Common issues include unclear ISMS scope, inconsistent risk methodology, weak justification of Annex A controls, and insufficient evidence of management review or internal audit activities.