How to Prepare for ISO Certification Audit in 90 Days: Practical Week-by-Week Plan

Ninety days is the minimum runway you need to prepare for an ISO certification audit without burning out the team. With less time, you slip into firefighting mode and accumulate findings; with more, the team loses focus and starts polishing documents instead of strengthening real processes.

This article is the full 12-week roadmap: five phases, a master checklist with 50+ items, a separate compressed plan for those who only have 30 days, and notes on the Ukrainian market for bilingual readers. The material is built on 200+ certification audits we've supported across ISO 9001, ISO 22000, FSSC 22000 and industry standards over the last 12 years.

For a quick view of the logic, here is a week-by-week summary. Each phase is unpacked in detail below.

An ISO certification audit is an independent assessment performed by an accredited certification body (CB) to verify that a management system meets the requirements of a specific standard: ISO 9001, ISO 14001, ISO 45001, ISO 22000, FSSC 22000 and others. The audit runs in two stages: Stage 1 (documentation review) and Stage 2 (on-site implementation check). Based on the result, the certification body issues a certificate valid for three years, with annual surveillance audits in between.

The methodology itself is described in ISO 19011:2018, and the requirements for the certification bodies sit in ISO/IEC 17021-1 plus the IAF mandatory documents. Translation: the auditor's behaviour, the sampling depth and the evaluation criteria are not arbitrary. Your team can prepare for the exact structure the CB will follow.

The most common failure pattern: starting preparation only when the audit date is already on the calendar. Two or three weeks is not enough to gather three months of records, run a real internal audit, or close out corrective actions. The auditor sees a documentation-only system and writes major findings that block the certificate.

Across 200+ supported audits, we see a consistent split in how much runway clients give themselves:

• 38% start with about 30 days, panic, and typically collect 3-7 minor + 1-2 major findings;
• 42% start 60-90 days out and pass confidently, averaging 1-3 minor findings without any majors;
• 20% start 6+ months ahead and lose focus, the team burns out, documents get reorganised five times, and the real processes do not get any stronger.

Ninety days is the balance point: enough time to collect a full quarter of evidence, but short enough that the team keeps momentum. Less and you have no evidence; more and prioritisation breaks down.

The first three weeks are about an honest assessment of your starting position. Without that, any plan turns into 'treatment for imaginary illnesses'. The audit-readiness scan is a structured gap analysis against every clause of the standard, giving the team a map of what works, what works only on paper, and what is missing entirely.

Gap analysis methodology:

1. Build a table of clauses for the standard (for ISO 9001 that means clauses 4.1 to 10.3).
2. For each clause, assign a status: 'implemented + evidence', 'implemented on paper', 'partial', 'missing'.
3. For every 'partial' and 'missing', estimate the risk (major / minor / observation) and the workload in hours.
4. Run interviews with process owners (30-45 minutes each) to validate the self-assessment.
5. Walk the gemba: shadow 2-3 production processes with the operator.

The main deliverable for Phase 1 is a prioritised gap report. Without that document, the remaining nine weeks become chaotic. If the team has no experience running a gap analysis solo, this is the moment to bring in an independent readiness assessment. An external pair of eyes typically uncovers another 30-40% of gaps that the internal team no longer notices through habit.

Useful Phase 1 helpers:

• a clause-by-clause checklist of the standard with status fields;
• a process matrix (process owner, document, input, output, KPI);
• a top-15 risk map of gaps with a 'time vs priority' trade-off scoring.

From Phase 1 you walk in with a list of gaps. Phase 2 is the systematic closure of documentation and procedural shortfalls. The aim here is not to write elegantly, but to phrase procedures so that an operator can follow them without an extra explanation from the supervisor.

How to prioritise:

1. Major risks first, the gaps that lead to a major NCR (for example, no procedure for control of nonconforming product, or no management review in the last year).
2. Then minor risks, formal shortfalls that the auditor will flag as minor (outdated document versions, missing logs).
3. Finally, observations, items that do not block the certificate but improve the system.

Procedures that typically need rework:

• control of documented information (often outdated versions still in circulation);
• control of nonconforming product and CAPA;
• internal audit (programme and procedure);
• management review (agenda, inputs, outputs);
• risk management (risk register or equivalent);
• competence and training records.

We broke down the recurring problem zones that show up audit after audit in a separate guide, see the top 15 typical certification audit nonconformities for the detail.

The 'one process owner per document' principle: every procedure has a single owner accountable for keeping it current. If 'everyone is responsible', no one is, and that is the fastest route to outdated documents in circulation.

The Phase 2 deliverable is an updated documentation set with signed versions, numbered revisions and a clear distribution list. For businesses preparing for ISO 9001, the minimum pack is 6 mandatory documented procedures, plus the quality policy and objectives. For ISO 22000, add the full HACCP documentation, PRP programmes, and a verification plan.

Auditors do not believe words. They believe records: completed logs, protocols, reports, checklists with real dates and signatures. Phase 3 is the systematic collection of evidence covering the last three months of system operation, plus preparation for traceability tests.

Cadence of record collection:

For the three months before the audit, every key record needs to be maintained daily, per shift, or weekly, at the frequency the procedure prescribes. During Stage 2, the auditor will sample requests like 'show me the CCP monitoring log for 14 March at 14:00', and a single missed shift triggers an NCR against §8.5.4 of ISO 22000 or §7.1.5 of ISO 9001.

Evidence categories that are checked most often:

• process monitoring logs (temperature, pressure, time, concentration);
• calibration and verification records for measuring equipment;
• internal audit reports and management review minutes;
• training records with attendee signatures and effectiveness evaluations;
• supplier evaluation backed by actual data for the period;
• nonconforming product logs, customer complaints, and CAPA registers.

Traceability test: the auditor picks one batch of finished product and asks you to walk it back to raw materials, supplier, operators, equipment, and process parameters. In the food sector, this is a mandatory part of Stage 2. A ready traceability test is 4-6 hours of team work that reproduces the path 'shipment, warehouse, packaging, production, raw materials' with all supporting documents in a single pack.

The Phase 3 deliverable is the evidence pack: a folder (physical or electronic) with all completed records for the three-month window, sorted by clause, plus 1-2 ready traceability scenarios.

An internal audit is a mandatory requirement of any ISO standard and at the same time the best rehearsal for the certification audit. The CB auditor in Stage 2 will first check whether the internal audit ran, whether it covered all processes, and whether the findings were closed out.

Internal audit methodology (per ISO 19011):

1. Programme, a year ahead, with priorities based on risk and a frequency for each process.
2. Plan for a specific audit, area, clauses, auditor, date, duration, interviewees.
3. Checklist, clause + question + evidence point + result.
4. Audit on site, interviews + observations + records review + finding identification.
5. Report, finding-level (NC / OFI / observation), referencing the clause and evidence.
6. CAPA, correction + corrective action + verification of effectiveness.

A CAPA template that works:

Critical: by Stage 2, every CAPA from the internal audit must be either closed or in scheduled execution with documented progress. 'Planned and nothing done' is an automatic minor finding.

The Phase 4 deliverable is the internal audit report with all findings, a populated CAPA tracker, and evidence of corrective actions completed. It is worth holding a management review immediately after the internal audit, so top management formally records the results and approves resources for CAPA.

The last week is not for new system work, but for preparing the team as the audience the auditor will face. A mock interview is a simulation of the real audit: one of the internal auditors (or an external consultant) plays the CB auditor and asks the same questions that will come up in Stage 2.

Who to prepare first:

• top management (questions about policy, objectives, management review, resources);
• Quality manager (the whole system, broad sweep);
• process owners (their processes, in depth);
• operators (3-5 key questions on procedures they run every day).

Interview technique: the auditor is not running an exam, they are gathering evidence. The employee's job is to show that they know the procedure, where the document lives, and how the work is actually done day to day. There is no need to memorise clauses of the standard, just speak confidently about your own work.

Preparing the opening and closing meetings:

• a room with a projector, a workspace for the auditor, Wi-Fi and printer access;
• attendee list for the opening meeting (top manager + Quality + process owners);
• agenda and timetable agreed with the auditor in the audit plan;
• a 5-7 minute company presentation (structure, product, certification scope);
• an escort for the auditor on site (who walks them through the production area).

For a day-by-day breakdown of how a certification audit actually unfolds, see our piece on what to expect during Stage 2 of the certification audit. Knowing the sequence in advance lowers team anxiety and lets people demonstrate the system at work.

The Phase 5 deliverable is a confident team, an agreed audit plan, prepared logistics, and a ready evidence pack consolidated in one place.

This checklist consolidates all five phases. Use it as a working tool: tick off completed items, record the owner, and watch the deadline. The 'Hours' column gives a rough estimate for a business with 50-150 employees; for larger sites, multiply by 1.5-2.

Reality is sometimes harsh: the Stage 2 date is locked in, postponing is impossible, and you only have a month. In that scenario, the 90-day plan needs to be compressed, but not uniformly. Some phases must be cut hard, others should not be skipped at all. Here is the compressed plan we use as our 'Plan B'.

Week 1: Major risks only

• A rapid gap scan over the top-10 typical major zones (documented information, NCR, IA, MR, CAPA, scope, policy, objectives, resources, training).
• An external pre-audit is mandatory; it shows what to rescue first.
• Role split inside the team: who is responsible for what under tight deadlines.

Week 2: Documentation minimum

• Close only the procedures whose absence equals an automatic major NCR (DCP, NCP, IA, MR, CAPA, risk register).
• Resist the urge to rewrite everything; concentrate on 6-8 critical documents.
• Roll out the updated versions to the floor and pull the old ones.

Week 3: Records sprint + internal audit

• Collect every record that is genuinely being kept (do not invent the past, that is an automatic NCR).
• Run an internal audit in 2-3 days with 1-2 auditors.
• Close critical CAPAs at the correction level (systemic actions can follow after certification).

Week 4: Mock + logistics

• Mock interviews with top management and process owners (1-2 days).
• Assemble the evidence pack with what you actually have.
• Logistics, agenda, presentation.

What NOT to do under time pressure:

• Falsifying records retroactively. An experienced auditor spots it within a minute (one pen colour, one signature date, perfect handwriting).
• 'Polishing' documents for the fifth time. A working document beats a perfect piece of paper.
• Drilling staff to recite clauses the day before the audit. It produces hesitation, not evidence.

If rescheduling by even 4 weeks is possible, reschedule. Losing four weeks is cheaper than a major NCR and a repeat CB visit.

If you are operating in or supplying the Ukrainian market, three local nuances affect how your team should prepare. We have grouped them in one place rather than scattering them through the article, so that international readers can skip the section if it is not relevant.

1. Language during the audit

If the certification body is international (DNV, SGS, BV, TÜV, DQS), part of the interview can be conducted in English, especially with top management and the Quality manager. Local Ukrainian auditors typically run the audit in Ukrainian, but documentation for international bodies should be available in English, or at minimum with English-language summaries. Prepare 1-2 staff members who can speak confidently about the system in English; that alone removes half of the team's stress.

2. National accreditation vs international CB

In Ukraine, both nationally accredited certification bodies (under NAAU) and international CBs with IAF accreditation are active. The audit approach is similar, but there are differences in documentation depth and clause interpretation. Before selecting a CB, confirm that its certificate will be accepted by your customers, particularly for EU export markets that expect IAF-recognised accreditation.

3. Typical timelines for food + QMS

Based on our experience across 200+ audits, typical Stage 2 duration for Ukrainian companies looks like this:

• ISO 9001 (QMS) for businesses with 50-100 employees: 2 audit days;
• ISO 22000 / FSSC 22000 for food production (1 site): 3-4 days;
• IFS / BRCGS for retail suppliers: 2-3 days (more focus on product safety).

For multi-site or large operations, duration is calculated using IAF MD 5:2023, which is the mandatory reference for CBs when computing audit time.

For Ukrainian food companies there is one extra nuance: integration of the audit system with national food safety authority requirements. Monitoring logs already maintained for national supervision typically cover ISO 22000 §8 in roughly 80% of cases, provided the format is detailed enough.

If this is your first international audit, consider a pre-audit from a consultant with sector-specific experience: the difference between a DNV auditor's approach and a TÜV auditor's approach lives in the details that an experienced eye catches but a first-timer cannot anticipate.

We collected eight questions teams ask most often in the first weeks of preparation. If your situation is more specific, get in touch and we will look at your case directly.