March 9, 2026

Compliance Audit Preparation: A 90-Day Countdown

Days 90–60: Assessment and Scoping

Week 1: Review your framework requirements and identify evidence gaps.
Week 2: Scope your penetration test to align with your compliance boundary (system description for SOC 2, CDE for PCI DSS, ISMS scope for ISO 27001).
Week 3: Engage your testing provider and schedule the engagement.
Week 4: Prepare the testing environment, create test accounts, and notify relevant teams. Begin collecting non-testing evidence (policies, procedures, access reviews).

Days 60–30: Testing and Remediation

Weeks 5–6: Penetration testing and vulnerability scanning run. Findings appear in real time if you are using a TaaS platform like Penetrify. Begin remediation of critical and high findings immediately.
Weeks 7–8: Complete remediation of all critical and high findings. Request retesting for completed fixes. Compile retest evidence confirming remediation.

Days 30–0: Documentation and Review

Weeks 9–10: Finalise the compliance report with methodology, findings, remediation, and retest evidence. Verify that all framework control mappings are complete.
Weeks 11–12: Conduct an internal review of all evidence. Verify that pentest dates fall within the audit period. Confirm that the scope aligns with the framework boundary. Prepare for auditor questions about findings and remediation.

Why Audits Fail

Starting pentesting too late (no time for remediation before the audit).
Pentest scope misaligned with the compliance boundary.
Missing retest evidence for remediated findings.
Evidence dated outside the audit period.
Generic reports without framework-specific control mapping.

The Bottom Line

Audit preparation is a 90-day project, not a 90-minute task. Start early, align your pentest scope with your compliance boundary, and work with a provider—like Penetrify—that produces compliance-ready reports with built-in retesting so you don't scramble for evidence in the final weeks.

Frequently Asked Questions

How far in advance should I start audit preparation?
90 days minimum. This allows time for penetration testing (weeks 1–6), remediation and retesting (weeks 5–10), and documentation compilation (weeks 9–12).
What's the most common reason audits fail?
Starting pentesting too late—leaving no time to remediate findings and generate retest evidence before the auditor reviews the evidence.