In January 2025, Cyberday underwent an ISO 27001:2022 surveillance audit. Our company has had the ISO 27001 certification since 2021. For ISO 27001, certification is valid for three years, and a surveillance audit is to be done yearly. As we were recertified in 2024, this was our 1st surveillance audit on this 3-year certification period.
In addition to the re-certification and surveillance audits, organizations should conduct an internal audit at least once a year.
To conduct the audit, the auditor asked us to arrange two separate employee interviews: a new employee interview and a role-based interview. I was invited to take part in the new employee interview, and now I want to take you there with me. 🚀
In this blog, we will talk about the importance of employee participation in the audit interview process, why auditors value employee insights, and look into possible questions asked in an ISO 27001 interview.

If you'd like to know more about the whole overarching process, check out our blog about the ISO 27001 certification process.
The importance of employee participation in security audits
Audits, particularly the ISO 27001, rely quite strongly on the active involvement of employees. They are the foundation of an organization's Information Security Management System (ISMS) and their involvement in audits promotes transparency and deepens their understanding of the company's security policies and procedures.
In this article we focus on employee involvement in audit interviews, but there are many other ways an organisation can involve employees, such as:
- Actively engaging employees in the preparation process to build and develop a proactive information security culture.
- Offering training sessions and workshops related to the framework: this way employees can better understand their roles in maintaining compliance and are more likely to ask questions to clarify any uncertainties.
- Before the audit, employees should ensure that all documentation related to their own work is up-to-date and accurately reflects the security practices they follow.
- Encourage employees to provide feedback on the ISMS and the audit process. Employee insights can be valuable for identifying possible improvements.
Audits are not just about completing requirements; they are made for continuous improvement. Employee engagement in these processes helps identify potential gaps in security that might otherwise go unnoticed. Empowering employees to give feedback on practical improvements and adjustments based on their hands-on experience contributes to a more effective ISMS and fosters a proactive information security culture.
Why do auditors conduct employee interviews?
New employees may be involved in the audit process through interviews or by providing documentation.
Employee interviews are an important part of an ISO 27001 audit, as they provide auditors with firsthand insight into how information security policies are applied and let them verify whether procedures are actually implemented in practice. Auditors assess whether employees understand their given roles and responsibilities in maintaining the organization's information security posture.
Through interviews, auditors can evaluate the effectiveness of the training programs and awareness initiatives that the organization has put in place. This helps identify any gaps in knowledge or areas where further training might be necessary, ensuring that all staff are adequately prepared to handle information security challenges. Employee interviews also offer a unique opportunity to uncover any discrepancies between documented procedures and actual practices. Employees can provide practical feedback on the usability and relevance of security controls, which can lead to improvements in the organization's information security management system.
Possible ISO 27001 audit interview questions
Next, let's look into what could be part of the information security audit interview questions. These questions can be categorized by role and topic. During the interview, the auditor aims to find out whether the employees have true awareness of the organization's information security policies and of their roles and responsibilities towards security measures, and whether their daily work tasks align with the framework, in this case with the ISO 27001 controls.
General interview questions can be relevant in all audit interviews:

These are just examples of the ISO 27001 audit interview themes. It is important that the employee is aware of and follows best security practices in the working routine.
Role based audit interview
Especially in a role-based interview, questions can be selected according to your professional role. This way, the interview can provide insight into how you manage information security from the perspective of your specific role. Here are a few role-based question themes:
IT team:
- Questions can focus on technical controls and security measures. For example: What security measures are in place to prevent unauthorized access to IT systems? How often do you apply security patches and updates?
HR (Human Resources):
- HR can receive questions assessing security in hiring, training, and employee offboarding. For example: What security checks are conducted for new hires? How do you ensure new employees receive security training?
Finance & Purchasing teams:
- Questions can focus on transactions, financial security and vendor management, depending on the role. For example: How do you ensure that financial transactions are secure? How do you assess the security of third-party vendors before working with them?
Department Heads:
- This management level will answer questions based on data protection, risk management, and policy enforcement. For example: How do you ensure that employees in your department follow security policies, e.g. clean desk policy?
Sales team:
- Sales team members handle customer data, contracts, and sensitive business information, making them a key focus for an ISO 27001 audit. Auditors will check how well they protect client information, follow security policies, and prevent data breaches. For example: Where do you store customer contracts and sensitive information? How do you ensure that customer data in the CRM is not misused or leaked?
Role-based interviews can verify that employees are consistently implementing security measures within their job responsibilities. These interviews are crucial for assessing specific security controls and identifying potential risks. They also help auditors determine whether the organization's training and awareness programs have effectively fostered in-depth knowledge of security in daily operations.
New employee audit interview
New employee audit interview questions concentrate on topics such as the onboarding process, security awareness training, and policy communication. With these questions, the auditor wants to ensure that security is taken into account from day one and that new hires understand their responsibilities. Compared to a role-based interview, the new employee interview focuses on the basic organizational processes, especially in the early stages:
- Assessing how well the onboarding process covers security awareness: Could you describe your recruitment process/ your first days on the job?
- General information security awareness: Have you received any security training after joining the organization? How soon after joining, and in what form, was the training conducted? Where can you find the company's information security policies? How do you stay updated on company security policies?
- Access control & Physical and Remote work: How do you request access to company systems or software? Are you allowed to use personal devices for work? How do you secure your workstation when stepping away from your desk?
- Questions can also test your information security knowledge so far, to check the effectiveness of the onboarding security training: What would you do if you received a suspicious email asking for your login credentials? What should you do if your company laptop or phone is lost or stolen?
Is there any way to prepare for the audit?
If you want to prepare for your upcoming interview, here are a few ways to help you.
- Re-read the guidelines: Make sure you have read and understood the guidelines provided by the organisation. Check also where you can find the relevant documents, e.g. the information security policy.
- Mock interview: Nervous about the interview? Gather common audit interview questions, and either ask a colleague for help or go through the questions by yourself.
- Imaginary cyber threats: As the interviewer might ask how you would act in the case of, e.g., a possible phishing attempt, or what you should do if you lose your phone or laptop, it's good to go over the best practices and instructions.

As long as the ISO 27001 measures are well established in your organisation, preparing for an audit will also be easier. In the interview situation, remember:
- You are not being tested. The interview is there to make sure your organization really does what it says it does.
- Remember to answer the auditor's questions honestly. If you don't know something, maybe you know who can help you with it?
- You can use real-life examples, and what's even better, you can show the applied security measures if possible.
- If you've gone through security trainings or know your organization is hosting any awareness programs, this is where you can mention those. These can highlight continuous improvement measures in the organization.
Key takeaways from my first audit interview
Before the audit, we went through a bit about the timetable for the audit days, as well as when each interview would take place. We went over the key themes of the audit and discussed the differences between the two interviews, checking that the participants felt comfortable about the interviews. We didn't really need to go into the specifics, as you could say that we work in the heart of Cyberday, and information security is pretty much a day-to-day matter for us.
As I was specifically interviewed from the new employee point of view, the interview started with me telling my role at Cyberday and how long I've now worked here. Then we started from the beginning. And when I say beginning, I mean from the recruiting process. From there we moved to onboarding and security training procedures, responsibilities, physical security and more detailed cases, for example what to do if I get phishing emails. I was also asked what I personally see as areas for improvement in my working environment. Overall, the interview was more conversational, and the last bit of nervous feeling melted away pretty quickly when I realised that I could answer the questions without any problems.
If you are about to be interviewed during an audit, you may be nervous, especially if the interview situation is a little more unfamiliar. But if ISO 27001 measures are in place in your organisation, you have nothing to worry about. The key is to be truthful to the auditor; if you don't know or remember something, it's good to know where to find the information.