ISO 27001 audit preparation is the disciplined rehearsal before stage 1 and stage 2 — aligning scope, SoA, evidence, and interviewees so external auditors find a coherent story, not last-minute scavenger hunts.
Stage 1 checks documentation readiness; stage 2 samples operation. Internal dry-runs using the same sampling logic as certification bodies surface gaps weeks earlier when fixes are cheaper.
What does this mean?
Preparation spans logistics (audit plan, room, schedules), evidence packs indexed by SoA, and briefing process owners on how to answer with ticket references — not speculation.
Auditors select risks and controls from SoA and prior findings. They interview, inspect records, and observe — consistency between interview, policy, and system state is scored.
Corrective actions from internal audit should be closed or honestly in progress with dates — open majors at stage 2 are risky.
Stage 1 output is a gap list — use it to prioritise before stage 2 booking.
Who is this for?
ISMS manager orchestrates; CISO sponsors; process owners attend interviews; legal/compliance for privacy questions; engineering for SDLC and cloud demos.
SMEs: small interview pool but must cover IAM, changes, vendors, incidents. Enterprises: coordinate multi-site evidence without contradictions.
What steps or requirements apply?
Confirm audit scope and dates with certification body. Refresh evidence index — nothing older than policy requires.
Internal audit or consultant dry-run with written findings. Close or plan corrections for gaps.
Brief leadership on management review evidence and risk acceptance records. Prepare scope/context changes since last review.
Day-before check: access for auditors, NDA if needed, evidence pack URLs working.
Common mistakes
Booking stage 2 before internal audit completes. Wrong people in interviews — cannot explain process. Evidence pack unordered.
Hiding known gaps — auditors discover anyway. Scope changes not communicated to certification body.
Over-coaching interviewees to parrot policy without knowing tickets — breaks credibility on follow-up questions.
Practical action plan
Timeline: internal audit T-8 weeks; corrective actions T-6; evidence pack T-3; stage 2 T-0. Link evidence, SoA, certification.
Run mock interview: 30 minutes per process owner with random SoA control. Fix weak answers with better artefacts, not scripts.
Post-audit: log findings, root cause, corrective action — surveillance will check closure.
Relationship with ISO 27001, NIS2, GDPR or ISMS
Audit prep validates ISMS for certification. NIS2 supervisors ask similar evidence themes — reuse packs where possible.
GDPR questions may appear in privacy processing interviews. Vendor samples common in stage 2.
Audit agenda mapped to interviewees — IAM lead, engineering lead, HR for onboarding — no single person pretending to know all.
Opening meeting script: scope, exclusions, site tours virtual or physical — reduces day-one confusion.
Non-conformity response template ready before audit — speeds corrective action submission if needed.
Communications plan: who tells staff auditors on site, confidentiality rules — professional impression matters.
Previous surveillance findings closure pack ready first day — auditors check recurrence before new samples.
Stage 1 gap tracker with ticket IDs — show closure before stage 2 booking.
Laptop and VPN access for remote auditors tested day before — technical delay wastes audit days you pay for.
Evidence pack index with hyperlinks verified — broken SharePoint links on day one erode confidence.
Escalation contact during audit for urgent control questions — CISO availability calendar blocked.
Interview do-nots briefing: no guessing ticket numbers — say you will follow up with evidence reference.
Mock interview with random SoA control per process owner — weak answers fixed with better artefacts, not memorised scripts.
Stage 1 gap list with owners and dates closed before stage 2 booking — certification body sees progress, not repeated documentation debate.
Prepare a one-page ISMS overview for auditors arriving cold — scope, key processes, org chart of ISMS roles, and evidence index location.
Virtual audit logistics: screen-share permissions, read-only demo accounts, and backup links if primary evidence repository is slow — technical friction burns paid audit hours.
Corrective action from last internal audit closed or explicitly carried with MT-approved extension — open majors at stage 2 invite deeper sampling.
Build an audit timetable backwards from stage 2 date: internal audit complete eight weeks out, corrective actions six weeks, evidence pack refresh three weeks, mock interviews two weeks. Certification bodies notice when evidence timestamps cluster in the final fortnight.
Process owner briefing card: scope sentence, three controls you own, where evidence lives, last review date, open tickets. Interviewees who narrate ticket numbers outperform those reciting policy titles from memory.
Stage 1 output is a living backlog — assign each documentation gap an owner and merge into the same board as engineering work. Auditors revisit stage 1 themes at stage 2 if still open.
Remote audit screen-share checklist tested with IT beforehand — read-only demo accounts, backup evidence links, and secondary presenter if primary process owner is unavailable.
Designate audit liaison with authority to fetch evidence owners during stage 2 — prevents day-two delays waiting for approvers.
Auditor walkthrough of ticketing system beats static PDF — show one incident or change record live if virtual audit allows.
Designate an audit liaison with authority to fetch evidence from process owners — scrambling during stage 2 when IAM admin is on leave creates avoidable minors.
Prepare interviewees with scope, their controls and recent examples — not scripted answers but clarity on tickets, dates and decisions they personally made.
Stage 1 pack: scope, context, SoA, risk methodology, internal audit report, management review minutes — completeness matters more than volume.
Stage 2 rehearsal: walk auditors’ likely samples — access review, change record, incident, supplier review, backup test — collect proof in one session.
Corrective action from internal audit must show closure evidence before external audit — open majors from your own audit are red flags for certification bodies.
Auditor walkthrough of ticketing beats static PDF — show ticket to deployment to log review chain live if systems allow.
Audit schedule shared with process owners two weeks ahead — surprise audits internally are fine; external audit needs people available with system access.
Minor non-conformities from stage 1 closed with evidence before stage 2 — open documentation gaps compound under operational sampling pressure.
Physical and logical access samples: pick recent joiners and leavers — HR timing mismatches with IAM deprovisioning are frequent major findings.
Conference room or virtual war room during stage 2 with evidence index owner, IAM admin and engineering lead on standby — reduces idle auditor time.
Opening meeting agenda shared: scope confirmation, sampling plan overview, interview schedule — sets professional tone and avoids ad-hoc scope challenges.
Pre-audit communication to all staff: auditor presence, interview possibility, no shared passwords — reduces social engineering confusion and interview no-shows.
Backup laptop with read-only evidence exports for onsite audit — network outages should not stop sampling.
Interview prep sheet per role: three controls, two recent examples, one improvement action — builds confidence without scripting.
Close all internal audit findings with evidence before external stage 2 — certification bodies treat open majors from your own audit as systemic weakness.
Run a timed evidence drill two weeks before audit: five random controls, 45-minute collection window, debrief gaps immediately.