Your ISO 27001 certification audit is scheduled for next week. The policies are written. The risk treatment plan is documented. The Statement of Applicability is up to date. But when you look at the training evidence folder, you see a collection of sign-off sheets, LMS completion dates, and a spreadsheet that says "100% acknowledged."
Then you read what the auditor will actually check: Clause 7.2 (Competence) requires evidence that people performing work affecting information security have the necessary competence. Clause 7.3 (Awareness) requires evidence that all personnel are aware of the information security policy, their contribution to the ISMS, and the implications of not conforming.
Your sign-off sheets prove distribution. The auditor wants evidence of competence and awareness. You have one day to close the gap.
This guide walks through what ISO 27001 auditors request for policy-related controls, what evidence satisfies them, and how to generate that evidence quickly.
What the Auditor Will Do on Audit Day
ISO 27001 auditors do not review every control in a single session. They pick a few controls and trace them end-to-end: policy intent, implementation, execution records, and corrective actions. For training and awareness, the audit typically follows this pattern:
Step 1: Request the policy. The auditor asks to see the information security policy. They check whether it is current, approved by management, and accessible to personnel.
Step 2: Request the distribution evidence. How was the policy communicated? Through what channels? Is there a record of who received it?
Step 3: Request the acknowledgement evidence. Did employees confirm they received and read the policy? When? What version?
Step 4: Interview staff. This is where most organizations fail. Experienced auditors ignore the CISO and walk up to the receptionist or a junior employee. They ask: "What are your responsibilities for information security?" If the answer is "I don't know, ask IT" - that is a non-conformity.
Step 5: Check the training records. The auditor looks for a signed record showing what was taught, who taught it, and how the learner demonstrated their new skill.
The gap between Step 3 (acknowledgement) and Step 4 (interviews) is where checkbox evidence falls apart. An employee can acknowledge a policy without reading it - and the interview reveals whether they actually understood it.
Confusing Clause 7.2 (Competence) with Clause 7.3 (Awareness) is a guaranteed non-conformity. Competence is role-specific: can this person do their job securely? Awareness is universal: does everyone understand the ISMS, the policy, and their role in it? The auditor checks both - and they require different evidence for each.
The Evidence Auditors Actually Request
Based on ISO 27001 audit checklists and auditor guidance, here is what you need to produce for the training and awareness controls:
For Clause 7.2 (Competence)
| Evidence Item | What It Proves | Where to Find It |
|---|---|---|
| Competency matrix per role | Required competencies are defined | HR/security team documentation |
| Training records per person | Training was delivered | LMS, training folders |
| Certificates or completion evidence | Training was completed | LMS exports, certificates |
| Evidence of effectiveness assessment | Training "stuck" | Quiz results, practical assessments, reading analytics |
| Records of corrective action | Gaps were identified and addressed | Training remediation records |
For Clause 7.3 (Awareness)
| Evidence Item | What It Proves | Where to Find It |
|---|---|---|
| Policy distribution records | Policy was communicated | Email logs, intranet postings, document sharing records |
| Acknowledgement records | Personnel confirmed receipt | Sign-off forms, LMS completion, digital acknowledgement |
| Evidence of ongoing awareness | Awareness is maintained over time | Regular communications, updated training, reading analytics |
| Version-specific records | Current policy version was acknowledged | Version-tracked acknowledgement system |
The Common Gaps
Frequent audit findings include training records that show completion but do not correspond to the competencies the person's role actually requires, corrective actions that are recorded but never tracked to closure, and evidence that policies exist but cannot be shown to be applied in daily operations.
The last point is critical. Auditors check whether policies exist only on paper or are actually applied in daily operations, using interviews, observations, and examination of logs. A policy that exists in the document management system but that employees cannot describe during interviews is a policy that has not been effectively communicated.
The One-Day Evidence Plan
You have one day before the audit. Your policies are written. Your LMS shows completions. What you lack is engagement evidence that connects specific employees to specific policies with proof they read the content. Here is how to generate it.
Hour 1-2: Identify the Critical Policies
Not every policy needs reading analytics. Focus on the ones auditors most frequently examine:
- Information Security Policy (the overarching ISMS policy - audited in every assessment)
- Acceptable Use Policy (staff interviews will reference this)
- Access Control Policy (auditors trace access grants back to policy awareness)
- Incident Response Plan (auditors ask staff "what do you do if you suspect a breach?")
- Data Classification Policy (auditors test whether staff know classification levels)
These five policies cover the controls most likely to be sampled. If your organization has specific risk areas - remote work, BYOD, third-party access - add those policies to the list.
Hour 2-4: Distribute Tracked Links
Upload each critical policy document to a document sharing platform with reading analytics. Generate tracked links - one per department or one per individual, depending on your organization's size.
Distribute the links through your normal channel: email, Slack, the company intranet. The message is straightforward: "In preparation for our ISO 27001 audit, please review these policies. Click the link to read each document."
This is not unusual. Organizations routinely redistribute policies before audits. The difference is that this time, you are capturing reading data - not just sending attachments.
Hour 4-6: Monitor Completion
Watch the analytics dashboard as employees open and read the policies. Track:
- Who has opened each policy
- How long they spent reading
- Whether they viewed all pages
- Who has not yet opened the documents
Send targeted reminders to employees who have not yet opened the links. Focus on the departments most likely to be sampled in interviews - IT, HR, operations.
Hour 6-8: Generate Reports
Export a compliance report for each policy showing:
- Employee name, department, role
- Date and time of reading
- Pages viewed, time per page, completion percentage
- Whether the current policy version was read
This report becomes your Clause 7.3 evidence: proof that personnel were aware of the information security policy, with engagement data showing they read the content - not just acknowledged a prompt.
For Clause 7.2, pair the reading report with existing competency records (role descriptions, training certificates, practical assessments). The reading analytics strengthen the competency evidence by showing that role-specific personnel engaged with role-relevant policies.
One day is enough to generate reading evidence for the audit. But the long-term approach is to capture this data continuously - distributing policies through tracked links as standard practice rather than as audit preparation. Organizations that do this year-round face every audit with evidence already collected.
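As an added illustration of the Hour 6-8 reporting step (this is example code written for this guide, not PaperLink's or any product's own export logic), the script below turns raw reading-analytics events into the per-policy evidence described above. The event format, field names, policy versions, roster and sample events are all constructed assumptions. It separates the four cases an auditor will probe: a full read of the current version, a partial read, a read of a superseded version, and no open at all, and it computes the acknowledgement-style count alongside so the gap between "acknowledged" and "read the current version" is visible in the same output.

```python
"""Build per-policy reading-evidence reports from reading-analytics events.

Added example for this guide, not vendor code. The event schema, policy
versions, roster and events below are constructed sample data.
"""
from dataclasses import dataclass, field

# Current approved version of each critical policy (assumed values).
CURRENT_VERSIONS = {
    "Information Security Policy": "4.2",
    "Acceptable Use Policy": "2.0",
}

# Everyone in scope for Clause 7.3, employee -> department (constructed sample).
ROSTER = {"alice": "IT", "bob": "Finance", "carol": "Reception", "dave": "IT"}

# One record per document open, as an analytics export might emit it (constructed).
READING_EVENTS = [
    {"employee": "alice", "policy": "Information Security Policy", "version": "4.2",
     "pages_viewed": 14, "total_pages": 14, "seconds": 700},
    {"employee": "bob", "policy": "Information Security Policy", "version": "4.1",
     "pages_viewed": 14, "total_pages": 14, "seconds": 640},   # superseded version
    {"employee": "carol", "policy": "Information Security Policy", "version": "4.2",
     "pages_viewed": 3, "total_pages": 14, "seconds": 90},     # opened, did not finish
    {"employee": "alice", "policy": "Acceptable Use Policy", "version": "2.0",
     "pages_viewed": 6, "total_pages": 6, "seconds": 400},
    {"employee": "dave", "policy": "Acceptable Use Policy", "version": "2.0",
     "pages_viewed": 6, "total_pages": 6, "seconds": 380},
]


@dataclass
class PolicyReport:
    policy: str
    current_version: str
    complete: dict = field(default_factory=dict)    # employee -> seconds spent on a full read
    partial: dict = field(default_factory=dict)     # employee -> pages viewed (current version)
    stale: dict = field(default_factory=dict)       # employee -> old version they read instead
    not_opened: list = field(default_factory=list)  # employees with no event for this policy

    @property
    def completion_pct(self) -> float:
        return 100.0 * len(self.complete) / len(ROSTER)

    @property
    def avg_minutes(self) -> float:
        if not self.complete:
            return 0.0
        return sum(self.complete.values()) / len(self.complete) / 60


def build_report(policy, events=READING_EVENTS, roster=ROSTER, versions=CURRENT_VERSIONS):
    """Classify every roster member against the current version of one policy."""
    report = PolicyReport(policy, versions[policy])
    best = {}        # employee -> event with the most pages viewed on the current version
    stale_seen = {}  # employee -> superseded version they opened
    for ev in events:
        if ev["policy"] != policy or ev["employee"] not in roster:
            continue  # other policies and leavers are out of scope
        if ev["version"] != report.current_version:
            stale_seen[ev["employee"]] = ev["version"]
            continue
        prev = best.get(ev["employee"])
        if prev is None or ev["pages_viewed"] > prev["pages_viewed"]:
            best[ev["employee"]] = ev
    for emp in sorted(roster):
        ev = best.get(emp)
        if ev is not None and ev["pages_viewed"] >= ev["total_pages"]:
            report.complete[emp] = ev["seconds"]
        elif ev is not None:
            report.partial[emp] = ev["pages_viewed"]
        elif emp in stale_seen:
            report.stale[emp] = stale_seen[emp]
        else:
            report.not_opened.append(emp)
    return report


def acknowledgement_count(policy, events=READING_EVENTS, roster=ROSTER) -> int:
    """The weak-evidence number: anyone who opened any version, any number of pages."""
    return len({e["employee"] for e in events
                if e["policy"] == policy and e["employee"] in roster})


def format_report(report: PolicyReport, roster=ROSTER) -> str:
    """Render the report as the lines you would hand to the auditor."""
    lines = [f"{report.policy} v{report.current_version}: "
             f"{len(report.complete)}/{len(roster)} full reads "
             f"({report.completion_pct:.0f}%), avg {report.avg_minutes:.1f} min"]
    for emp, ver in sorted(report.stale.items()):
        lines.append(f"  STALE      {emp} ({roster[emp]}): read v{ver}, not v{report.current_version}")
    for emp, pages in sorted(report.partial.items()):
        lines.append(f"  PARTIAL    {emp} ({roster[emp]}): {pages} pages viewed")
    for emp in report.not_opened:
        lines.append(f"  NOT OPENED {emp} ({roster[emp]})")
    return "\n".join(lines)


if __name__ == "__main__":
    for name in CURRENT_VERSIONS:
        print(format_report(build_report(name)))
        print(f"  (an acknowledgement-style count would claim {acknowledgement_count(name)})")
```

On the sample data the Information Security Policy shows one full read of v4.2 out of four staff, while the acknowledgement-style count reports three: bob read the superseded v4.1 and carol opened three of fourteen pages. The STALE, PARTIAL and NOT OPENED lines are the follow-up list for the targeted reminders in Hour 4-6, and keeping the current version in the report header is what makes it version-specific evidence.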
What Good vs. Weak Evidence Looks Like
When the auditor sits down and requests training evidence for Clause 7.3, the quality of your response determines whether you get a conformity or a non-conformity:
Weak evidence (common, often questioned):
"Here is a spreadsheet showing all 150 employees acknowledged the Information Security Policy on January 15. See the 'Acknowledged' column."
The auditor's follow-up: "How do you know they read it? What specifically did they acknowledge? Did they read the current version?"
Strong evidence (less common, rarely questioned):
"Here is a per-employee reading report. 142 of 150 employees opened and read the Information Security Policy v4.2. Average reading time was 11 minutes across 14 pages. 8 employees have not yet opened the document - here are their names and our follow-up plan. Here is the version-specific record showing this is the current approved version."
The auditor's follow-up: they move on to the next control. The evidence answers the question before it is asked.
The Five Policies and What Auditors Check for Each
| Policy | Auditor's Question | Weak Answer | Strong Answer |
|---|---|---|---|
| Information Security Policy | "How do you ensure staff are aware of this policy?" | "We email it annually and collect signatures" | "Per-employee reading report: 95% completion, avg 11 min, version 4.2" |
| Acceptable Use Policy | "Would a new employee know what's acceptable use of company systems?" | "It's in the onboarding pack" | "New hire reading data: completed within 3 days, all pages, 7 min avg" |
| Access Control Policy | "Does the person granting access understand the policy?" | "They completed the LMS module" | "IT team reading record: all 8 members read v3.1, Section 4 (approvals) revisited by 5" |
| Incident Response Plan | "What happens when your receptionist spots something suspicious?" | "They'd escalate to IT" | "All-staff reading report + per-page data showing Section 2 (reporting) viewed by 96% of staff" |
| Data Classification | "Does your developer know what 'Confidential' means here?" | "It's in the training" | "Engineering team reading analytics: classification policy completion 100%, avg 9 min" |
After the Audit: Building Continuous Evidence
One-day preparation works. But it creates a pattern the auditor will notice in surveillance audits: evidence concentrated around audit dates, with gaps in between.
The sustainable approach:
Distribute all policies through tracked links as standard practice. When a policy is approved or updated, the tracked link goes to affected employees immediately - not as audit preparation but as normal distribution.
Capture reading data year-round. The analytics accumulate continuously. When the auditor requests evidence, you export the full period - not a last-minute sprint.
Use version-specific links. When a policy updates, a new tracked link goes out. The system shows who read the previous version and who read the update. No manual tracking required.
Set automated reminders. Employees who have not read a distributed policy within the expected timeframe receive a reminder. The compliance team follows up with persistent gaps rather than discovering them before the audit.
The result: every surveillance audit, every recertification, every internal audit finds reading evidence already waiting in the system. Preparation time drops from one frantic day to a five-minute export.
The Receptionist Test
Remember: the auditor will walk up to a random employee and ask about their information security responsibilities. This is the moment that separates organizations with genuine awareness from those with checkbox compliance.
Reading analytics do not guarantee the employee remembers the policy during the interview. But an employee who spent 11 minutes reading the Information Security Policy last week is more likely to articulate their responsibilities than one who clicked "acknowledge" six months ago without opening the document.
The reading data also gives you a targeted preparation list. If the analytics show that three employees in the finance team never opened the data classification policy, you know who needs a five-minute conversation before the auditor arrives.
Evidence plus preparation equals a clean audit. The reading data provides both.
PaperLink tracks page-by-page viewing analytics for shared documents - including time per page, completion percentage, and tab visibility detection. Generate ISO 27001 policy reading evidence reports in minutes for Clause 7.2 and 7.3. Try it free.