The ISO 27001 audit requires the use of a classic management tool, the Deming Cycle (also known as the Deming Wheel, the PDSA Cycle, and the PDCA Cycle), which has four continuously repeating phases: Plan (risk analysis), Do (risk mitigation), Check (internal audit), and Act (adjust controls).
Organizations can select controls during the “Do” phase from a pre-supplied list of best-practice controls, but they may skip controls on that list if they can provide sufficient justification for the exclusion. Organizations are also encouraged under ISO standards to add new controls to ensure that all risks are adequately managed. ISO 27001 audits also require organizations to identify and document a formal method of risk analysis.
ISO 27001 calls the IT security program the information security management system (ISMS). The ISMS must have certain standard features and roles, as defined in the standard. In general, ISO 27001 audits require more paperwork than any other audit. There is a strong emphasis on policy, procedures, and the creation of records related to the running of the ISMS.