Most ISMS implementations produce frameworks. Few produce evidence. The distinction matters — and auditors know it the moment they open your documentation package.
An ISO 27001 program can look complete on paper: a policy for every clause, a Statement of Applicability covering every control, an annual review cycle on the calendar. None of that tells an auditor what they actually need to know, which is whether the organisation does what its documents say it does, and whether it can prove that on the specific day being audited.
The gap shows up in a predictable place: the auditor asks for evidence of a specific control operating over a specific period, and the organisation produces a policy document instead of the artifact that proves the control ran. A policy says access reviews happen quarterly. Evidence is the signed access review from Q2, with the names of who reviewed what and what changed as a result. Auditors do not accept the first as a substitute for the second, and organisations that conflate the two lose time, credibility, and sometimes certification scope.
Closing that gap requires treating the control narrative and the evidence trail as two different deliverables that have to stay synchronized. The policy states intent. The Statement of Applicability states scope. The evidence — logs, tickets, signed reviews, change records — proves execution. A mature ISMS documentation architecture makes the link between these three explicit: every control maps to a named evidence artifact, a named owner, and a named collection cadence.
An auditor opening a well-built evidence package should be able to trace a single control from policy statement to the specific log entry that proves it ran — without anyone in the room explaining where to look.
This is where most ISMS programs actually break down — not in writing the policies, but in maintaining the traceability between policy, control, and evidence as the organisation changes. A new system gets deployed without its controls mapped. A control owner leaves and the evidence collection quietly stops. Traceability has to be a living structure, reviewed as part of change management, not a one-time mapping exercise done for the initial certification audit.
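One way to keep that traceability checkable is to hold the control-to-evidence mapping as data and test it for any given audit day. The sketch below is an added example, not part of the original article; the control IDs, owners, artifact names, dates and field names are constructed placeholders, and the in-scope set stands in for the Statement of Applicability.

```python
from datetime import date, timedelta

# Constructed sample register: every value here is an illustrative placeholder.
REGISTER = [
    {"control": "CTRL-01", "policy": "Access Control Policy s.4",
     "artifact": "signed quarterly access review", "owner": "it-ops-lead",
     "cadence_days": 92, "last_collected": date(2024, 6, 28)},
    {"control": "CTRL-02", "policy": "Change Management Policy s.2",
     "artifact": "approved change tickets", "owner": None,  # owner left
     "cadence_days": 30, "last_collected": date(2024, 6, 20)},
    {"control": "CTRL-03", "policy": "Backup Policy s.3",
     "artifact": "backup restore test record", "owner": "infra-lead",
     "cadence_days": 30, "last_collected": date(2024, 4, 2)},
]
# Controls declared in scope (constructed); CTRL-04 was never mapped.
APPLICABLE = {"CTRL-01", "CTRL-02", "CTRL-03", "CTRL-04"}


def traceability_gaps(register, applicable, audit_day):
    """Return (control, problem) pairs that would surface on audit_day."""
    gaps = []
    mapped = {row["control"] for row in register}
    # In-scope controls with no evidence mapping at all.
    for control in sorted(applicable - mapped):
        gaps.append((control, "in scope but no evidence artifact mapped"))
    for row in register:
        cid = row["control"]
        # Each control needs a named owner and a named artifact.
        for field in ("owner", "artifact"):
            if not row.get(field):
                gaps.append((cid, f"no named {field}"))
        last = row.get("last_collected")
        if last is None:
            gaps.append((cid, "evidence never collected"))
            continue
        # Evidence is stale once the collection cadence has lapsed.
        due = last + timedelta(days=row["cadence_days"])
        if audit_day > due:
            gaps.append((cid, f"evidence overdue since {due.isoformat()}"))
    return gaps


if __name__ == "__main__":
    for control, problem in traceability_gaps(REGISTER, APPLICABLE, date(2024, 7, 15)):
        print(f"{control}: {problem}")
```

Running the same check as a step in change management catches the two failure modes described above, an unmapped new control and a lapsed collection, before an auditor does.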
Certification readiness and audit-evidence readiness are not the same thing. The first requires policies that satisfy every clause. The second requires a documentation architecture that can produce, for any control on any day, the specific artifact proving it operated as written.