Lead Auditor; ISO 9001, 27001, 22301, 42001

The audit certificate on the wall is only as good as the auditor who signed it. I've seen lead auditors spend 6 hours in a meeting room reviewing documents. Never walked the floor. Never spoke to an operator. Never tested a control. That's not an audit.

The Safety Culture Ladder assessment doesn't start when the auditor walks in. It starts in the car park. Is PPE worn without being told? Do workers greet the auditor or avoid eye contact? Does the site manager walk the floor or sit behind glass?

Your employees are not your biggest security risk. Your processes are. Phishing works because processes allow it: — No MFA — No clear escalation path — No culture of "when in doubt, ask" Stop blaming users for clicking. Start auditing the system that made clicking dangerous.

ISO 9001 · field story; I asked a quality manager to show me their corrective action register. Beautiful spreadsheet. 47 actions. Dates, owners, statuses. Then I asked: how many of these actually prevented a recurrence? Silence. A corrective action that doesn't address.

Three questions I ask every client before we start a Safety Culture Ladder trajectory: 1. What happens to someone who reports a near-miss? 2. When did leadership last visit the work floor uninvited? 3. Can an employee stop a job without asking permission first?

Contractors in construction and infrastructure are increasingly asked for both ISO 27001 and the Safety Culture Ladder. Tender requirement, not nice-to-have. Most organisations run these as two separate projects with two separate budgets.

Asked a site manager what happens when someone refuses to do a job because it feels unsafe. He said: "We thank them and figure out a different approach." Asked the same question at a different company last month. The answer was: "We find someone else who will."

Most companies climb the Safety Culture Ladder for the certificate. Level 3 looks great on a tender document. Level 3 feels safe in a board presentation. But level 3 means your people follow the rules when someone's watching. The ladder is a mirror.

ISO 27001 certification does not mean you are secure. It means you have a system for managing the risk of being insecure. I've audited certified companies with open RDP ports, shared admin passwords, and zero patch management. The certificate was real. The security was not.

Clause 6.1.2 of ISO 27001 trips up 80% of organizations. Asset-based risk assessment sounds simple. It isn't. Document your reasoning, not just your score The auditor wants to see thinking, not a spreadsheet.

Unpopular opinion: The audit report is the least important output of an audit. The conversation during the audit? That's where real change happens. I've seen 10-page reports ignored. I've seen one hallway conversation change a company's culture. Write less. Talk more.

ISO 27001 is not a cybersecurity certification. It's a management system for information security risk. The moment companies understand that distinction, their implementation improves by 60%. Stopped selling the certificate. Start managing the risk.

Most ISO 9001 audits find zero real problems. Not because companies are flawless. Because auditors are checking boxes. The standard asks *why* things work. Most auditors only ask *if* things work. Big difference.