Home/Blog/Compliance Audit Preparation: SOC 2, ISO 27001, and PCI DSS Certification Roadmap
Compliance

Compliance Audit Preparation: SOC 2, ISO 27001, and PCI DSS Certification Roadmap

Master compliance audit preparation with evidence collection, control testing, and certification roadmaps. Covers SOC 2 Type II (6-12 months), ISO 27001 (3-year cycle), and PCI DSS QSA assessment.

By InventiveHQ Team
Compliance Audit Preparation: SOC 2, ISO 27001, and PCI DSS Certification Roadmap

Introduction

Audit preparation marks a critical transition from building compliance foundations to achieving formal certification and third-party validation. Whether you're pursuing SOC 2 Type II for enterprise customer requirements, ISO 27001 for international expansion, or PCI DSS compliance for payment processing, successful audit preparation requires meticulous evidence collection, strategic control testing, and expert execution.

This comprehensive guide covers the complete audit preparation lifecycle: pre-audit readiness assessment, evidence collection and organization, control testing and validation, framework-specific audit processes, common findings and remediation strategies, and post-audit corrective action management. We'll explore the distinct audit timelines and requirements for SOC 2 Type II (6-12 months observation), ISO 27001 (3-year certification cycle with annual surveillance audits), and PCI DSS QSA assessments (annual compliance validation).

Understanding the Audit Preparation Landscape

Audit preparation extends far beyond the formal audit period. Organizations typically begin collecting evidence and validating controls 3-6 months before the scheduled audit date. This preparation phase often reveals gaps that require remediation, necessitating thoughtful timeline planning and risk-based prioritization.

Key Statistics on Audit Timelines:

  • SOC 2 Type II audits require 6-12 months of control operation before audit commencement
  • ISO 27001 initial certification requires 1-3 months of control operation, then 3 months for Stage 1 and 2 audits
  • PCI DSS annual assessments typically span 4-8 weeks per level, with 12-month compliance windows
  • Organizations typically spend 3-6 months in pre-audit preparation before formal audit engagement
  • Average time from audit commencement to certificate issuance: 2-4 months for SOC 2 and ISO 27001

Audit Preparation Costs:

  • SOC 2 Type II: $30,000-$150,000 (external audit fees)
  • ISO 27001 certification: $50,000-$300,000 (certification body fees, consulting)
  • PCI DSS QSA assessment: $25,000-$500,000+ (depends on organization size and scope)
  • Internal preparation costs: $100,000-$500,000 (staff time, tools, remediation)

Pre-Audit Readiness Assessment

Before formal audit engagement, organizations should conduct comprehensive pre-audit readiness assessments to identify gaps and validate control effectiveness. This internal assessment phase typically spans 2-4 weeks and provides critical insight into audit readiness.

Readiness Assessment Framework

Phase 1: Control Inventory and Documentation Review (1 week)

Complete an exhaustive inventory of all security controls currently in place. This includes technical controls (EDR, SIEM, MFA), operational controls (access reviews, change management), and management controls (policies, risk assessments). For each control, document:

  • Control objective and requirement mapping
  • Current implementation status
  • Evidence sources and locations
  • Last validation date
  • Residual gaps or exceptions

Many organizations discover that controls exist operationally but lack proper documentation. Create a control registry mapping each framework requirement to implemented controls with evidence locations.

Phase 2: Evidence Collection (2 weeks)

Begin systematic evidence collection 4-6 weeks before the scheduled audit. Create evidence folders organized by control domain. Evidence types include:

  • Screenshots of system configurations (MFA enablement, encryption settings, access controls)
  • Log files and monitoring dashboards (authentication logs, change logs, audit logs)
  • Policy acknowledgments and training completion records
  • Vendor SOC 2 and ISO 27001 certifications (for critical third parties)
  • Penetration testing and vulnerability scan results
  • Incident logs and investigation reports
  • Change management tickets and approval records
  • Access review documents and recertification evidence
  • Business continuity plan test results and backup logs
  • Personnel files with background checks and NDA signatures

Establish a centralized evidence repository with version control and access restrictions. Many organizations use shared drives, GRC platforms (Vanta, Drata, Secureframe), or document management systems. Ensure evidence is dated, labeled clearly, and maps to specific control requirements.

Phase 3: Pre-Audit Gap Assessment (1-2 weeks)

Conduct an internal audit or engage an experienced consultant to perform a pre-audit gap assessment. This assessment typically evaluates:

  • Control operating effectiveness (do controls work as designed?)
  • Evidence completeness (does documentation support control claims?)
  • Compliance with framework requirements
  • Common audit findings specific to your industry
  • Severity rating for identified gaps (Critical, High, Medium, Low)

Rate findings against a standard severity matrix:

  • Critical: Control non-existent or completely ineffective (audit failure risk)
  • High: Control partially implemented or inconsistently applied (likely audit finding)
  • Medium: Control implemented with minor gaps or documentation issues (possible audit finding)
  • Low: Control implemented with documentation or presentation improvements needed (minimal audit impact)

Pre-Audit Control Testing

Validate that key controls operate as documented. Testing approaches depend on control type:

Technical Controls Testing:

  • Verify MFA enforcement on all systems by attempting authentication with disabled MFA
  • Review access control configurations in identity providers (Okta, Azure AD, Active Directory)
  • Validate encryption settings in transit (TLS 1.2+) and at rest (AES-256)
  • Confirm logging and monitoring are capturing expected events
  • Test incident response procedures with tabletop exercise or simulation

Operational Controls Testing:

  • Perform sample access reviews (audit 5-10 random user accounts for role appropriateness)
  • Review change management process by examining recent change tickets for completeness
  • Validate vendor SOC 2 reports are current (less than 1 year old for annual audits)
  • Confirm security training completion records are documented and current
  • Review incident logs for appropriate response procedures

Management Controls Testing:

  • Validate policy review dates and executive sign-off
  • Confirm risk assessments are documented and current
  • Verify DPIA completion for new data processing activities
  • Review board/committee meeting minutes for compliance governance discussions

Audit Readiness Scoring

Develop a readiness score across all audit domains (0-100 scale):

  • 90-100: Audit-ready, minimal remediation needed
  • 75-89: Good readiness, minor gaps to address
  • 60-74: Moderate readiness, significant gap remediation required
  • 40-59: Below target, substantial remediation effort needed
  • Below 40: Recommend delaying audit until critical gaps addressed

Track readiness across domains (e.g., Access Control: 92%, Change Management: 68%) to identify priority remediation areas.

Evidence Collection and Organization

Systematic evidence collection is the foundation of successful audit preparation. Auditors will spend 30-50% of audit time reviewing evidence. Well-organized, comprehensive evidence accelerates audit execution and reduces finding likelihood.

Evidence Collection Strategy

Organize Evidence by Control Domain

Group evidence using the audit framework's control structure:

SOC 2 Type II:

  • CC (Common Criteria) - Security: 7 control domains
  • A (Availability) - System uptime and performance
  • PI (Processing Integrity) - Complete, accurate processing
  • C (Confidentiality) - Sensitive data protection
  • P (Privacy) - Data handling and consent

ISO 27001:

  • A.5: Organizational controls (37 controls)
  • A.6: People controls (8 controls)
  • A.7: Physical controls (14 controls)
  • A.8: Technological controls (34 controls)

PCI DSS v4.0:

  • Requirement 1: Network security
  • Requirement 2: Configuration management
  • Requirement 3-4: Data protection
  • Requirement 5-9: Access controls and physical security
  • Requirement 10-12: Testing, monitoring, and policies

Create Control-Evidence Mapping

For each control requirement, document:

  • Control ID and description
  • Operating period and testing dates
  • Evidence items (with file names and locations)
  • Person responsible for evidence provision
  • Status (Evidence complete, In progress, Not applicable)

Example mapping for SOC 2 CC6.1 (Logical access controls):

  • Control: MFA enforced on all systems
  • Evidence:
    • okta-mfa-settings-2025-01-06.pdf (screenshot of MFA configuration)
    • mfa-policy-2024-signed.pdf (MFA policy with executive sign-off)
    • mfa-implementation-log-202412.xlsx (implementation dates by system)
    • failed-login-attempts-2024-12.csv (logs demonstrating MFA rejection)
    • user-training-acknowledgments-mfa.pdf (training completion records)

Evidence Types and Collection Methods

Automated Evidence Collection

Many compliance automation platforms collect evidence continuously:

  • Cloudflare Workers screenshots of security configurations
  • GitHub branch protection and code review evidence
  • AWS CloudTrail logs and security group configurations
  • Google Workspace admin console activity logs
  • Okta authentication and MFA logs
  • Slack message retention policies and access controls

Set up automated daily or weekly evidence collection through tools like Vanta, Drata, or Secureframe. Automated collection reduces manual effort by 40-60% and provides timestamped audit trails.

Manual Evidence Collection

Some evidence requires manual collection:

  • Policy acknowledgments (training records, security agreement sign-offs)
  • Interviews and attestations from key personnel
  • Historical incident investigation reports
  • Vendor SOC 2 and ISO 27001 certificates
  • Penetration test reports and remediation evidence
  • Business continuity plan test results

Create a collection template for consistency:

Evidence Item: [Control-Specific Description]
Evidence Type: [Screenshot, Log, Document, Attestation]
Collected Date: [Date collected or evidence date]
Collector Name: [Who collected this evidence]
File Name: [Standardized naming convention]
Control Mapping: [Which requirements this evidence supports]
Notes: [Relevant context or limitations]

Evidence Organization Best Practices

Standardize Evidence Naming

Use consistent naming conventions enabling quick reference:

[Control ID]-[Evidence Type]-[Date]
CC6.1-MFA-Config-2025-01-06.pdf
CC7.2-Access-Review-Q4-2024.xlsx
CC1.1-Risk-Assessment-Annual-2024.pdf

Version Control Critical Evidence

Track evidence versions for policies, assessments, and certifications that change over time:

Access-Control-Policy-v1.0-2023-01-15.pdf (approved 2023-01-15)
Access-Control-Policy-v2.0-2024-06-20.pdf (updated for SOC 2, approved 2024-06-20)
Access-Control-Policy-v2.1-2025-01-06.pdf (minor clarifications, approved 2025-01-06)

Maintain Audit Trail

Document evidence collection dates and sources for auditor validation:

  • Screenshots: Include timestamp, user logged in, URL/system shown
  • Logs: Include date range, log source system, full URL/query used
  • Certifications: Include certificate issue and expiration dates
  • Training: Include completion dates for each individual

Create Evidence Index

Develop a master index mapping all evidence to framework requirements:

Control IDControl DescriptionEvidence ItemFile LocationStatusNotes
CC6.1Logical Access ControlMFA Configurationevidence/cc6.1/mfa-config-2025-01-06.pdfComplete
CC6.1Logical Access ControlMFA Policyevidence/cc6.1/mfa-policy-signed-2024.pdfCompleteUpdated 2024-06-20
CC6.1Logical Access ControlFailed Login Logsevidence/cc6.1/failed-logins-2024-12.csvCompleteSample period: 12/1-12/31
CC6.2Prior to IssueAccess Reviewevidence/cc6.2/access-review-q4-2024.xlsxIn ProgressDue 2025-01-15

Control Testing and Validation

Control testing validates that security controls operate effectively during the audit period. Auditors test controls through multiple methods including inquiry, observation, inspection of evidence, and re-performance of control procedures. Organizations should perform similar testing during audit preparation.

Control Testing Approaches

Testing by Control Type

Preventive Controls (prevent unwanted activity):

  • Testing method: Verify configuration prevents prohibited action
  • Example: MFA prevents unauthenticated access
  • Test procedure: Attempt login without MFA (verify failure)
  • Evidence: Failed login logs, configuration screenshot

Detective Controls (identify unwanted activity after occurrence):

  • Testing method: Verify detection and alerting mechanisms function
  • Example: Monitoring detects unauthorized access attempts
  • Test procedure: Review logs for detection of failed logins
  • Evidence: Monitoring dashboard showing alerts, incident response

Corrective Controls (remediate identified issues):

  • Testing method: Verify response procedures are executed
  • Example: Incident response addresses detected breaches
  • Test procedure: Review incident investigation reports
  • Evidence: Incident logs, investigation reports, corrective actions

Testing Scopes and Sample Sizes

Auditors test controls across a defined operating period (6 months for SOC 2 Type II, 3+ months for ISO 27001). Testing includes:

  • Quarterly testing: Controls tested at least quarterly during audit period
  • Sample testing: 10-25% of transactions or access events sampled
  • Full-period testing: Some controls assessed across entire audit period

Example testing scopes:

  • Access reviews: Test sample of 3-5 reviews across audit period
  • Change management: Test sample of 10-25 changes across audit period
  • Incident response: Review all incidents during audit period
  • Training: Verify 100% of covered personnel trained

Key Testing Procedures by Domain

Access Control Testing

  • List all users with system access (get current user listings from 3-5 critical systems)
  • Sample 5-10 random users per system
  • Verify access aligns with job role (review job descriptions or role definitions)
  • Confirm access was approved before provisioning (examine approval tickets)
  • Verify access is reviewed and reapproved periodically (test one access review cycle)
  • Validate deprovisioning occurs upon termination (review 3-5 user offboarding records)

Change Management Testing

  • Request list of all changes implemented during audit period
  • Sample 10-20 representative changes
  • For each change, verify:
    • Change was documented in change management system
    • Risk assessment was completed before implementation
    • Approval was obtained from appropriate authority
    • Change was tested before production deployment
    • Change was documented in configuration management system
    • Change was communicated to relevant teams

Incident Response Testing

  • Request list of all security incidents during audit period
  • For each incident, verify:
    • Incident was detected and reported within established timeframe
    • Investigation was performed and documented
    • Root cause was identified
    • Corrective actions were implemented
    • Remediation was verified and evidence collected
    • Similar future incidents are prevented

Data Protection Testing

  • Verify encryption is enabled in transit (TLS 1.2+ on all data connections)
  • Verify encryption is enabled at rest (AES-256 or equivalent on databases)
  • Verify encryption keys are managed securely (key rotation policy, access restrictions)
  • Verify data classification is documented and applied consistently
  • Verify sensitive data handling is restricted to authorized users

Availability and Business Continuity Testing

  • Review backup procedures and verify backups are being taken
  • Test backup restoration procedures and verify data integrity
  • Review disaster recovery plan and verify it was tested during audit period
  • Document RTO (Recovery Time Objective) and RPO (Recovery Point Objective) achievements
  • Verify monitoring systems are detecting outages and alerting appropriate personnel

SOC 2 Type II Audit Process

SOC 2 (Service Organization Control) Type II audits provide trust service criteria (TSC) reports demonstrating that cloud, SaaS, and service organizations maintain security, availability, and confidentiality controls. Type II reports require a minimum 6-month control operation period before audit commencement (many auditors recommend 9-12 months).

SOC 2 Framework Overview

Trust Service Criteria (TSC)

SOC 2 evaluates controls against four or five trust service criteria depending on scope:

CC (Common Criteria) - Security (Always required):

  • CC1: Organization demonstrates commitment to competence
  • CC2: Leadership establishes structures, responsibilities, authority
  • CC3: Organization holds people accountable
  • CC4: Organization demonstrates commitment to competence
  • CC5: Organization obtains or generates, uses, retains, and maintains relevant information
  • CC6: Organization specifies objectives and analyzes risks to identify controls
  • CC7: Organization selects, develops, deploys, operates, and maintains controls
  • CC8: Organization obtains information about control performance and changes
  • CC9: Organization selects, applies, evaluates, and improves control activities

A (Availability): System is available for operation and use as specified

PI (Processing Integrity): Information processed is complete, accurate, timely, and authorized

C (Confidentiality): Information designated as confidential is protected

P (Privacy): Personal information is collected, used, retained, disclosed, and disposed in accordance with privacy objectives

Most organizations pursue SOC 2 Type II with Security (CC) and Availability (A) criteria.

SOC 2 Type II Timeline

Total Duration: 9-15 months

Months 1-3: Planning and Gap Assessment

  • Select auditor firm (Big 4, Schellman, A-LIGN)
  • Conduct gap assessment ($10K-$30K)
  • Develop remediation roadmap
  • Establish evidence collection systems
  • Assign evidence collection responsibilities

Months 4-9: Remediation and Evidence Collection

  • Implement identified control gaps
  • Collect baseline evidence for controls
  • Deploy automated evidence collection systems
  • Conduct internal pre-audit assessment
  • Prepare control narratives and evidence documentation

Month 10: Audit Commencement (Minimum 6 months control operation)

  • Auditor reviews control narratives and evidence
  • Auditor identifies testing procedures and sample sizes
  • Site visit scheduled (typically 1-2 weeks on-site for mid-sized organizations)
  • Auditor conducts control testing interviews and observations

Months 10-15: Audit Execution and Reporting

  • Auditor completes control testing (1-4 weeks)
  • Auditor drafts SOC 2 Type II report
  • Organization reviews draft report and provides comments
  • Auditor issues final report with opinion
  • Organization obtains opinion letter for customer distribution

Evidence Requirements for SOC 2 Type II

Required Evidence Elements

Control CategoryEvidence TypesFrequency
Access ControlUser access lists, approval documentation, access reviews, termination logsWeekly snapshots, quarterly reviews
Change ManagementChange tickets, risk assessments, test results, approval documentsPer change
Incident ResponseIncident logs, investigation reports, remediation evidencePer incident
Backup and RecoveryBackup job logs, recovery test results, RTO/RPO documentationDaily/Weekly/Quarterly
Monitoring and LoggingSystem logs, monitoring dashboards, alert configurationsContinuous
CryptographyEncryption configuration, key management procedures, certificate trackingQuarterly
Vendor ManagementVendor assessment records, SOC 2 reports, risk assessmentsQuarterly
Training and AwarenessTraining completion records, phishing simulation resultsQuarterly
Policy and DocumentationPolicy documents, sign-off records, version controlAnnual or per update

Common SOC 2 Type II Findings

Auditors frequently identify findings related to:

  • Incomplete or outdated policies (not signed/approved by leadership)
  • Gaps in access reviews (missing certain system types, incomplete documentation)
  • Change management exceptions (unauthorized changes, missing approval)
  • Inadequate monitoring (gaps in log retention, insufficient alerting)
  • Vendor control gaps (missing SOC 2 reports, no assessment documentation)
  • Backup validation gaps (backup test results, restore procedures)
  • Training documentation gaps (incomplete training records, no evidence of competency assessment)

Preparing for SOC 2 Type II Questions

Auditors will interview key personnel on:

  • Control design and operation
  • Lessons learned and process improvements
  • Incident response examples and effectiveness
  • Vendor assessment and management processes
  • How organization addresses control exceptions
  • Planned improvements and roadmap

Prepare interview teams (typically Security Officer, CIO/VP Engineering, Operations Manager) with talking points on control design, operation, effectiveness, and remediation of identified issues.

ISO 27001 Certification Process

ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS). Unlike SOC 2, ISO 27001 is a certification (not an attestation) valid for three years, requiring annual surveillance audits. Initial certification involves two stages: Stage 1 (documentation review) and Stage 2 (on-site implementation assessment).

ISO 27001 Framework Overview

ISO 27001:2022 specifies 93 controls organized across four domains:

Organizational Controls (37 controls)

  • A.5.1-5.23: Governance, strategy, policies, roles, responsibilities
  • Key controls: Risk assessment, treatment plans, third-party management, compliance

People Controls (8 controls)

  • A.6.1-6.8: Competence, awareness, discipline, responsibilities
  • Key controls: Training, awareness, incident reporting

Physical Controls (14 controls)

  • A.7.1-7.14: Perimeter security, access control, environmental monitoring
  • Key controls: Physical access, surveillance, facility monitoring

Technological Controls (34 controls)

  • A.8.1-8.34: Cryptography, access control, monitoring, incident management
  • Key controls: Encryption, authentication, logging, incident response

ISO 27001 Certification Timeline

Total Duration: 4-9 months for initial certification

Month 1: Pre-Assessment and Planning

  • Select certification body (BSI, SGS, TÜV Rheinland, Bureau Veritas)
  • Pre-assessment scope: systems, locations, personnel count
  • Discuss audit schedule and requirements
  • Establish audit contact points and communication plan

Month 2: Stage 1 Audit (Documentation Review)

  • Duration: 2-5 days (on-site or remote)
  • Auditor reviews ISMS documentation:
    • Information security policy
    • Risk assessment and treatment plan
    • Control implementation statements (for each of 93 controls)
    • Procedures and work instructions
    • Evidence of competence and training
    • Vendor assessment documentation
  • Auditor identifies non-conformities or observations (findings)
  • Organization remediates Stage 1 findings

Months 2-3: Implementation Period

  • Organization implements controls if not already operational
  • Collect evidence of control operation
  • Build controls registry
  • Prepare personnel for Stage 2 interviews
  • Conduct internal audit

Months 3-4: Stage 2 Audit (Implementation Assessment)

  • Duration: 2-5 days (on-site)
  • Auditor performs on-site assessment of control implementation
  • Interviews personnel on control operation and effectiveness
  • Tests controls through evidence inspection and re-performance
  • Observes control operation in practice
  • Identifies non-conformities or observations

Months 4-5: Remediation and Certification

  • Organization addresses Stage 2 findings
  • Auditor confirms finding closure
  • Certification body issues ISO 27001 certificate (valid 3 years)

Annual: Surveillance Audits

  • Brief annual audit (1-2 days)
  • Auditor verifies ongoing control operation
  • Assesses management review and effectiveness
  • Identifies improvement opportunities
  • Certificate renewal assessment in year 3 (full assessment)

ISO 27001 Documentation Requirements

ISMS Documentation Package

Organizations must develop comprehensive ISMS documentation:

1. Information Security Policy

  • Executive-endorsed security policy
  • Aligns with organization's strategic objectives
  • Covers all 93 controls at high level
  • Signed and dated by senior management

2. Risk Assessment Report

  • Identifies and documents all information assets
  • Evaluates threats to each asset
  • Assesses vulnerabilities enabling threats
  • Calculates risk levels
  • Documents assumptions and methodologies

3. Risk Treatment Plan

  • Documents decisions for each identified risk
  • Determines if risk should be accepted, avoided, mitigated, or transferred
  • For mitigated risks, identifies which controls will reduce risk
  • Schedules control implementation
  • Designates responsibility for each control

4. Control Implementation Statements (Annex A)

  • Document for each of 93 controls:
    • How the control is implemented
    • What processes or systems enforce the control
    • How effectiveness is verified
    • What evidence demonstrates implementation
    • When the control was implemented or will be implemented
  • Use standard template for consistency

5. Procedures and Work Instructions

  • Detailed procedures for key security processes:
    • User access provisioning and deprovisioning
    • Change management
    • Incident response
    • Access review procedures
    • Vendor risk assessment
    • Data classification and handling
    • Encryption key management
    • Business continuity and disaster recovery

6. Personnel Competence and Training Documentation

  • Job descriptions defining security responsibilities
  • Training plan identifying required competencies
  • Training completion records for all personnel
  • Competency assessment results

7. Internal Audit and Management Review Documentation

  • Annual internal audit plan and results
  • Management review minutes (at least annually)
  • Records of corrective actions for findings
  • Evidence of continuous improvement

Common ISO 27001 Non-Conformities

Auditors frequently identify non-conformities (audit failures) related to:

  • Major non-conformities: Control not implemented or completely non-functional (must be remediated before certification)
  • Minor non-conformities: Control partially implemented or with documentation gaps (remediation timeline: 2-4 weeks)

Common Major Non-Conformities:

  • Risk assessment not completed (missing documentation)
  • Critical controls not implemented (e.g., MFA, encryption, backup testing)
  • No evidence of control operation during assessment period
  • Access reviews not performed
  • Incident response procedure not documented or tested

Common Minor Non-Conformities:

  • Policy not signed by latest management
  • Training completion records incomplete
  • Control procedures lack sufficient detail
  • Vendor assessment documentation incomplete
  • Evidence of control operation has gaps in specific time periods

PCI DSS QSA Assessment Process

PCI DSS (Payment Card Industry Data Security Standard) v4.0 requires annual compliance assessment by a Qualified Security Assessor (QSA) for organizations processing payment cards or handling cardholder data. Assessment scope depends on organization size and systems involved.

PCI DSS v4.0 Framework Overview

PCI DSS v4.0 (effective March 2024) specifies 12 requirements organized across 6 goals:

GoalRequirementsFocus
1. Secure Network1-2Firewall, network segmentation
2. Protect Data3-4Data encryption, tokenization
3. Manage Vulnerabilities5-6Antivirus, security updates
4. Implement Strong Access7-8Access control, authentication
5. Protect and Monitor9-12Logging, monitoring, testing
6. Maintain Security Program(Integrated)Policies, incident response, vendor management

v4.0 Key Changes (from v3.2.1):

  • 64 new requirements introduced
  • Shift from point-in-time to continuous validation (CTVs)
  • Expanded privileged access management
  • Enhanced multi-factor authentication
  • Improved vulnerability management with penetration testing requirements
  • Greater third-party security oversight

PCI DSS Assessment Timeline

Total Duration: 1-3 months for Level 1 organizations

Month 1: Pre-Assessment Planning

  • Define assessment scope (systems processing, handling, or transmitting cardholder data)
  • Determine PCI DSS level based on transaction volume
  • Select QSA firm (Trustwave, SecureWorks, Coalfire, Schellman)
  • Schedule on-site assessment dates
  • Provide system inventory and network diagrams

Month 1-2: Evidence Gathering

  • Complete Self-Assessment Questionnaire (SAQ) applicable to organization
  • Gather evidence for 12 requirements:
    • Network diagrams (current and validated)
    • Firewall and router configurations
    • System access logs and change management records
    • Encryption implementation documentation
    • Vulnerability scan reports (from approved scanner)
    • Penetration test report (annual, performed by independent tester)
    • Incident response plan and examples
    • Personnel training records
    • Vendor assessment documentation

Month 2: On-Site QSA Assessment

  • QSA performs on-site audit (2-8 weeks depending on scope)
  • Network reconnaissance and system verification
  • Interviews with key IT and security personnel
  • Control testing and evidence review
  • Observation of security controls in operation
  • Vulnerability scans and penetration testing (if needed)

Month 3: Reporting and Remediation

  • QSA issues PCI DSS Attestation of Compliance (AoC)
  • Organization remediates any identified non-compliances
  • Quarterly vulnerability scans are required
  • Annual reassessment validates continued compliance

PCI DSS Assessment Levels

Assessment scope and effort depends on organization level:

LevelTransaction VolumeAssessment TypeDurationCost
Level 1> 6M transactions/yearFull QSA audit on-site4-8 weeks$50K-$150K
Level 21-6M transactions/yearQSA-assisted SAQ or limited audit2-4 weeks$25K-$75K
Level 320K-1M transactions/yearSAQ with QSA validation1-2 weeks$10K-$40K
Level 4< 20K transactions/yearSAQ only (no QSA required)Self-assessed$5K-$20K

PCI DSS Compliance Control Categories

Network Security (Requirements 1-2)

  • Firewall deployment with rule documentation
  • Network segmentation isolating cardholder data environment (CDE)
  • No direct routes between internet and CDE
  • Documented access control lists and routing rules

Data Protection (Requirements 3-4)

  • Cardholder data minimization (collect only essential data)
  • Strong encryption in transit (TLS 1.2+, TLS 1.3 preferred)
  • Strong encryption at rest (AES-256, 3DES acceptable until June 2024)
  • Secure deletion procedures when data retention expires

Vulnerability Management (Requirements 5-6)

  • Antivirus on all systems (updated monthly)
  • Regular security patches (critical within 30 days)
  • Vulnerability assessments quarterly by approved scanning vendors
  • Annual penetration testing by independent tester
  • Web application firewall (for external-facing applications)
  • Secure development practices (code review, secure SDLC)

Access Control (Requirements 7-8)

  • Principle of least privilege (minimal access for each role)
  • Individual user IDs (no shared or generic accounts)
  • Multi-factor authentication (MFA) for all administrative access
  • Strong password policy (minimum 8 characters, complexity requirements)
  • Password change procedures

Monitoring and Testing (Requirements 9-12)

  • Access controls limiting CDE physical access (badge systems, surveillance)
  • Logging and monitoring all access to cardholder data
  • Log retention minimum 1 year (3 months readily available)
  • Network intrusion detection or prevention systems
  • Incident response plan including notification procedures
  • Information security policy covering all 12 requirements
  • Annual compliance assessment

Common PCI DSS Non-Compliances

Frequent PCI DSS findings include:

  • Network segmentation gaps: Cardholder data environment not properly segregated
  • MFA not enforced: Administrative access lacks multi-factor authentication
  • Vulnerability management gaps: Unpatched systems, missing vulnerability assessments
  • Encryption gaps: Weak encryption algorithms, unencrypted cardholder data transmission
  • Logging gaps: Insufficient logging or insufficient log retention
  • Access control failures: Shared accounts, excessive access, no quarterly reviews
  • Third-party security gaps: Vendors accessing CDE without validation
  • Penetration test gaps: No annual penetration test or insufficient scope

Common Audit Findings and Remediation

Across all frameworks, certain findings appear repeatedly. Understanding common findings and remediation strategies enables organizations to address gaps proactively.

Finding Categories and Remediation

1. Policy and Documentation Gaps

Findings:

  • Policies not current (outdated, not reflecting recent changes)
  • Policies not signed by executive leadership
  • Procedures lack sufficient detail for consistent execution
  • Policies not communicated to all affected personnel

Remediation Steps:

  1. Identify outdated policies through policy review process
  2. Update policies to reflect current practices and new requirements
  3. Secure executive sign-off (CEO, Board, or designated authority)
  4. Communicate updated policies to all personnel
  5. Obtain and document acknowledgments from all personnel
  6. Establish annual policy review schedule
  7. Integrate policy updates into onboarding process

Timeline: 4-6 weeks for policy updates, signatures, and acknowledgments

2. Access Control Gaps

Findings:

  • Users with excessive access not aligned to job duties
  • Access reviews incomplete, not performed regularly, or not documented
  • Terminated users retaining system access beyond termination date
  • No evidence of approval before access provisioning
  • Shared or generic user accounts used instead of individual accounts

Remediation Steps:

  1. Conduct immediate access review across all systems (sample 10-20% of active users)
  2. Document job descriptions and expected access for each role
  3. Remediate excessive access through deprovisioning or role adjustment
  4. Implement quarterly access review process
  5. Require written approval for all new access requests
  6. Automate access provisioning where possible
  7. Implement automated deprovisioning for terminated employees
  8. Migrate shared accounts to individual accounts

Timeline: 2-4 weeks for emergency access cleanup, ongoing for process implementation

3. Change Management Gaps

Findings:

  • Changes implemented without documented approval
  • Risk assessments not completed before changes
  • Production changes not tested in non-production environment
  • Change documentation is incomplete or post-implementation
  • No evidence of change communication to affected teams

Remediation Steps:

  1. Define change management process with clear approval authorities
  2. Implement change management tool (Jira, ServiceNow, Atlassian)
  3. Require change request submission before implementation
  4. Establish change advisory board (CAB) for approval
  5. Document testing procedures and results
  6. Require business and security approval before production deployment
  7. Maintain configuration management database (CMDB) with current state
  8. Conduct monthly change management audits

Timeline: 2-4 weeks for process definition, 8-12 weeks for tool implementation

4. Training and Competence Gaps

Findings:

  • Training completion records incomplete or missing
  • Personnel cannot articulate understanding of security responsibilities
  • No evidence that training was effective or that competency was assessed
  • Training content outdated or doesn't reflect current policies
  • New employees not trained before access provisioning

Remediation Steps:

  1. Establish training curriculum for each role (general awareness, role-specific, compliance-specific)
  2. Implement training tracking system (LMS) with completion records
  3. Conduct annual refresher training for all personnel
  4. Add new hire security orientation to onboarding process
  5. Assess competency through quizzes, practical exercises, or interviews
  6. Document training completion with dates and attendees
  7. Update training content annually based on changing threats and policies

Timeline: 4-8 weeks for LMS setup, 3-4 months for personnel training completion

5. Vendor Risk Management Gaps

Findings:

  • Missing vendor security assessments (no SAQ responses or SOC 2 reports)
  • Vendor SOC 2 reports outdated (> 12 months old)
  • No documented risk assessment for vendors accessing sensitive data
  • Third-party subprocessors not assessed or not approved
  • No contractual requirements for data protection

Remediation Steps:

  1. Conduct vendor inventory (identify all vendors accessing or processing data)
  2. Classify vendors by risk tier (critical, high, medium, low)
  3. Request security questionnaires (SIG Lite format) from all vendors
  4. Request current SOC 2 reports from critical vendors (< 12 months old)
  5. Assess vendor risk using scorecard (20+ criteria)
  6. Develop remediation plans for high-risk vendors
  7. Ensure Data Processing Agreements (DPA) for all data-handling vendors
  8. Conduct quarterly vendor assessments for critical vendors

Timeline: 4-8 weeks for vendor assessment completion

6. Monitoring and Logging Gaps

Findings:

  • Insufficient logging of security-relevant events
  • Logs not retained for required duration (typically 1 year)
  • No alerting or monitoring of suspicious activity
  • Logs not regularly reviewed for anomalies
  • Logging disabled on critical systems

Remediation Steps:

  1. Implement centralized logging (syslog, CloudWatch, Datadog, Splunk)
  2. Configure logging for all security-relevant events:
    • User authentication (successes and failures)
    • Access to sensitive data
    • Configuration changes
    • Administrative actions
  3. Establish log retention policy (minimum 1 year, 90 days readily available)
  4. Implement alerting for critical events (failed authentication attempts, privilege escalation)
  5. Conduct daily/weekly log review and analysis
  6. Generate trending reports for management review
  7. Integrate logs with SIEM (Security Information and Event Management)

Timeline: 2-4 weeks for logging infrastructure, 4-8 weeks for tuning and process

7. Backup and Recovery Gaps

Findings:

  • Backups not being taken (job failures not detected)
  • Backups not tested regularly (restore procedures not validated)
  • Backup recovery time and data loss not documented (no RTO/RPO)
  • Backups not encrypted or not stored securely
  • Backups stored on-site without off-site copy

Remediation Steps:

  1. Implement backup solution with automated, daily backups
  2. Verify backup jobs complete daily (implement monitoring/alerting)
  3. Test backup recovery quarterly (document RTO/RPO achieved)
  4. Maintain off-site backup copies (geographic diversity)
  5. Encrypt backups both in transit and at rest
  6. Restrict access to backups (follow least privilege principle)
  7. Document backup procedures and recovery procedures
  8. Train personnel on backup/recovery procedures
  9. Maintain backup logs with verification that recovery tested

Timeline: 2-4 weeks for backup solution implementation, 8-12 weeks for testing and validation

Post-Audit Corrective Action Management

Audit completion marks the beginning of remediation. Most audits result in findings that require correction and demonstration of remediation to auditors. Effective corrective action management ensures findings are addressed thoroughly and timely.

Corrective Action Framework

Classification of Audit Findings

Different frameworks classify findings differently, but generally follow this pattern:

SOC 2 Type II:

  • Non-conformities: Control not operating as designed (leads to audit opinion exception)
  • Observations: Control design improvement opportunity (noted in audit report)

ISO 27001:

  • Major non-conformities: Control not implemented (audit failure)
  • Minor non-conformities: Control partially implemented or documentation gaps
  • Observations: Improvement opportunities

PCI DSS:

  • Non-compliances: Control not met (prevents compliance status)

Corrective Action Planning Process

Step 1: Assess Finding Severity

For each finding, determine:

  • Is compliance status at risk? (critical, high-priority)
  • Is control completely absent or partially operating? (major vs. minor)
  • What is the business/security impact of the gap?
  • How long will remediation take?

Step 2: Root Cause Analysis

Determine why the control gap exists:

  • Was control designed but not implemented?
  • Was control implemented but not maintained?
  • Was control not designed at all?
  • Is there a process/procedure issue?
  • Is there a resource or training issue?

Step 3: Develop Remediation Plan

For each finding, document:

  • Remediation action (specific task to address the finding)
  • Root cause (why the gap occurred)
  • Responsible party (person/team accountable)
  • Target completion date
  • Success criteria (how will we verify remediation?)
  • Resource requirements (budget, tools, training)
  • Risk if not remediated (business impact of continued gap)

Example remediation plan entry:

Finding: Access reviews not performed in Q3 2024
Severity: Major non-conformity (access control critical)
Root cause: Change in responsibility, no documented procedure, no tool
Remediation action:
  - Document access review procedure (1 week)
  - Implement access review tool (2 weeks)
  - Conduct backdated Q3 2024 access review (2 weeks)
  - Establish quarterly review schedule (ongoing)
Responsible: CISO
Target date: 2025-02-15
Success criteria: All users reviewed, exceptions documented, manager sign-off
Resources: Access review tool license ($5K/year), 40 hours staff time

Step 4: Implement Remediation

Execute remediation actions according to plan:

  • Assign specific tasks to team members
  • Establish milestones and checkpoints
  • Track progress against timeline
  • Document all remediation activities
  • Verify remediation effectiveness before closure

Step 5: Gather Remediation Evidence

Collect evidence demonstrating remediation completion:

  • Screenshots showing control implementation
  • Log evidence of control operation post-remediation
  • Testing results validating control effectiveness
  • Documentation of remediation activities
  • Approval/sign-off of remediation

Step 6: Audit Follow-Up and Verification

Provide remediation evidence to auditors for verification:

  • Submit evidence to auditors 1-2 weeks post-audit
  • Allow auditors to verify control operation
  • Address any additional questions or requests for clarification
  • Auditors issue remediation completion confirmation

Corrective Action Timeline

Remediation timelines depend on finding severity:

Finding SeverityISO 27001 TimelineSOC 2 TimelinePCI DSS Timeline
Major/Critical4-6 weeksBefore report issuedBefore AoC issued
Minor8-12 weeks90 days post-report4-12 weeks
Observations6-12 monthsImprovement opportunityNo deadline

Most auditors expect major findings to be remediated before final report issuance or certification, while minor findings can be addressed within a defined post-audit window.

Corrective Action Tracking

Maintain a corrective action log tracking:

  • Finding ID and description
  • Severity and audit framework
  • Remediation status (open, in progress, completed)
  • Target completion date
  • Actual completion date
  • Evidence location
  • Verification date
  • Responsible party

Use this tracking in management reviews and board reporting to demonstrate progress addressing audit findings.

Continuous Compliance Monitoring Post-Certification

Achieving certification is not an endpoint—it marks the beginning of continuous compliance monitoring and maintenance. Organizations must maintain control effectiveness between audits and demonstrate continuous improvement.

Post-Certification Compliance Maintenance

Monthly Activities:

  • Monitor control effectiveness through automated systems
  • Review security logs and alerts
  • Track open incidents and remediation
  • Monitor patch deployment and vulnerability remediation
  • Verify backup job completion and test restoration procedures

Quarterly Activities:

  • Conduct access reviews
  • Update risk assessment based on new threats
  • Review vendor security posture
  • Perform vulnerability scans
  • Update awareness training content
  • Report compliance metrics to management

Annual Activities:

  • Comprehensive internal audit
  • Policy review and updates
  • Security awareness training completion
  • Vendor security assessments
  • Penetration testing (PCI DSS required)
  • Management review and strategic planning
  • Prepare for annual surveillance audit

Surveillance and Re-Certification Audits

ISO 27001 Surveillance Audits

Annual 1-2 day audits occurring each year post-certification:

  • Auditor verifies continued control operation
  • Tests sample of controls (not full audit)
  • Reviews management review and effectiveness assessment
  • Assesses preventive and corrective actions
  • Identifies any new non-conformities

SOC 2 Type II Annual Reports

Annual SOC 2 audits provide continuous assurance:

  • Auditor performs full control testing over 12-month period
  • Reports on full observation period (July of prior year - June of current year)
  • Organization receives new SOC 2 Type II report annually
  • Reports provide continuous assurance to customers

PCI DSS Annual Assessments

Annual QSA assessments or self-assessments validate continued compliance:

  • Quarterly vulnerability scans required year-round
  • Annual penetration testing by independent tester
  • Annual network verification and configuration review
  • Updated Attestation of Compliance each year

Connecting Audit Preparation to the Broader Program

Audit preparation is the final stage in the Compliance Risk Assessment Program workflow. This article builds on the foundational work from previous stages:

  • Stage 1: Framework selection establishes which certifications your organization pursues
  • Stage 2: Gap analysis identifies control gaps requiring implementation
  • Stage 3: FAIR risk quantification justifies investment in control remediation
  • Stage 4: Vendor risk assessment identifies third-party control gaps
  • Stage 5: Budget planning funds audit fees and remediation costs
  • Stage 6: Incident response planning ensures breach notification readiness
  • Stage 7: Continuous monitoring provides ongoing evidence collection
  • Stage 8: Audit preparation (this article) executes evidence gathering and control testing

Essential Tools for Audit Preparation

Three tools support critical audit preparation activities:

1. Incident Response Playbook Generator

Use the Incident Response Playbook Generator to develop framework-specific breach response procedures:

  • GDPR data breach notification procedures (72-hour timeframe)
  • HIPAA breach notification requirements (60-day timeframe)
  • PCI DSS incident response procedures
  • Incident severity classification and escalation procedures
  • Automated RACI matrix for incident response roles
  • Notification templates for regulatory authorities and affected individuals
  • Timeline checklists for compliance with regulatory requirements

This tool accelerates development of incident response documentation that auditors evaluate during control testing.

2. SLA/SLO Calculator

Use the SLA/SLO Calculator to establish and document service level targets:

  • Define incident response SLOs (e.g., response time < 30 minutes for critical incidents)
  • Calculate availability targets and downtime budgets
  • Define compliance SLAs (e.g., access request fulfillment < 30 days)
  • Document RTO and RPO targets for business continuity
  • Generate SLA tracking dashboards for management review
  • Create SLO monitoring baselines before audit period

Documented, measured SLOs provide concrete evidence of control effectiveness during audits.

3. Cybersecurity Budget Calculator

Use the Cybersecurity Budget Calculator to justify remediation investments:

  • Calculate total cost of compliance program (tools, personnel, external assessments)
  • Model audit costs and certification fees
  • Estimate remediation costs for identified gaps
  • Demonstrate ROI through risk reduction quantification
  • Benchmark against industry standards and peer organizations
  • Forecast budget requirements for multi-year compliance program

This tool supports management and board engagement needed to fund audit preparation and remediation activities.

Best Practices for Successful Audits

  1. Start Planning Early - Begin audit preparation 6 months before target audit date
  2. Automate Evidence Collection - Implement continuous monitoring tools to reduce manual effort
  3. Engage External Support - Auditors or consultants can identify gaps and accelerate remediation
  4. Document Everything - Auditors prioritize organizations with clear evidence trails
  5. Test Controls Before Audit - Pre-audit testing identifies gaps for remediation
  6. Assign Clear Responsibilities - Designate evidence collection owners for each control
  7. Maintain Executive Engagement - Compliance requires sustained leadership and budget commitment
  8. Build Compliance Culture - Educate personnel on importance of control compliance
  9. Plan for Findings - Expect findings and build time for remediation into timeline
  10. Monitor Post-Audit - Maintain controls and evidence collection between audits

Conclusion

Audit preparation transforms compliance foundations into formal, third-party validated certification. Whether pursuing SOC 2 Type II for enterprise customers, ISO 27001 for international operations, or PCI DSS for payment processing, successful audits require systematic evidence collection, rigorous control testing, and expert execution.

The key to audit success is treating preparation as a strategic, planned initiative—not a last-minute scramble. Organizations that begin planning 6 months before the audit date, implement continuous evidence collection, and conduct pre-audit gap assessments achieve compliance with fewer findings and at lower cost than those that delay preparation.

By understanding your framework's specific requirements, establishing clear evidence collection processes, and testing controls before the formal audit begins, you can navigate the audit process confidently and achieve the certification that differentiates your organization in the market.

Ready to prepare for your compliance audit? Use our Incident Response Playbook Generator, SLA/SLO Calculator, and Cybersecurity Budget Calculator to accelerate audit preparation and ensure control effectiveness.

Simplify Your Compliance Journey

Our vCISO services help you navigate complex regulations and maintain continuous compliance.

Explore Compliance ServicesLearn About vCISO

Related Tools

📋

Incident Response Playbook & Runbook Generator

Create customized IR playbooks for ransomware, data breaches, DDoS, and operational runbooks for deployments and outages. Includes compliance guidance (GDPR, HIPAA, PCI-DSS), team roles, and export to PDF/Markdown

SecurityTry it →
🎯

SLA/SLO Calculator

Calculate service level objectives, error budgets, burn rates, and downtime costs. Compare multi-tier SLAs based on Google SRE best practices

PlanningTry it →
💰

Cybersecurity Budget Calculator

Calculate recommended cybersecurity budget based on industry benchmarks, compliance needs, and risk factors

PlanningTry it →

Related Articles

SOC 2 Compliance Services - Get Certified in 3-6 Months

SOC 2 Compliance Services - Get Certified in 3-6 Months

We help B2B SaaS and technology companies achieve SOC 2 Type I and Type II certification in months, not years — turning compliance from a sales blocker into your competitive advantage.

How to conduct a GDPR compliance audit?

How to conduct a GDPR compliance audit?

A step-by-step guide to conducting a comprehensive GDPR compliance audit, including assessment frameworks, documentation review, and remediation planning.

How often should you reassess vendor security?

How often should you reassess vendor security?

Develop effective vendor security assessment schedules, understand reassessment frequency requirements, and implement continuous monitoring strategies.