What to check 90 days before your certification audit
A concrete countdown for the last 90 days before Stage 2, focused on what must already be true and cannot be manufactured at the last minute.
By Kellwick Team · April 15, 2026 · 3 min read
The Stage 2 certification audit tests whether your ISMS actually runs, not whether you can produce documents on request. Ninety days out is enough time to fix real gaps and too late to fake history. Here is what to check, in order of what hurts most if it is missing.
Confirm scope, risk and Statement of Applicability agree
These three documents have to tell the same story. Auditors read them side by side.
- Scope should reflect what you actually operate: products, teams, locations, cloud environments.
- Risk assessment should be current, with owners and treatment decisions, not a spreadsheet last touched a year ago.
- Statement of Applicability should justify every included and excluded control, and match the risks you identified.
If your scope says one thing and your SoA another, that is a finding waiting to happen. Reconcile them now.
Check that evidence exists across the whole period
This is the item you cannot rescue late. Certification expects your ISMS to have been operating, typically for at least three months. Auditors sample across that window, so evidence has to be continuous, not concentrated in the fortnight before the audit.
For the core operational controls, confirm you have records spread across the period:
- Access reviews performed on schedule.
- Vulnerability scans and remediation.
- Change and release records.
- Incident tickets, if any, handled per your process.
- Supplier and risk reviews at their stated cadence.
A cluster of activity dated last week tells the auditor the process is not real. Continuity is the point.
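As an added illustration (not part of the original article), a small Python check of the continuity argument above: for each control it reports the largest gap between consecutive evidence records across an assumed 90-day operating window, treats a control with no records at all as failing, and shows how much of the evidence is bunched into the final fortnight. The evidence log, window dates and cadences are constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample evidence log: (control, date the record was produced).
# Hypothetical data for illustration, not records from any real ISMS.
EVIDENCE = [
    ("access_review", date(2026, 1, 20)),
    ("access_review", date(2026, 2, 19)),
    ("access_review", date(2026, 3, 20)),
    ("vuln_scan", date(2026, 4, 2)),   # all scans bunched into the final fortnight
    ("vuln_scan", date(2026, 4, 9)),
    ("vuln_scan", date(2026, 4, 14)),
]
# Assumed maximum acceptable days between consecutive records per control.
CADENCE_DAYS = {"access_review": 31, "vuln_scan": 14, "supplier_review": 45}
# Assumed 90-day operating window the auditor will sample across.
WINDOW_START, WINDOW_END = date(2026, 1, 15), date(2026, 4, 15)

def continuity_report(records, window_start, window_end, cadence_days, recent_days=14):
    """Return {control: {...}} describing whether evidence is continuous across
    the window. A control passes only if it has at least one record and no gap
    (including the gaps to the window edges) exceeds its cadence. recent_share
    is the fraction of records dated in the last `recent_days` of the window."""
    by_control = defaultdict(list)
    for control, d in records:
        if window_start <= d <= window_end:
            by_control[control].append(d)
    recent_cutoff = window_end - timedelta(days=recent_days)
    report = {}
    for control, max_gap in cadence_days.items():
        dates = sorted(by_control.get(control, []))
        points = [window_start, *dates, window_end]
        largest_gap = max((b - a).days for a, b in zip(points, points[1:]))
        recent = sum(1 for d in dates if d > recent_cutoff)
        report[control] = {
            "records": len(dates),
            "largest_gap_days": largest_gap,
            "recent_share": recent / len(dates) if dates else 0.0,
            "ok": bool(dates) and largest_gap <= max_gap,
        }
    return report

def sample_report():
    """Run the check over the constructed log and window."""
    return continuity_report(EVIDENCE, WINDOW_START, WINDOW_END, CADENCE_DAYS)

if __name__ == "__main__":
    for control, r in sample_report().items():
        status = "OK " if r["ok"] else "GAP"
        print(f"{status} {control:16} records={r['records']} "
              f"largest_gap={r['largest_gap_days']}d recent_share={r['recent_share']:.0%}")
```

In the constructed data the monthly access reviews pass, the vulnerability scans fail because the first 77 days of the window have no record, and the supplier review fails because nothing was recorded at all.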
Run a genuine internal audit
An internal audit is mandatory, and it must be real. It should cover the ISMS clauses and the Annex A controls in scope, be performed by someone independent of the work they review, and produce written findings.
Do not run it as a rubber stamp. Findings are healthy - they show the system detects its own weaknesses. Give yourself enough time to close or credibly progress them before Stage 2.
Hold management review with real inputs
Management review is a required input to certification. It needs leadership present and genuine decisions recorded. At 90 days, confirm you have held one - or have one scheduled - that covers the standard inputs: audit results, risk changes, incidents, objectives, resources and improvement actions.
If your only management review is a thin calendar entry with no decisions, expect a nonconformity. Auditors read the minutes.
Work your corrective actions to closure
Every finding from internal audit, management review or day-to-day operation should sit in a tracked corrective action log with an owner, a root cause and a target date. Ninety days out:
- Close what you can, with evidence of the fix.
- For open items, show they are progressing, not stalled.
- Make sure nothing has been quietly dropped.
An empty corrective action log is not a good sign. It usually means the system is not looking hard enough at itself.
Rehearse the walkthrough
Pick a few controls and trace them end to end, as an auditor would. Can the named owner explain the control and produce evidence without a scramble? If a control owner cannot speak to their own control, no document will save the interview.
Bottom line
Ninety days is the window where readiness is still fixable. Scope alignment, continuous evidence, a real internal audit, a substantive management review and a live corrective action log are the things that cannot be assembled overnight. A focused readiness review now will tell you which of these is thin while there is still time to act.
Need a second pair of eyes before the auditor does?
A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.