standard). This includes, among other things, policies, risk management, security measures, and continuous improvement. For CyFun, the focus is more on concrete measures and the maturity level of your organisation.
Whatever framework you choose: clearly document what is in and out of scope. This prevents surprises and provides peace of mind during the audit.
2. Risk analysis: Demonstrate that you understand and monitor risks
ISO 27001 and CyFun audits rely heavily on risk thinking. The auditor does not expect a theoretical model but a realistic picture of what can go wrong in your organisation and how you deal with it.
Concretely, this means your organisation must be able to explain which risks are relevant to its operations, why some risks are prioritised, and how the chosen measures contribute to risk mitigation.
A risk analysis that is alive in the organisation, evolves with changes, and is used as a management tool weighs far more than a one-time exercise. A purely theoretical exercise created only for the audit is quickly exposed.
3. Make documentation workable and understandable
Policies and procedures are necessary but are not an end in themselves. During an audit, the focus is mainly on whether agreements are understandable and effectively applied. In other words: do they fit the daily reality of employees, and do they understand them?
Employees do not need to know every detail but should be able to explain in broad terms what is expected of them regarding information security.
Policies that no one reads or recognises increase risk rather than reduce it. Both for ISO 27001 and CyFun, a few documents are mandatory, but that number is smaller than many organisations think.
Fewer documents, clearly written and embraced by the organisation, build more confidence with the auditor than an overflowing folder rarely opened.
How do you ensure employees actually understand your policy?
The key lies in clear communication:
- Write policies in plain language, understandable for everyone in the organisation.
- Avoid unnecessary jargon and technical reasoning. Employees primarily focus on performing their own role.
- Emphasise concrete expectations: what must someone do, refrain from, or report? Also explain why, without going too deeply into technical aspects.
The simpler and more concrete your policy, the more likely it will actually be applied. And that is exactly what auditors are looking for.
4. Actively involve employees and management
As also mentioned in the video, an audit is not an IT-only affair. Employees play an important role in information security. They need to know which information is sensitive, how to handle it, and what is expected of them in case of incidents or deviations.
Management also plays a key role. Auditors explicitly check whether leaders take responsibility, provide direction, and make decisions based on risks. This does not mean management must know every detail inside out, but there must be demonstrable involvement, monitoring, and guidance.
When information security visibly forms part of meetings, decision-making, and priorities, it shows maturity. It gives auditors confidence that security is not a one-time exercise but an integral part of operations.
5. Conduct an internal audit and practice before it really counts
An internal audit or preparatory evaluation is one of the most underestimated yet valuable steps leading up to an external audit. It is a moment to critically examine your own operations without external pressure.
During an internal audit, you test whether agreements are followed, documentation matches practice, and responsibilities are clear. This reveals potential risks or errors while you still have time to address them.
It is important that the results of such an exercise do not end up in a drawer. Auditors look not only at the findings but especially at what is done with them. Are improvement actions documented? Is there follow-up? Are adjustments made where necessary?
Organisations that can demonstrate they evaluate and improve themselves show maturity. This often weighs more than a situation where “everything seems in order” but has never been tested.
An audit as a checkpoint, not a finish line
An ISO 27001 or CyFun audit is not the finish line but rather a snapshot within a continuous path toward better digital resilience.
Those who approach audits as a management tool gain more than just a positive report. It leads to better decisions, more trust from clients, and a stronger foundation for future obligations, such as NIS2. That positive report is an added bonus.
Need support in your preparation?
Every organisation is different. What works for one may be too heavy or too light for another.
Are you facing an audit or want to know how audit-ready your organisation is today?
Cingulum supports organisations, large and small, in building audit-ready information security, tailored to their reality.
Curious how we can support you? Feel free to contact us.