Checklist
Audit Preparation Checklist
A phased checklist for the run-up to a SOC 2 or ISO 27001 audit. It assumes your controls are largely in place (use the readiness assessment first) and focuses on evidence, dry runs, and fieldwork logistics.
How to use this template
- Run the phases in order; each assumes the previous one is done.
- Name a single audit owner who tracks every open item to closure.
- Keep a shared evidence folder mapped control-by-control — most delays are missing or mislabeled evidence.
Phase 1 — ~8 weeks out: confirm scope & gaps
- Lock scopeConfirm in-scope systems, criteria/controls, and the observation window with the auditor.
- Close readiness gapsResolve every Partial/Not started item from your readiness assessment.
- Assign ownersMap each control area to an owner responsible for its evidence.
Phase 2 — ~6 weeks out: evidence & access
- Build the evidence indexCreate a control-to-evidence map; identify the system of record for each artifact.
- Run access reviewsPerform and document access reviews for corporate and production systems; remediate exceptions.
- Verify logging & backupsConfirm logging, alerting, and restore-tested backups are operating and produce evidence.
Phase 3 — ~3 weeks out: dry run
- Sample-test yourselfPull the same samples an auditor would (changes, access grants, incidents) and check the evidence holds up.
- Tidy policiesConfirm every policy is current, versioned, approved, and acknowledged.
- Prep intervieweesBrief control owners on likely questions and where their evidence lives.
Phase 4 — fieldwork week: logistics
- Provision auditor accessSet up read-only/observed access or a secure evidence share ahead of time.
- Single point of contactRoute all requests through the audit owner to avoid duplicate/conflicting answers.
- Track requests to closeLog every auditor request (PBC list) and its status; respond promptly to avoid drift.
Common last-mile misses
- Offboarded users still have access somewhere.
- Evidence screenshots without a timestamp or a source system.
- A policy that references a control you don't actually operate.
- Access reviews performed but not documented/retained.
- Backups configured but never restore-tested.
Related
This template is general guidance to accelerate your compliance program and is not legal advice. Adapt it to your organization and your auditor's requirements.