Common ISO 27001 Audit Artefacts: Observations on SME Preparations

[Image: SME team members reviewing ISO 27001 audit artefacts, including logs, training records, and management review notes, showing a practical, traceable approach to ISMS evidence collection.]

For SMEs and startups, ISO 27001 audits may feel overwhelming. Auditors generally look for evidence that controls, policies, and processes are being followed, rather than expecting perfection.

This guide provides examples of logs, records, and meeting artefacts that may be useful for demonstrating implementation of ISO/IEC 27001:2022 controls. Lean teams can use it as a reference for organising and maintaining relevant compliance artefacts in a practical way.

Why Evidence Matters

ISO 27001 certification typically focuses on having traceable records that show how risks were assessed, controls were applied, and policies were followed over time. During audits, reviewers commonly rely on sampled records rather than reviewing every document, so consistency and clarity often matter more than volume.

Tip: Think in terms of artefacts – the actual files, logs, registers, or meeting records that may help illustrate how controls are operating in practice.

The "Big Three" of ISO 27001 Evidence

Organising evidence around the ISO/IEC 27001:2022 control groups can help demonstrate that an ISMS reflects the current structure of the standard. The examples below focus on common evidence attributes such as ownership, frequency, and typical retention considerations, alongside relevant clause references.

1. Technological Proof (The Logs)

Auditors may review technical records that could indicate how security controls are monitored and maintained over time.

Common artefacts in this category may include:

  • Access and security logs (e.g. access records, MFA status, firewall or endpoint alerts), typically managed by IT or security functions and reviewed on an ongoing basis, with retention periods aligned to organisational policy, risk context, and applicable legal and statutory requirements (such as data privacy laws).
  • Vulnerability scan reports and cloud configuration snapshots (for example, AWS or Azure), generated on a recurring basis and retained for a defined period to support trend review.
  • Change management records, such as tickets or approvals documenting system or configuration changes, retained in line with internal change control practices.

Relevant ISO 27001 references: Annex A.8 (Technological controls), including Control 8.9 (Configuration Management)

Tip: During audits, reviewers commonly rely on sampling. Providing a small set of representative logs or reports may help reviewers navigate examples without reviewing large volumes of raw data.

2. People and Organisational Proof (The Records)

Audits may explore whether people-related and organisational processes are defined, communicated, and applied consistently over time. Records in this category often help illustrate how responsibilities, awareness, and oversight are managed in practice.

Common artefacts in this category may include:

  • Training records and role-specific learning evidence, such as attendance logs or certificates, which may illustrate that individuals have received training relevant to their responsibilities. These records are typically maintained by HR or security functions and retained in line with internal policy.
  • Disciplinary or corrective action records, where applicable, may provide examples of how organisations address policy breaches or behavioural issues.
  • External interest group participation, such as memberships or briefings, which may support organisational awareness of emerging security topics and good practice (see Annex A.5.6, Contact with special interest groups).
  • Supplier and third-party assessments, including risk reviews, contract checks, periodic reassessments, or termination records, supporting oversight of externally provided services.
  • Legal and regulatory register, listing applicable statutory, regulatory, or contractual requirements (for example data privacy or sector-specific regulations) alongside references to how compliance is tracked or evidenced.

Relevant ISO 27001 references: Clause 7.2 (Competence); Annex A Organisational and People controls including A.5.2 (Roles), A.5.6 (Special Interest Groups), A.5.19 (Supplier Relationships), A.5.31 (Legal and Regulatory), and A.6.3 (Awareness).

Tip: Where no incidents, breaches, or issues were identified during a period, brief “nil return” records (such as a monthly review note stating no findings) may help indicate that monitoring activities took place.

3. The Paper Trail (The Meetings)

Audits commonly explore how decisions, oversight, and periodic reviews are documented and revisited over time. Meeting records and review outputs often help illustrate how governance processes operate in practice.

Common artefacts in this category may include:

  • Internal audit reports, documenting how internal checks were planned, performed, and reviewed in advance of external assessments.
  • Management review minutes, capturing discussions on risk posture, control performance, and agreed actions.
  • Risk review and supplier review notes, linked to operational or sourcing decisions.
  • Non-conformity and corrective action logs, recording identified issues, follow-up actions, and improvement activities.

Typical ownership: Senior management, ISMS owner, or compliance lead

Frequency and retention consideration: Internal audits and management reviews are commonly conducted in line with Clause 9.2 and Clause 9.3, with records retained in accordance with organisational policy and risk context.

Tip: Including a short “Readme” file at the root of the evidence repository that maps documents to the Statement of Applicability (SoA) may help reviewers navigate the evidence set more efficiently.

Practical Tips for SMEs: Streamlining Evidence Review

The following practices are commonly used by SMEs to help reviewers understand how controls are monitored, linked, and improved over time. They focus on clarity, traceability, and ease of navigation rather than additional documentation volume.

1. Negative Evidence (“Nil Returns”)

Maintaining records of periods with no findings or incidents can help demonstrate that monitoring activities are ongoing and systematic, rather than ad hoc or reactive.

Illustrative Examples:

  • A brief monthly email or meeting note stating “No security incidents recorded this month.”
  • A simple log in a shared folder noting that no issues were identified during system checks or training exercises.

Tip: Keep records timestamped, signed or acknowledged if possible, and linked to relevant policies or monitoring activities to show traceable oversight.

2. Evidence Chain for Offboarding

While onboarding records are usually straightforward, offboarding activities often span multiple systems and records. Grouping related artefacts together can help show how the process was followed end-to-end.

Common offboarding artefacts may include:

  • Account revocation or access removal tickets
  • Records of returned physical assets (e.g. laptop, access badge)
  • Updates to the asset register or user inventory

Organising related artefacts together may help reviewers understand the lifecycle of a control across systems and teams.

3. Human-Centric Competence

Clause 7.2 (Competence) places emphasis on competence for specific roles, particularly where individuals perform security-relevant tasks.

Beyond CVs and training logs, organisations often track:

  • Role-specific training, such as cloud platform security briefings or reviews
  • Periodic refreshers for operational or privileged roles
  • Evidence of completed exercises or reviews aligned to assigned responsibilities

This type of evidence may illustrate that competence is maintained over time, beyond initial onboarding.

4. Continual Improvement

ISO 27001 places value on learning from issues and adjusting processes over time (Clause 10 (Improvement)).

Artefacts in this area may include:

  • Logged non-conformities
  • Corrective or follow-up actions
  • Notes on lessons learned or process improvements

Tip: A small number of documented and closed improvement actions may provide insight into how the ISMS evolves over time.

Examples of How Some Teams Organise Evidence

Many SMEs use simple, shared storage tools (such as Google Drive or SharePoint) to organise ISO 27001 evidence instead of dedicated GRC platforms. When structured clearly, these repositories can support review and navigation without adding unnecessary tooling overhead.

Common practices include:

  • Folder structure by control reference, such as Annex A control numbers (e.g. A.5 or A.8.9), to align evidence with the Statement of Applicability.
  • Clear ownership indicators, for example an “Owner” or “Responsible Role” line within documents, to show accountability.
  • Versioning and date markers, particularly for documents that evolve over time, such as risk assessments or the SoA.
  • Sampling notes or highlights, drawing attention to representative logs or records rather than large volumes of raw data.
  • Reviewer navigation aids, such as a short Readme file at the root of the repository that maps folders and documents to the Statement of Applicability.

Tip: Consistently structured and well-labelled evidence repositories are often treated as a “soft control,” helping reviewers understand how information is managed without relying on additional systems.
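As an added illustration of the control-reference folder layout described above and of the "nil return" practice from the earlier section (example code written for this page, not from the article or any particular tool), the following script checks an evidence repository for three gaps a reviewer would notice. The folder layout, the `Owner:` line and the `YYYY-MM` file-name prefix for nil-return notes are assumptions, and the list of applicable controls stands in for the SoA mapping kept in the Readme.

```python
"""Evidence-repository checker (added example, not the article's own code).
Walks a tree organised by Annex A control reference (e.g. A.8.9/) and reports
applicable controls with no artefact, artefacts lacking an "Owner:" line, and
months with no nil-return note. Layout, marker and prefix are assumptions."""
import re
import tempfile
from pathlib import Path

OWNER_RE = re.compile(r"^Owner:\s*\S", re.MULTILINE)   # assumed ownership marker
MONTH_RE = re.compile(r"^\d{4}-\d{2}")                  # assumed nil-return prefix


def check_evidence_repo(root: Path, applicable: list[str], months: list[str]) -> dict:
    """Return findings keyed by issue type; an empty dict means no gaps found."""
    findings: dict[str, list[str]] = {}
    for control in applicable:
        folder = root / control
        docs = sorted(folder.glob("*.md")) if folder.is_dir() else []
        if not docs:                       # SoA says applicable, but nothing filed
            findings.setdefault("missing_evidence", []).append(control)
        for doc in docs:                   # every artefact should name its owner
            if not OWNER_RE.search(doc.read_text()):
                findings.setdefault("no_owner", []).append(f"{control}/{doc.name}")
    nil_dir = root / "nil-returns"
    present = set()
    for path in (nil_dir.glob("*.md") if nil_dir.is_dir() else []):
        if m := MONTH_RE.match(path.name):
            present.add(m.group(0))
    gaps = [month for month in months if month not in present]
    if gaps:                               # a month without a note looks like no monitoring
        findings["nil_return_gaps"] = gaps
    return findings


def build_sample_repo() -> Path:
    """Constructed sample repository with one gap of each kind, for illustration."""
    root = Path(tempfile.mkdtemp())
    (root / "A.8.9").mkdir()
    (root / "A.8.9" / "2024-03-config-snapshot.md").write_text("Owner: IT Lead\nDate: 2024-03-31\n")
    (root / "A.5.19").mkdir()
    (root / "A.5.19" / "supplier-review.md").write_text("Date: 2024-02-10\n")  # owner missing
    (root / "nil-returns").mkdir()
    for month in ("2024-01", "2024-03"):   # February deliberately absent
        (root / "nil-returns" / f"{month}-incidents.md").write_text(
            "Owner: ISMS Owner\nNo security incidents recorded this month.\n")
    return root
```

Running `check_evidence_repo(build_sample_repo(), ["A.5.19", "A.6.3", "A.8.9"], ["2024-01", "2024-02", "2024-03"])` reports the three constructed gaps; an empty result means every applicable control has an owned artefact and every month has a note.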

Key SME-Specific Artefacts to Track

The following artefacts are commonly maintained by SMEs to help illustrate how information security controls are implemented and reviewed over time. The exact scope and depth of records typically vary based on size, risk profile, and operating model.

  1. Access and identity records – such as user creation and removal logs, MFA status, and periodic access reviews.
  2. Asset management and physical security records – including device inventories and visitor or entry logs where applicable.
  3. Supplier and vendor records – risk assessments, contract reviews, and periodic supplier evaluations.
  4. Incident management records – incident reports, triage workflows, and post-incident review notes.
  5. Training and awareness records – onboarding activities, refresher sessions, and awareness exercises (for example phishing simulations).
  6. Internal audit and management review outputs – audit plans, findings, review notes, and documented decisions.
  7. Statement of Applicability (SoA) – versioned copies showing how control applicability has been reviewed and updated over time.
  8. Legal and regulatory register – a list of relevant statutory or contractual requirements with references to related supporting records.
  9. Non-conformity and corrective action log – records of identified issues, follow-up actions, and improvement activities.

TL;DR – ISO 27001 Evidence at a Glance for SMEs

  • Logs: Technological records such as access activity, change records, and cloud configuration snapshots.
  • Records: Training and competence documentation, incident records, supplier reviews, and legal or regulatory registers.
  • Meetings: Outputs from internal audits, management reviews, risk discussions, and corrective action tracking.
  • Ownership and retention: Defined owners for key artefacts, with retention periods aligned to organisational policy and risk context.
  • Presentation: Clear folder structures, versioned documents, and highlighted samples to support review.
  • Negative evidence: Brief “nil” records for periods with no incidents or findings may provide insight into monitoring activities.

Taken together, this approach may help SMEs present evidence in a structured and understandable way that reflects how ISO/IEC 27001:2022 controls are commonly reviewed, even when using simple shared storage rather than dedicated compliance platforms. Results may vary depending on the organisation’s context and practices.

Next Step: Explore ISO 27001 template options to assess how they might help you organise policies, controls, and supporting artefacts more efficiently.

Next Article: In How ISO 27001 Is Commonly Used by SMEs in Enterprise Procurement and Vendor Security Assessments, we explore how SMEs can use ISO 27001 to support vendor due diligence, respond to security questionnaires, and streamline enterprise procurement reviews.


Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.

This article also mentions examples of commonly used tools. Chill Compliance does not endorse any vendor and has no commercial or affiliate relationship with the providers listed. These examples are for general information only, and readers may wish to evaluate each tool independently, as features and pricing can vary.