90 days before an ISO 27001 audit: everyone is working, but no one really knows where
the company stands.
It’s not a problem of goodwill; it’s a problem of management.
“Where are we at?”
Monday morning meeting, 9am. The CIO asks a simple question:
- “In practical terms, what is the current status of ISO 27001?”
Around the table, the teams have clearly been working hard:
- the risks have been analysed… in several files;
- the procedures exist… in three different versions;
- the evidence is “somewhere”… in emails, a quality tool, shared folders.
Everyone has part of the answer, but no one has the full picture.
Tension is mounting: the audit is in three months, and the project feels more like a jigsaw puzzle without a reference image than a clearly defined path.
A lot of work, little oversight
If you dig a little deeper, you will find a common pattern:
- each team manages its own spreadsheets;
- the action plans are not aligned with each other;
- the evidence is not clearly linked to the requirements of the standard;
- management receives reassuring slides… which do not always reflect the reality on the ground.
Result: as the audit approaches, everything turns into a race to catch up: searching, reconnecting, revalidating.
Not because the company is really “behind”, but because nothing is, in fact, centralised or managed.
A single foundation for requirements, risks, actions, and evidence
This type of situation always points in the same direction:
- as long as requirements, risks, actions and evidence do not exist in a single repository, compliance remains fragile.
A robust system does not necessarily mean “more documentation”.
Above all, it means:
- a consolidated view: which requirements, which associated risks, which actions, which evidence;
- a simple overview for management: where we are strong, where we are exposed, where we need to invest;
- continuous audit preparation, done as you go along, rather than a last-minute rush.
From this point onwards, the audit is no longer a threat hanging over the company, but a step towards formalising an already established way of working.
The outstanding issue
In our story, the company ended up reviewing its management approach: centralisation, clarification, a clear trajectory.
But the real question is this one:
- If someone asks you tomorrow, “Where are we with our compliance?”, will you be able to answer in one page… or in ten files?
The answer is simple: you need a clear overview of your compliance status.
Key concept of the day
Maturity is not measured by the number of files, but by the ability to clearly answer a simple question:
- “What do we truly master, and where are we still vulnerable?”
If this question makes everyone uncomfortable in a meeting, it is not necessarily a bad sign:
- it is often the starting point for real groundwork.
And it is precisely at this point that players such as KP Consulting can bring method, a foundation for management… and a little serenity to the discussion.