
ISO 27001 pre-audit

An ISO 27001 pre-audit is a trial run: before the official certification audit, an independent auditor walks through your entire ISMS as if it were the real thing. You see exactly which non-conformities remain, how serious they are and what you must do to fix them — without it costing you your certificate. It is the dress rehearsal that removes surprises on audit day.

What is an ISO 27001 pre-audit?

An ISO 27001 pre-audit — also called a mock audit or audit-readiness check — is a full dry run of the certification audit. An independent auditor tests your information security management system (ISMS) against the requirements of ISO/IEC 27001: from context and scope, the risk assessment and the Statement of Applicability to the operation of your controls, the internal audit and the management review. The crucial difference from the real audit: a pre-audit carries no certificate and no formal non-conformity. You get the same critical scrutiny, but in a safe setting where mistakes are still free. So before the certification body arrives, you know whether you are genuinely audit-ready or whether there is still work to do.

Why do a pre-audit?

The certification audit is expensive, formal and unforgiving: a single major non-conformity can delay or block your certificate. A pre-audit pulls that risk forward. First, you avoid surprises on audit day — you know in advance what the auditor will see and where it pinches. Second, you remove non-conformities early, at a point when fixes are still cheap and pressure-free, rather than in a panicked corrective window after the real audit. Third, it gives you a realistic plan: you base your certification date on facts, not hope. And perhaps most important, a pre-audit trains your team. People who have already experienced an audit day once perform more calmly and convincingly during the real one.

What you get: report, severity and remediation plan

After the pre-audit you receive a clear report — not a checkbox sheet, but a workable document. Every finding is named, backed by evidence (or the lack of it), and linked to the relevant requirement in the standard. More importantly, every finding is given a severity rating. We distinguish major non-conformities (which put your certificate at risk), minor non-conformities (which must be resolved within a set period) and observations or opportunities for improvement. On top of that we deliver a remediation plan: for each finding a concrete action, an owner and a priority, so your team can get straight to work on what truly matters. Not 200 scattered remarks, but a prioritised route to a clean certification audit.

Pre-audit vs internal audit vs certification audit

These three are often confused, yet each serves a distinct purpose. The internal audit is a mandatory requirement of ISO 27001 (clause 9.2): you must periodically and independently test your own ISMS. It is your own quality assurance and produces required audit evidence. The pre-audit is not mandatory but is wise: it simulates the certification audit to show you whether you are ready for the real thing — it is a readiness test, not a formal requirement. The certification audit, finally, is carried out by an accredited certification body (CB) and leads — on success — to the official ISO 27001 certificate. In short: the internal audit is something you must do, the pre-audit is something you do smartly to sail through the third one — the certification audit.

The process in steps + who it's for

A pre-audit at Secrotec runs in four steps.

1) Scope and planning — we agree which parts and sites are in scope and schedule the audit day(s).
2) Document review — we assess policy, risk assessment, SoA and records up front.
3) Audit on site or remote — through interviews and sampling we test the actual operation, exactly as the CB would.
4) Reporting and debrief — you receive the findings report with severity and remediation plan, plus a conversation to walk through the priorities.

A pre-audit is ideal for organisations certifying for the first time, for teams shortly before their stage 2 audit, and for companies that, after a gap analysis and building their ISMS, want certainty before the real audit. Feel free to combine the pre-audit with an independent internal audit, or have it carried out by our ISO 27001 Lead Auditor. Read more about the full journey on our ISO 27001 audit page.

Frequently asked questions

Short, direct answers to the most common questions.

What is the difference between a gap analysis and a pre-audit?

A gap analysis measures, early in the journey, the difference between your current situation and the standard — often before the ISMS is finished. A pre-audit comes later: it is a complete dress rehearsal of the certification audit, run as if it were the real thing, including interviews and sampling of how controls operate. The gap analysis tells you what to build; the pre-audit tests whether what you built will survive the certification audit.

Is a pre-audit mandatory?

No, a pre-audit is not mandatory. ISO 27001 does require an internal audit (clause 9.2) and a management review, but not a pre-audit. Even so, many organisations deliberately choose one, especially for a first certification. A pre-audit significantly lowers the risk of major non-conformities during the real audit and gives a realistic plan — a small investment that prevents a failed or postponed certification audit.

When is the right moment for a pre-audit?

Ideally a few weeks to a couple of months before the planned certification audit (stage 2). The ISMS should be operational and running for a while, so there is evidence of operation: completed records, logging, a performed internal audit and a management review. Too early and there is little to test; too late and you have no time to clear findings. We help you choose the right moment.

What does a pre-audit cost?

The cost depends on the scope, the number of sites and the size of your organisation and ISMS. A focused pre-audit for a single scope is more limited than a project for a large, multi-site organisation. Set against the cost and risk of a postponed or failed certification audit, a pre-audit is usually a sound investment. Request a pre-audit for a tailored estimate.

Ready for a pre-audit without surprises?

Book an ISO 27001 pre-audit and know — before the certification audit — exactly where you stand, which non-conformities remain, and how realistic your timeline is.
