Skip to main contentSkip to main content
    Checklist

    Audit Preparation Checklist

    A phased checklist for the run-up to a SOC 2 or ISO 27001 audit. It assumes your controls are largely in place (use the readiness assessment first) and focuses on evidence, dry runs, and fieldwork logistics.

    How to use this template

    • Run the phases in order; each assumes the previous one is done.
    • Name a single audit owner who tracks every open item to closure.
    • Keep a shared evidence folder mapped control-by-control — most delays are missing or mislabeled evidence.

    Phase 1 — ~8 weeks out: confirm scope & gaps

    1. Lock scope
      Confirm in-scope systems, criteria/controls, and the observation window with the auditor.
    2. Close readiness gaps
      Resolve every Partial/Not started item from your readiness assessment.
    3. Assign owners
      Map each control area to an owner responsible for its evidence.

    Phase 2 — ~6 weeks out: evidence & access

    1. Build the evidence index
      Create a control-to-evidence map; identify the system of record for each artifact.
    2. Run access reviews
      Perform and document access reviews for corporate and production systems; remediate exceptions.
    3. Verify logging & backups
      Confirm logging, alerting, and restore-tested backups are operating and produce evidence.

    Phase 3 — ~3 weeks out: dry run

    1. Sample-test yourself
      Pull the same samples an auditor would (changes, access grants, incidents) and check the evidence holds up.
    2. Tidy policies
      Confirm every policy is current, versioned, approved, and acknowledged.
    3. Prep interviewees
      Brief control owners on likely questions and where their evidence lives.

    Phase 4 — fieldwork week: logistics

    1. Provision auditor access
      Set up read-only/observed access or a secure evidence share ahead of time.
    2. Single point of contact
      Route all requests through the audit owner to avoid duplicate/conflicting answers.
    3. Track requests to close
      Log every auditor request (PBC list) and its status; respond promptly to avoid drift.

    Common last-mile misses

    • Offboarded users still have access somewhere.
    • Evidence screenshots without a timestamp or a source system.
    • A policy that references a control you don't actually operate.
    • Access reviews performed but not documented/retained.
    • Backups configured but never restore-tested.

    Related

    This template is general guidance to accelerate your compliance program and is not legal advice. Adapt it to your organization and your auditor's requirements.