Audit as compass¶
The ISMS exists. It runs, it passes its audits, the certificate is on the wall. At this point the strategic question changes from “how do we build this” to “what next”, and the audit changes jobs with it. For an organisation still building, an audit is an inspection to be passed. For one that has built, it may be the most underused sensing instrument in the building: a periodic, structured, externally calibrated reading of where the system and reality have drifted apart.
Findings as sensing¶
A finding is a place where the organisation’s model of itself failed a check. Read as homework, it generates a task. Read as a signal, it generates a question: what did we believe about ourselves that this contradicts? The second reading is where the next steps live. A programme that only ever does the first reading will stay busy and learn nothing, closing the same class of finding in new costumes for years.
Three readings of a finding¶
The audit playbooks rehearse the pattern stage by stage; here is the executive version. A finding can be read at three depths. Correction fixes the surface: the stale contact list is updated. Corrective action fixes the cause: the process that let it go stale gets an owner. The third reading asks what the organisation believed that made the gap seem impossible, because that belief is still out there, quietly producing the next finding somewhere else. Many audit programmes price only the first two readings. The third is where audits start paying for themselves.
The loudest signals¶
Two kinds of finding deserve disproportionate executive attention. The recurring one: a nonconformity that returns after its corrective action was verified closed is not a fact about the finding, it is a fact about the organisation’s way of closing things, and it is usually the loudest line in the report. And the trivial ones, in aggregate: minor findings are individually boring and collectively a drift map. Five small documentation mismatches in one area rarely mean five careless people; more often they mean the process keeping that area’s model aligned with reality stopped working a while ago and nobody has said so yet.
Clustering by assumption¶
Audit reports arrive sorted by clause, which is the standard’s shape, not the organisation’s. Before turning a report into a plan, it is worth re-sorting the findings by the assumption they broke: everything that traces to “we believed the documentation tracked reality” in one pile, everything that traces to “we believed people would escalate” in another. Clause-sorted findings produce twenty tasks. Assumption-sorted findings produce two or three actual decisions, which is a quantity a leadership team can genuinely take.
The treadmill¶
The failure mode of audit-as-compass is audit-as-driver. It sets in quietly: finding closure becomes the security programme’s operating rhythm, the audit calendar becomes its planning calendar, and initiative drains out of the system because anything not raised by an auditor struggles to get funded. The tail wags the dog, politely, with excellent documentation. A simple diagnostic: if the security roadmap and the audit findings list are the same document, the compass has been promoted to captain.
Drift detection is a shared practice¶
Used well, this stops being an annual event. The same reading of small divergences, procedure versus practice, diagram versus deployment, belief versus behaviour, can run continuously in the hands of the people doing the work, with the formal audit as its calibration rather than its entirety. That is no longer really an audit programme; it is an organisation aware of its own drift, which is what resilience beyond the checklist looks like from the inside. The audit does not create that awareness. It checks, once a year, whether it exists.
Last updated: 8 July 2026