Which method is NOT typically used by auditors to assess compliance?

Prepare for the PECB Certified ISO/IEC 27001 Lead Auditor Exam with our comprehensive quiz. Test your knowledge with multiple-choice questions and detailed explanations. Get exam-ready!

The method of guessing based on past audits is not typically used by auditors to assess compliance because it lacks a structured and systematic approach. Auditing, particularly in the context of ISO/IEC 27001 compliance, requires objective evidence and a thorough examination of current practices against established criteria. This includes collecting concrete data through various means such as interviews with staff to gather firsthand insights about procedures and practices, reviewing documents for compliance with policies and procedures, and conducting surveys to collect broader feedback or insights from multiple stakeholders.

Guessing does not rely on empirical evidence or current conditions, rendering it ineffective for an accurate compliance assessment. Auditors must follow established methodologies to ensure that their evaluations are valid, evidence-based, and capable of identifying areas of non-compliance or need for improvement. Proper assessment methods ensure a comprehensive understanding of the organization’s adherence to ISO/IEC 27001 requirements.
