Skip to main content

Audit Preparation

Practical preparation for ISO 27001, ISO 22301, ISO 9001, ISO 42001 and other certification audits.

The weeks before a certification audit are when most organisations realise what’s missing. Documentation gaps, evidence that’s harder to produce than expected, control implementations that look good in theory but haven’t been operating long enough to demonstrate. Audit preparation exists to find those issues while you still have time to fix them.

Whether you’re approaching your first certification or a surveillance or recertification audit, an independent readiness review gives you a realistic picture of where you stand—and a clear path to closing any gaps before the auditor sees them.

What audit preparation involves

Our audit preparation engagements typically follow two phases.

Phase 1: Readiness assessment

We conduct a realistic review of your management system using the approach a certification auditor will take. That means:

  • Document review — checking that required policies, procedures, and records exist and are current
  • Evidence walkthrough — examining whether the controls you’ve documented are actually operating, with evidence to prove it
  • Staff interviews — sampling how people across your organisation understand and apply the policies (not just what’s in the manual)
  • Process observation — where relevant, watching key processes in action rather than just reading about them
  • Management system review — verifying that internal audits, management reviews, risk assessments, and corrective actions have been conducted and documented

You receive a clear report identifying conformities, nonconformities, and observations—mirroring the structure of an actual audit report. This means no surprises in how findings will be presented during the real audit.

Phase 2: Remediation support

Once findings are identified, you can address them yourselves or engage us to help. Typical remediation support includes:

  • Closing documentation gaps
  • Reviewing and improving operating evidence
  • Coaching staff on questions they’re likely to face
  • Helping management prepare for the management review elements of the audit
  • Sense-checking corrective actions before the audit

We work at the pace your audit date requires, focused on what genuinely needs to be fixed rather than gold-plating.

Why independence matters

Audit preparation should be conducted by an organisation independent from your selected certification auditor. Certification bodies are required to keep audit and consultancy work separate—engaging a certification body for prep would invalidate the certification.

The same logic also applies, in spirit, to your implementation consultants. The team that helped you build your management system has a vested interest in believing it works. An independent reviewer brings fresh eyes and the auditor’s mindset, which is exactly what the prep is meant to replicate.

That said, there’s no rule against using your implementation partner for prep if you trust their honesty. Many organisations use both: their implementation partner for build, an independent partner for the readiness check before audit.

How we work

We approach audit prep the way good external auditors do: structured, evidence-led, and direct about findings. We won’t flatter the work to make you feel good, and we won’t manufacture findings to look thorough. The report you receive is the report we’d write if we were auditing you ourselves.

Our team has experience across multiple certification bodies and standards, including ISO 27001, ISO 22301, ISO 9001, and ISO 42001. Where audits are integrated (multiple standards assessed together), we can support all of them in a single engagement.

We also conduct internal audits and supplier assessments, which can be used in concert with audit preparation depending on what your management system needs.

What to expect

A readiness review for a moderately sized management system typically takes 3-5 days on site (or remote, depending on your preference), with a written report delivered within a week. Remediation support is scaled to your audit timeline and the scope of issues found.

Where we identify findings that put certification materially at risk—and time is short—we’ll be honest about that with you and help you decide whether to remediate fast or postpone the audit. A delayed audit always costs less than a failed one.

Common questions

When should we start audit preparation?
For a first certification audit, ideally 8-12 weeks before your audit date—enough time to remediate any findings without a panic. For surveillance and recertification audits, 4-6 weeks is usually enough. If you're closer to the audit than that, we can still help; the work just gets more focused on the issues most likely to attract scrutiny.
What's the difference between audit preparation and an internal audit?
An internal audit is a formal requirement of the management system standard—you must conduct internal audits and document the results. Audit preparation is a readiness exercise: a realistic dry-run of what your external auditor will examine, focused on identifying and fixing problems before the certification audit. Internal audits can serve part of this purpose, but a dedicated readiness review goes deeper into how an auditor will actually look at your evidence.
Why use an independent partner rather than the consultancy that did our implementation?
Implementation consultants are close to the work they helped you build—that's both a strength (they know the detail) and a limitation (they may not see what an outside auditor will question). An independent readiness review brings a fresh perspective and replicates the auditor's mindset more faithfully. Some organisations use both: their implementation partner for build, an independent partner for readiness.
Can our certification body do audit preparation for us?
No. Certification bodies are required to maintain independence from the organisations they audit and cannot provide consultancy services that they then assess. Engaging your certification body for preparation would invalidate the certification. The audit prep partner must be a separate organisation.
What happens if you find serious gaps close to the audit date?
We'll tell you plainly. If gaps are minor, we'll work with you to close them before the audit. If they're significant enough to put certification at risk, the honest answer is sometimes to postpone the audit—a delayed audit costs less than a failed one. We'll help you make that judgement and, where possible, plan remediation realistically.
Do you liaise with the certification body or auditor?
Where it helps, yes. We can support audit logistics, help you frame responses to auditor questions, and accompany you through the audit itself if requested. We don't speak on your behalf—the audit is between you and the certification body—but we make sure you're not navigating it alone.
How much does audit preparation cost?
It depends on the scope of your management system and how thorough a review you want. A focused readiness review of a moderately sized ISMS is usually a defined-scope engagement of a few days; deeper preparation including remediation support is scoped to your timeline. We'll propose a realistic structure after an initial scoping conversation.

Ready to discuss your requirements?

Let's have a conversation about how we can help your organisation.

Let's talk