External audit preparation is the difference between a calm, predictable certification and a fire drill. Whether the audit is for ISO 27001, SOC 2 or another framework, the outcome is largely decided before the auditor arrives, by how methodically you planned, collected evidence and rehearsed. This checklist lays out a phased approach, from first planning through evidence collection to the audit itself, so you keep the business running while the audit runs.
One thing to settle first: the strongest preparation for an external audit is a proper internal audit. If you have not run one, start with our guide to the ISO 27001 internal audit, then come back to this checklist for the certification stage.
Know which audit you are preparing for
Preparation differs slightly by audit type, so name yours before you plan. Certification audits (ISO 27001, ISO 27701, TISAX) end in a formal certificate issued by an accredited body. Attestation audits (SOC 1, SOC 2, SOC 3) end in a report that gives assurance to stakeholders, often demanded by North American customers. Regulatory assessments (GDPR, NIS2 and sector-specific reviews) check compliance with the law and increasingly run with the rigour of a formal audit. The steps below apply to all three; the evidence and the assessing body change.
Phase 1: Plan (8–12 weeks out)
Good outcomes start well before the audit. Begin roughly 8 to 12 weeks ahead with four moves:
- Define scope and objectives. Fix which standards apply, which systems, processes and locations are in scope, what a successful outcome looks like, and confirm all of it with your auditor. Unclear scope is the leading cause of surprise findings.
- Assemble the team. Name an audit coordinator, an executive sponsor, subject-matter experts, evidence collectors and remediation owners, so both the technical knowledge and the authority to fix things are in the room.
- Run a pre-audit gap assessment. This is where your internal audit does the work: review previous findings, test controls, check that documentation is current, and prioritise the gaps to close.
- Build a timeline and communication plan. Set milestones and deadlines, decide who needs what information when, and schedule regular checkpoints.
Phase 2: Collect evidence (4–8 weeks out)
Evidence collection is the most resource-intensive part of preparation, so treat it as a structured process rather than a hunt. Start about 4 to 8 weeks out:
- Inventory the evidence. Map each requirement to the evidence it needs, set quality criteria, and build a traceability matrix linking evidence to controls.
- Collect it systematically. Assign owners and deadlines, standardise formats for common items, and track completion so nothing is missing on the day.
- Centralise it. Keep everything in one repository with sensible access controls, consistent file naming and version control, organised by control domain.
- Validate quality and completeness. Review the evidence with the same rigour the auditor will, and close any gaps before the auditor sees them.
This is also where continuous, automated evidence collection pays off most: if evidence is gathered in the background year-round, this phase becomes a review rather than a rebuild.
Phase 3: Get ready and run the audit (1–4 weeks out)
With evidence in place, the final weeks are about people and logistics:
- Prepare the people. Brief everyone who will speak with the auditor on scope and process, and rehearse answers to likely questions.
- Sort the logistics. Book rooms, arrange system access, build the audit schedule, and share contacts. Logistical chaos reads as control chaos, even when the controls are sound.
- Do a final readiness review. Confirm evidence is complete, gaps are closed, and demonstration environments work.
- Manage the audit live. Keep one coordinator running it, track evidence requests, and debrief daily to catch and fix issues as they surface.
Phase 4: After the audit
The work does not stop when the auditor leaves. Address findings by fixing root causes, not just symptoms, with named owners and deadlines, and keep evidence of the fixes. Then run a short lessons-learned review so the next audit is easier, and update your audit playbook with what you changed. Treating each audit as input to the next is how the cycle gets lighter over time.
From a scramble to a background process
Every step above can be done manually, but the teams that find audits painless have stopped doing it by hand. Continuous evidence collection connects to source systems and gathers proof year-round; automated control monitoring validates controls in real time and flags failures as they happen; and an integrated platform maps one control set across frameworks so a single audit serves several certifications. That is the shift from treating audits as periodic emergencies to treating them as routine confirmation that the programme already works.
Frequently asked questions
How far in advance should you prepare for an external audit?
Begin roughly 8 to 12 weeks out for planning and the gap assessment, 4 to 8 weeks out for evidence collection, and use the final 1 to 4 weeks for readiness and logistics. Continuous evidence collection shortens all of this.
What is the most common cause of audit findings?
Unclear scope and missing or hard-to-trace evidence, rather than absent controls. Many organisations have the controls but cannot readily prove them, which a pre-audit gap assessment catches.
Do I need an internal audit before an external audit?
For ISO 27001, yes: clause 9.2 requires it, and it is your best rehearsal. See the ISO 27001 internal audit guide for how to run one.
See how Kertos turns external audit preparation into a background process with continuous evidence and automated monitoring: book a demo.







