You’ve just learned you’re facing a security audit. Maybe a client is requiring it. Maybe your insurance provider wants an assessment. Maybe you’re pursuing a compliance certification.

If you’ve never been through this before, it can feel overwhelming. Here’s how to prepare.

Understanding What’s Coming

What is a security audit?

An audit is a systematic review of your security controls. Depending on the type, it might include:

• Document review (policies, procedures, records)
• Technical assessment (configurations, vulnerabilities)
• Interviews (how things actually work in practice)
• Testing (can controls be bypassed?)

Common audit types for SMBs:

• Essential Eight assessment: Evaluates your maturity across the ACSC’s eight strategies
• ISO 27001 audit: Formal certification of your information security management system
• Client security questionnaire: A client’s assessment of your security as a supplier
• Insurance assessment: Evaluation to qualify for or renew cyber coverage
• Penetration test: Technical testing for vulnerabilities (often part of broader audit)

Who conducts audits?

• External auditors (for certification or formal assessments)
• Your clients’ security teams
• Your insurance provider’s assessors
• Internal audit (for larger organisations)
• Consultants you’ve engaged

The Preparation Timeline

4-6 weeks before:

• Understand the scope. What specifically will be assessed? Which systems, processes, and time period? Get this in writing.

• Request the questionnaire or framework. If it’s a client assessment, ask for their questionnaire in advance. If it’s Essential Eight, review the maturity model.

• Assign responsibility. Someone needs to own the preparation. They’ll coordinate documentation, schedule interviews, and track readiness.

3-4 weeks before:

• Inventory your documentation. Gather existing policies, procedures, and records. Common requests include:

  • Information security policy
  • Acceptable use policy
  • Incident response plan
  • Access management procedures
  • Backup and recovery documentation
  • Training records
  • Previous assessments or audit reports
  • Network diagrams

• Identify gaps. Compare your documentation to audit requirements. What’s missing? What’s outdated?

• Start filling gaps. You probably won’t create everything from scratch, but you can update what you have and document what you’re actually doing.

2 weeks before:

• Review technical controls. For each area the audit covers, verify controls are actually in place:

  • Is MFA enabled where it should be?
  • Are patches current?
  • Are backups running and tested?
  • Are access permissions appropriate?

• Test your claims. If your documentation says you do something, verify it. Auditors will check.

• Prepare key staff. If there will be interviews, let people know what to expect. They should answer honestly, not try to game the audit.

1 week before:

• Organise evidence. Create a folder (physical or digital) with all documentation organised by audit area.

• Brief the team. Make sure everyone involved knows the schedule, what they might be asked, and who to contact with questions.

• Check the basics. Systems you’ll demonstrate should be working. Meeting rooms should be booked. Access for auditors should be arranged.

During the Audit

Be honest. If you don’t do something, say so. Auditors can tell when people are bluffing, and getting caught in a lie is far worse than admitting a gap.

Provide what’s asked for. Don’t over-share, but don’t be evasive. Answer questions directly and provide requested evidence promptly.

Document questions and requests. Keep a log of what the auditor asks for. This helps if there are disputes and informs future preparations.

Don’t make excuses. If there’s a gap, acknowledge it. Auditors appreciate directness. Save the explanations for when they’re relevant.

Ask for clarification. If you don’t understand a question or requirement, ask. It’s better than guessing wrong.

Common Audit Findings for SMBs

Based on audits I’ve seen, here are frequent issues:

Documentation gaps:

• No written security policy
• Incident response plan is outdated or untested
• No records of security training
• Access management is informal

MFA coverage:

• MFA not enabled everywhere it should be
• Admin accounts without MFA
• Exceptions without documentation

Patch management:

• Systems not fully patched
• No defined patching schedule
• Network devices forgotten

Access control:

• Over-privileged accounts
• Former employees with active access
• Shared accounts without accountability

Backup and recovery:

• Backups not tested
• Recovery time objectives not defined
• Backups accessible to potential ransomware

Vendor management:

• No inventory of third-party access
• No security requirements for vendors
• No review of vendor security

After the Audit

Review findings carefully. Understand what was identified and why. Don’t be defensive - most findings are legitimate improvement opportunities.

Prioritise remediation. You probably can’t fix everything immediately. Focus on high-risk findings first. Create a realistic timeline for others.

Document your response. For each finding, record:

• What the issue was
• What you’re doing about it
• Target completion date
• Who’s responsible

Track progress. Regular check-ins on remediation status. Leadership should see this reporting.

Plan for next time. What would have made this audit easier? Build those improvements into your ongoing security program.

Tips for Specific Audit Types

Essential Eight assessment:

• Self-assess against the maturity model before the audit
• Have evidence of each control’s implementation
• Be realistic about your maturity level - auditors will test claims

Client security questionnaires:

• Answer every question (no blanks)
• Where you don’t meet requirements, explain your compensating controls
• Be prepared to provide evidence for key claims
• Negotiate on unrealistic requirements (some are copy-pasted from enterprise standards)

Insurance assessments:

• Accuracy matters - misrepresentation can void coverage
• Document any controls you’ve implemented since last renewal
• Ask what would improve your premium or coverage

ISO 27001 certification:

• This requires an established ISMS (Information Security Management System)
• Allow 6-12 months of preparation for first certification
• Stage 1 audit reviews documentation; Stage 2 audit tests implementation
• Consider a consultant if this is your first certification

The Right Mindset

Audits aren’t about catching you out. They’re about identifying risks and opportunities for improvement.

A good audit should feel like a collaboration, not an interrogation. The auditor wants to understand your environment accurately. You want to understand where your real risks lie.

Even if the audit identifies significant gaps, that’s valuable information. Better to learn from an audit than from a breach.

Approach it with openness and curiosity. What will you learn about your security posture? What improvements will this drive?

That mindset transforms audits from stressful ordeals into valuable exercises. And it makes the next one much easier.