A security audit is not a one-time event or a last-minute test. It’s much more like training for a marathon. Not because of the day of the race, but because of everything that happens beforehand.
In a marathon, no one decides the day before that they are going to run 42 kilometres. You don’t train only in the last week, and you don’t rely on motivation to make up for everything. The body simply doesn’t work that way. Audits are exactly the same. However well you can explain things, and however convinced you are that “we already do this right”, if there has been no prior training it shows, and when the auditor arrives it shows.
That is why, in frameworks such as NIS2, ISO 27001 or ENS, and in regulatory audits generally, the outcome is not decided at the meeting with the auditor. It is decided in the months, and often years, beforehand, by how the organization works when no one is observing.
1. Auditing is not telling a story, it is demonstrating a reality.
A common mistake is to think that an audit consists of explaining what is being done. In reality, an audit does not validate speeches; it validates facts.
The auditor does not come to hear promises or good intentions. They come to verify that what is written is actually done, that what is done leaves a trace, and that the trace can be followed without effort. Documents, records and people have to tell the same story. When one of them does not fit, the whole system loses credibility.
So the problem is almost never a lack of controls, but the gap between what has been documented and what actually happens. When an organization works consistently, the evidence appears on its own. When it doesn’t, someone has to go looking for it in a hurry, and that always leaves traces.
2. Evidence is not born for the audit
There is something auditors detect very easily: evidence created “to comply”. Records that are all recent, documents that are perfect but have never been used, controls that left no trace until someone asked for one.
On the other hand, the least stressful audits are those in which the evidence exists before the auditor arrives, because it is part of the day-to-day. It is not stored in a special folder and does not depend on a specific person. It sits where it belongs, linked to real processes and generated continuously.
When that happens, the audit ceases to be a threat and becomes almost a confirmation. At this point, tools such as ithikios make a difference, not because they create artificial evidence, but because they help to organize it, relate it and make it visible when it is time to prove that the system works.
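As an added illustration of the difference between evidence that is generated continuously and evidence that appears only once the audit is scheduled (this is example code written for this page, not part of the original article and not part of ithikios or any other tool): the check below takes a list of evidence records per control, the cadence each control is supposed to run at, and the audit period, and flags controls whose records all fall in the last weeks before the audit or that show gaps much longer than the cadence. The control names, cadences, thresholds and dates are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    control: str
    reason: str


def check_evidence_continuity(
    records: list[tuple[str, date]],
    cadence_days: dict[str, int],
    period_start: date,
    audit_date: date,
    last_mile_days: int = 30,
    gap_tolerance: float = 2.0,
) -> list[Finding]:
    """Flag controls whose evidence does not look like day-to-day output.

    records: (control_id, date the record was produced) pairs.
    cadence_days: how often each control is expected to leave a record.
    A control is flagged when it has no evidence in the period, when every
    record was produced inside the last `last_mile_days` before the audit,
    or when two consecutive records (or a record and a period boundary)
    are more than `gap_tolerance` x cadence apart. Thresholds are assumptions.
    """
    by_control: dict[str, list[date]] = defaultdict(list)
    for control, produced in records:
        if period_start <= produced <= audit_date:
            by_control[control].append(produced)

    findings: list[Finding] = []
    last_mile_start = audit_date - timedelta(days=last_mile_days)
    for control, cadence in sorted(cadence_days.items()):
        dates = sorted(by_control.get(control, []))
        if not dates:
            findings.append(Finding(control, "no evidence in the audit period"))
            continue
        # Evidence "born for the audit": the earliest record is already inside the last-mile window.
        if dates[0] >= last_mile_start:
            findings.append(Finding(
                control,
                f"all {len(dates)} records produced in the {last_mile_days} days before the audit",
            ))
            continue
        # Continuity: walk from period start through each record to the audit date.
        max_gap = round(cadence * gap_tolerance)
        checkpoints = [period_start, *dates, audit_date]
        for earlier, later in zip(checkpoints, checkpoints[1:]):
            gap = (later - earlier).days
            if gap > max_gap:
                findings.append(Finding(
                    control,
                    f"{gap}-day gap between {earlier} and {later} (cadence {cadence} days)",
                ))
                break
    return findings


def sample_findings() -> list[Finding]:
    """Run the check over constructed sample data (not real audit records)."""
    period_start = date(2024, 1, 1)
    audit_date = date(2024, 12, 15)
    cadence = {
        "access-review": 30,        # monthly
        "log-review": 7,            # weekly
        "restore-test": 90,         # quarterly
        "awareness-training": 365,  # yearly
    }
    records: list[tuple[str, date]] = []
    # Month-end access reviews, January through November: continuous evidence.
    records += [("access-review", date(2024, m, 1) - timedelta(days=1)) for m in range(2, 13)]
    # A weekly log review that only left a trace once the audit was scheduled.
    records += [("log-review", date(2024, 12, d)) for d in (1, 5, 10)]
    # A quarterly restore test with a nine-month hole in the middle of the year.
    records += [("restore-test", date(2024, 2, 15)), ("restore-test", date(2024, 11, 20))]
    # Annual training delivered mid-year: one record is all the cadence requires.
    records += [("awareness-training", date(2024, 6, 1))]
    return check_evidence_continuity(records, cadence, period_start, audit_date)


if __name__ == "__main__":
    for finding in sample_findings():
        print(f"{finding.control}: {finding.reason}")
```

Run over the constructed data, only the log review and the restore test are flagged: the access reviews and the training leave records spread across the year at roughly the expected cadence, which is what "evidence that exists before the auditor arrives" looks like in practice.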
3. People are also part of the evidence
It is sometimes forgotten that an audit is not just about documents. It is also about people and the systems they have designed. Auditors ask questions, observe and listen. They are not looking for rote answers or learned phrases, but for consistency: that each person knows what applies to them, what they do and why they do it that way. That naturalness is not achieved with a last-minute briefing. It comes when security is integrated into the habitual way of working.
When documentation is created just to comply, people don’t recognize themselves in it. And in an informal conversation, that is perceived in seconds.
4. Auditing is not confrontation, it is collaboration.
Attitude during the audit matters more than is often believed. Auditors are not police officers or judges. They are professionals doing their job and, like anyone else, they react better when they are treated with respect, clarity and honesty.
Answering directly, not hiding problems and not wasting time on unnecessary explanations builds trust. And when there is trust, the audit flows better. There is even a legitimate space, often a very valuable one, in which the auditor can explain why something is not working or why a practice is sound. It is not consulting, but it is learning. And that only happens when the relationship is collaborative.
5. Choosing the right auditing partner is also part of the journey.
Preparing for an audit does not end within the organization. Choosing the right certifying body is also part of the process. Price is important, but it is not everything. The auditor’s experience, industry knowledge, language or flexibility can make the difference between an audit that adds value and one that just consumes energy.
A poor choice can be cheap on the invoice and very expensive in time, frustration and lost opportunities.
6. In the end, the audit is only a reflection of the previous work.
Passing a NIS2, ISO 27001 or ENS audit is not about gritting your teeth for a few weeks beforehand. It is the natural result of working well, consistently, over a long time. Like a marathon, it is not about running hard at the end, but about having trained enough to get there safely.
When the groundwork is done, the evidence exists, the people know what they are doing and the attitude is open, the audit ceases to be an examination. It becomes what it should be: the calm validation of a system that already works. And when the evidence is alive, ordered and connected, the road becomes much more bearable.
“Auditing doesn’t measure how you react when you’re being watched. It measures how you work when no one else does.”