How do you prepare for an ISO 27001 audit?
Preparing for an ISO 27001 audit is all about demonstrability: the auditor needs evidence, not intentions. Make sure the scope, risk analysis and Statement of Applicability are up to date and consistent with one another, that policy is actually applied on the work floor, and that the internal audit, management review and improvement actions have been carried out and recorded. The step-by-step plan below takes you to audit readiness.
The step-by-step plan
- Define the scope — what falls within the ISMS?
- Update the risk analysis — risks, owners, treatment plan.
- Statement of Applicability — link risks to Annex A controls.
- Policy & awareness — make sure staff know it and apply it.
- Internal audit — have this carried out independently.
- Management review — senior management evaluates and adjusts.
- Improvement actions — correct non-conformities and record evidence.
Common mistakes
- An SoA that does not match the risk analysis.
- Policy that exists only as a document in a folder and is not applied in daily practice.
- A management review that exists only on paper.
- Improvement actions without follow-up.
A gap analysis surfaces these shortcomings early, while there is still time to fix them before the external audit.
ISO/IEC 27001 — official standard page (official source).
Frequently asked questions
Short, direct answers — written for people and for AI search functions alike.
How long does preparing for an ISO 27001 audit take?
For an organisation starting from scratch, setting up a working ISMS usually takes 3 to 9 months. If you already have many controls in place, preparing for the audit can take from a few weeks to a few months. A gap analysis gives you a realistic timeline.
Which document matters most in the audit?
The Statement of Applicability (SoA), because it links your risks to the controls and forms the core of the audit. In addition, the risk assessment, the policy and the evidence of the internal audit and management review are crucial.
Do I need an internal audit and management review before certification?
Yes. ISO 27001 requires at least one internal audit and one management review before you go for certification. These also provide the evidence that your improvement cycle works, which is exactly what the external auditor wants to see.
Can I outsource the audit preparation?
Yes. You can have the gap analysis, internal audit and pre-audit carried out by an independent party. The implementation itself and the ultimate responsibility remain with your organisation.
Want to know whether you are audit-ready?
Schedule a no-obligation audit scan and, within a single conversation, find out where you stand and what the next step is.