Compliance Audit Preparation: A 90-Day Countdown

Days 90–60: Assessment and Scoping
Week 1: Review your framework requirements and identify evidence gaps. Week 2: Scope your penetration test so that it aligns with your compliance boundary (the system description for SOC 2, the cardholder data environment (CDE) for PCI DSS, the ISMS scope for ISO 27001); any asset inside the boundary that the test does not cover is a gap the auditor will ask about. Week 3: Engage your testing provider and schedule the engagement. Week 4: Prepare the testing environment, create test accounts, and notify the relevant teams. In parallel, begin collecting non-testing evidence (policies, procedures, access reviews).
Days 60–30: Testing and Remediation
Weeks 5–6: The penetration test and vulnerability scans run. Findings appear in real time if you are using a TaaS platform like Penetrify. Begin remediating critical and high findings as soon as they are reported rather than waiting for the final report. Weeks 7–8: Complete remediation of all critical and high findings, request retesting of each completed fix, and compile the retest evidence confirming remediation. For anything that will not be fixed before the audit, document a remediation plan or a formal risk acceptance so the auditor sees a decision rather than an open item.
Days 30–0: Documentation and Review
Weeks 9–10: Finalise the compliance report with methodology, findings, remediation, and retest evidence, and verify that every finding is mapped to the framework controls it affects. Weeks 11–12: Conduct an internal review of all evidence. Verify that the pentest dates, and the retest dates, fall within the audit period. Confirm that the tested scope matches the framework boundary. Prepare for auditor questions about findings and remediation, including why any remaining findings were accepted.
Why Audits Fail
Starting pentesting too late, leaving no time for remediation and retesting before the audit. A pentest scope misaligned with the compliance boundary. Missing retest evidence for remediated findings. Evidence dated outside the audit period. Generic reports without framework-specific control mapping.
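The internal review in weeks 11–12 and the failure modes above are mechanical enough to script against a findings export. The following is an added example, not code from the original article or from Penetrify: a readiness check that flags scope gaps, open or un-retested critical and high findings, evidence dated outside the audit period, and findings with no control mapping. The data model, hostnames, audit period, control IDs and findings are all constructed for illustration; a real export from a testing platform will have its own shape.

```python
# Added example (not from the original article): pre-audit evidence readiness
# check over an exported findings list. All data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_OR_HIGH = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    severity: str                       # "critical" | "high" | "medium" | "low"
    found_on: date                      # date the tester reported the finding
    control_refs: tuple = ()            # framework control IDs it maps to
    remediated_on: Optional[date] = None
    retested_on: Optional[date] = None  # date of the confirming retest


def in_period(day, period):
    """True if `day` lies within the inclusive (start, end) audit period."""
    start, end = period
    return start <= day <= end


def audit_readiness(findings, tested_hosts, boundary, period):
    """Return a list of 'where: problem' strings.

    An empty list means the evidence passes every check listed under
    'Why Audits Fail'. Scope problems are reported first, then per-finding
    problems in export order.
    """
    problems = []

    # Scope alignment: every host in the compliance boundary must have been
    # tested; tested hosts outside it are noted so the report can explain them.
    for host in sorted(boundary - tested_hosts):
        problems.append(f"scope: boundary host {host} was not tested")
    for host in sorted(tested_hosts - boundary):
        problems.append(f"scope: tested host {host} is outside the boundary")

    for f in findings:
        if not in_period(f.found_on, period):
            problems.append(f"{f.id}: finding dated outside the audit period")
        if not f.control_refs:
            problems.append(f"{f.id}: no framework control mapping")
        # Only critical and high findings must be fixed and retested before
        # the audit; lower severities need a documented decision instead.
        if f.severity in CRITICAL_OR_HIGH:
            if f.remediated_on is None:
                problems.append(f"{f.id}: {f.severity} finding still open")
            elif f.retested_on is None:
                problems.append(f"{f.id}: remediated but no retest evidence")
            elif f.retested_on < f.remediated_on:
                problems.append(f"{f.id}: retest predates the fix")
            elif not in_period(f.retested_on, period):
                problems.append(f"{f.id}: retest evidence dated outside the audit period")
    return problems


def is_audit_ready(findings, tested_hosts, boundary, period):
    return not audit_readiness(findings, tested_hosts, boundary, period)


# Constructed sample: a SOC 2 audit period, a four-host boundary, a test that
# missed one boundary host and touched one host outside it, and four findings
# in assorted states of remediation. Control IDs are illustrative.
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
SAMPLE_BOUNDARY = {"api.example.internal", "db.example.internal",
                   "vpn.example.internal", "mail.example.internal"}
SAMPLE_TESTED_HOSTS = {"api.example.internal", "db.example.internal",
                       "vpn.example.internal", "staging.example.internal"}
SAMPLE_FINDINGS = [
    Finding("F-001", "api.example.internal", "critical", date(2024, 3, 4),
            ("CC7.1",), remediated_on=date(2024, 3, 20), retested_on=date(2024, 3, 28)),
    Finding("F-002", "db.example.internal", "high", date(2024, 3, 5),
            ("CC7.1",), remediated_on=date(2024, 4, 2)),          # never retested
    Finding("F-003", "vpn.example.internal", "medium", date(2023, 11, 20)),  # old, unmapped
    Finding("F-004", "vpn.example.internal", "high", date(2024, 3, 6),
            ("CC7.1", "CC8.1")),                                   # still open
]


def sample_problems():
    """Run the check over the constructed sample and return its problem list."""
    return audit_readiness(SAMPLE_FINDINGS, SAMPLE_TESTED_HOSTS,
                           SAMPLE_BOUNDARY, AUDIT_PERIOD)


if __name__ == "__main__":
    for line in sample_problems():
        print(line)
```

Run this in week 11, not week 12: each line it prints is either a retest to request, a control mapping to add, or a scope gap that needs an explanation in the report, and none of those are fixable the day before the auditor arrives.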
The Bottom Line
Audit preparation is a 90-day project, not a 90-minute task. Start early, align your pentest scope with your compliance boundary, and work with a provider—like Penetrify—that produces compliance-ready reports with built-in retesting so you don't scramble for evidence in the final weeks.