Step 10 to certification: external audit
The final important step to certification
December 2, 2025
Stephan Brinkhuis
An auditor is not an adversary but acts as a mirror to show you how your organization functions
Step 10: The external audit - what is really happening behind the scenes?
This is Step 10 in our series “In 10 Steps to Certification”. You have made all the preparations: policy is in place, risks have been assessed, control measures are in place and improvement cycles are running. Then comes the moment that matters: the external audit. For many organizations, this feels exciting - and I understand that. As lead auditor, I see daily how teams prepare, what they run into and what questions they didn't see coming. That's why I take you through what the process looks like, what we do as auditors, and most importantly, how you stay relaxed and audit-proof.
What does the audit process look like?
The certification that follows is not only official proof that you meet the standard, but also that your organization is living up to its own commitments. But what exactly happens during those audits? What steps do you go through? And what questions can you expect?
Year 1: The initial audit - Phase 1 and Phase 2
Phase 1: Documentation review
This is the “design check.” I look to see if your management system is logically built and ready for the practical test in Phase 2. Consider:
- Is the scope clear?
- Are risks properly identified and assessed?
- How do you ensure that employees know the policies?
Phase 2: The practical test
Now it gets exciting: is your organization working as agreed? I check this through interviews, sampling and evidence. Examples of questions:
- How do you monitor KPIs?
- Can you give examples of incidents and how they were handled?
- To employees, “What do you do if you discover a security incident?”
Years 2 and 3: Surveillance audits
These audits are smaller, but I check that your system is alive. Typical questions:
- What changes have there been since the last audit?
- How do you ensure continuity during growth or personnel changes?
Year 4: Restarting the cycle
The recertification audit is similar to Phase 2, but often slightly less in-depth. Still, those who make continuous adjustments need not stress here.
What I often see going wrong
- Too much focus on documents: A fancy handbook is not enough. It's about behavior.
- No evidence at hand: If I ask for a log or vendor review, I want to see it right away.
- Unprepared employees: They do not need to know the text of the standard, but they do need to know their roles.
How uComply helps to be audit-proof
With uComply, you have everything in one place: documentation, risks, supporting documents. And thanks to the AI consultant, you can even simulate audit questions and find answers instantly. That saves stress as well as time.
Conclusion
Think of an audit not as an exam, but as an opportunity to show how well your organization is working. An auditor is not an adversary, but a mirror. The better prepared you are, the more value you get from that mirror.