Typical audit preparation in the mid-market: 3 months of collecting evidence in Excel, 1 month of polishing, 1 week of audit, 4 weeks of follow-up. Half of that effort exists only because the evidence is scattered across a dozen tools. Here is the playbook that brings the whole cycle down to 4 weeks.
Why Classical Audit Preparation Takes 4 Months
- Evidence scattered: risk register in Excel, controls in Confluence, asset list in a third Excel, suppliers in a fourth, logs in 5 tools.
- Version chaos: which policy is in force? Who last signed it? When?
- Manual cross-mapping: ISO 27001 A.5.34 ↔ which control ↔ which evidence ↔ which finding from the last audit.
- Reviews overdue: 30% of policies are more than a year old with no documented review.
- Employee recollection as evidence: "When did you last do this?" asked in a survey is the source. Not audit-grade.
The 4-Week Playbook
Week 1: Inventory From the Platform
- Statement of Applicability (SoA): exported from the ISMS module. Control ↔ status ↔ responsible owner ↔ effectiveness rating.
- Risk register: current state with treatment status and last review date per risk.
- Asset list: complete, with protection need, lifecycle, owner.
- Supplier list: from the TPRM module with risk score, contract status, last reassessment.
- 12-month incident history: from Wazuh + audit log, no cherry-picking.
- Audit trail of all relevant approvals: risk acceptance, policy updates, change approvals.
If the platform can deliver these exports within a day, roughly 75% of the classical preparation time disappears.
Week 2: Gap Analysis and Quick Wins
- Close review-cycle gaps: identify every policy, control and asset without a current review, run the review workflow and document the outcome.
- Add effectiveness evidence: every claimed control gets a concrete evidence item in the system (screenshot, configuration export, log excerpt), linked to the control.
- Trigger supplier reassessments: any supplier whose last reassessment is older than 12 months receives a self-service questionnaire request.
- Awareness training evidence: training completion rates and the latest phishing simulation as a PDF report.
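The Week 2 checks above are mechanical once the Week 1 exports exist, so they belong in a script rather than in someone's head. The following is an added example, not code from the page or from any ISMS product: it runs the four gap checks (review overdue, effectiveness not evidenced, owner missing or departed, supplier reassessment due) over a small constructed SoA and supplier export. The field names, the 12-month threshold and the sample records are assumptions chosen for illustration; map them to whatever your platform exports.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: review cycle and supplier reassessment interval are both 12 months.
MAX_AGE = timedelta(days=365)


@dataclass
class Control:
    """One row of a Statement of Applicability export (assumed field names)."""
    control_id: str
    owner: Optional[str]
    owner_active: bool              # False if the named owner has left the company
    last_review: Optional[date]     # None = never reviewed
    effectiveness: Optional[str]    # e.g. "effective", "partially"; None = not rated
    evidence: List[str] = field(default_factory=list)  # evidence item references


@dataclass
class Supplier:
    """One row of a TPRM export (assumed field names)."""
    name: str
    last_reassessment: Optional[date]


Gap = Tuple[str, str]  # (gap kind, object id)


def find_gaps(controls: List[Control], suppliers: List[Supplier], as_of: date) -> List[Gap]:
    """Return every gap an auditor would raise, as (kind, id) pairs, sorted for stable output."""
    cutoff = as_of - MAX_AGE
    gaps: List[Gap] = []
    for c in controls:
        # A review that never happened or is older than the cycle is a "review overdue" finding.
        if c.last_review is None or c.last_review < cutoff:
            gaps.append(("review_overdue", c.control_id))
        # "Control claimed, but effectiveness not evidenced": needs both a rating and a linked item.
        if c.effectiveness is None or not c.evidence:
            gaps.append(("effectiveness_not_evidenced", c.control_id))
        # No owner, or an owner who has left, means nobody can answer for the control in the interview.
        if c.owner is None or not c.owner_active:
            gaps.append(("owner_missing", c.control_id))
    for s in suppliers:
        if s.last_reassessment is None or s.last_reassessment < cutoff:
            gaps.append(("supplier_reassessment_due", s.name))
    return sorted(gaps)


def count_by_kind(gaps: List[Gap]) -> dict:
    """Summarise the gap list per kind, which is what goes into the Week 2 status report."""
    counts: dict = {}
    for kind, _ in gaps:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample export (not real data); AS_OF is the day the analysis is run.
AS_OF = date(2025, 3, 1)
SAMPLE_CONTROLS = [
    Control("A.5.1", "CISO", True, date(2024, 11, 10), "effective", ["EV-101"]),       # clean
    Control("A.5.34", "DPO", True, date(2023, 12, 1), "effective", []),               # review old, no evidence
    Control("A.8.16", "J. Doe", False, date(2024, 9, 15), None, ["EV-240"]),          # owner left, not rated
    Control("A.8.8", None, True, None, "partially", ["EV-300"]),                      # no owner, never reviewed
]
SAMPLE_SUPPLIERS = [
    Supplier("CloudHost GmbH", date(2024, 6, 1)),   # within 12 months
    Supplier("PrintShop AG", date(2023, 10, 20)),   # older than 12 months
    Supplier("NewVendor", None),                    # never assessed
]

if __name__ == "__main__":
    found = find_gaps(SAMPLE_CONTROLS, SAMPLE_SUPPLIERS, AS_OF)
    for kind, obj in found:
        print(f"{kind:28} {obj}")
    print(count_by_kind(found))
```

Each (kind, id) pair maps directly to a task in the system: a review workflow to run, an evidence item to attach, an owner to reassign, or a supplier questionnaire to send. Running the script again after the quick wins should return an empty list, which is the exit criterion for Week 2.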
Week 3: Cross-Framework Mapping and Pre-Audit
- Cross-framework mapping: ISO 27001 ↔ NIS-2 ↔ GDPR automatic from the multi-framework module. Gaps in one framework become visible in the others.
- Internal pre-audit: a 2-day structured self-assessment against the audit question catalog. Findings are documented directly in the system.
- Fix top findings: typically 5–10 quick fixes (missing signature, outdated document, missing owner).
Week 4: Audit Companion
- Auditor access: read-only access to the trust center or a dedicated auditor view, scoped to the audit period and logged. The auditor sees evidence live instead of waiting for PDF packages.
- Accompanying interviews prepared: owner per control knows where evidence lives.
- Track live findings: every finding immediately becomes a task in the system – follow-up starts during the audit.
The Two Most Common Findings That a Platform Avoids
- "Control claimed, but effectiveness not evidenced." With continuous platform maintenance, the effectiveness rating and a linked evidence item are mandatory fields per control.
- "Review cycle overdue." With review cycle management: reviews are triggered and documented before the auditor asks.
The Effort Table
| Phase | Classic (person-days) | With platform (person-days) |
|---|---|---|
| Collect evidence | ~40 PD | ~5 PD |
| Version/owner clarification | ~15 PD | ~2 PD |
| Cross-mapping | ~10 PD | ~1 PD |
| Gap closure | ~25 PD | ~10 PD |
| Pre-audit | ~10 PD | ~5 PD |
| Total | ~100 PD | ~25 PD |
75 PD (roughly €50,000 of internal effort) saved per audit cycle. With an annual surveillance audit, the platform pays for itself through saved preparation time alone.
What Management Doesn't Want to Hear in the Audit
- "I'm still looking for the evidence for this control."
- "I can't reach the owner anymore, they left 6 months ago."
- "We have the policy but don't know which version is current."
- "The risk acceptance was decided verbally."
Each of these sentences leads to a finding. Findings in an ISO audit are expensive: additional checks, a follow-up audit, and in the worst case a delayed certificate.
Conclusion
Audit prep in 4 instead of 16 weeks isn't magic; it's a question of data hygiene. A platform that holds ISMS data in one source, with maintained reviews, an audit trail, and cross-framework mapping, turns the audit into a session rather than a quarterly drama. The ROI comes from the saved internal preparation time alone, before the actual security upside of the platform is even counted.