CIAM Compliance Audit Prep: A 45-Day Playbook for SOC 2, ISO 27001, GDPR Readiness
Updated 2026-05-07
Prerequisites
- CIAM in production with audit logging enabled
- Compliance framework target identified (SOC 2 Type II, ISO 27001, HIPAA, GDPR, etc.)
- Security team or external auditor engaged
- Documentation platform for control evidence (Notion, Confluence, Vanta, Drata, Secureframe)
Phases
- 1. Control mapping and gap analysis (10 days)
- 2. Evidence collection automation (14 days)
- 3. Policy documentation and runbooks (14 days)
- 4. Mock audit and remediation (7 days)
CIAM is the access-control surface that auditors scrutinize first: authentication, MFA, session management, audit trails, user lifecycle, and privacy controls all live here. A 45-day audit prep playbook gets the CIAM evidence in shape before the auditor arrives. This applies to SOC 2 Type II, ISO 27001, HIPAA Security Rule, GDPR Article 32, and the various regional equivalents; the controls cover largely the same surface area.
Phase 1, Control mapping and gap analysis (10 days)
Before collecting evidence, know what controls apply and where the CIAM contributes.
Framework selection. Which compliance framework drives the audit? SOC 2 Type II is the most common for B2B SaaS; ISO 27001 is common in Europe and enterprise contracts; HIPAA for health data; PCI DSS for payment data; GDPR for any EU data. Start with the primary framework; secondary frameworks usually share controls.
Control catalogue. Map the framework's controls to the CIAM's contribution. SOC 2 Trust Services Criteria most relevant to CIAM:
- CC6.1, Logical and physical access controls
- CC6.2, Authentication of users
- CC6.3, Authorization of access
- CC6.6, Logical access additions / removal
- CC6.7, Restriction of access (logging, monitoring)
- CC7.2, Detection and monitoring of security events
- A1, Availability commitments
ISO 27001 Annex A: A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), A.8.5 (secure authentication).
GDPR: Article 25 (data protection by design), Article 32 (security of processing), Article 30 (records of processing).
Gap analysis. For each in-scope control, document the current state:
- Implemented and evidence available
- Implemented but evidence not collected
- Partially implemented
- Not implemented
The first category needs verification; the others need work in subsequent phases.
Phase 2, Evidence collection automation (14 days)
Audit evidence collected manually doesn't scale. Build the automation that makes evidence reproducible.
Audit log retention. Confirm CIAM audit logs are retained per the compliance period (SOC 2: 12+ months typically, HIPAA: 6 years). Auditors will ask for samples covering the audit window.
MFA enrollment evidence. Per-user MFA status report. Auditors will ask "what percentage of privileged users have MFA enrolled?"; have the query ready.
Access review evidence. Quarterly access reviews where an admin verifies user access is appropriate. Most CIAM platforms ship some access review tooling; many teams supplement with Vanta/Drata/Secureframe automation.
Provisioning and deprovisioning evidence. SCIM event logs showing user provisioning and deprovisioning round-trips. Auditors check that deprovisioning happens within the policy window (typically 24 hours for B2B SaaS, 1 hour for high-sensitivity).
Session management evidence. Session timeout configuration, refresh token rotation enabled, password policy meeting the framework's requirements (typically 12+ chars, breached-credential check).
Encryption evidence. TLS 1.2+ everywhere, encryption at rest for the user database, password hashes in approved algorithms (bcrypt, argon2id, PBKDF2 with sufficient iterations).
Authentication event reports. Successful sign-ins, failed sign-ins, MFA challenges, suspicious activity detected. Aggregate reports for the audit window.
Compliance platform integration. Vanta, Drata, Secureframe integrate with major CIAM platforms (Okta, Auth0, Microsoft Entra) and pull evidence automatically. For self-hosted or smaller CIAM products, write the integration yourself: an audit script that queries the CIAM's API and pushes the results to the compliance platform's evidence library.
Phase 3, Policy documentation and runbooks (14 days)
Auditors want documented policies with evidence of operation. Documentation is half the audit.
Access control policy. Who can access what, under what conditions. The policy document references the CIAM's role model, MFA requirements, session management, and recovery procedures.
Identity lifecycle policy. How users are provisioned (signup, invite, SCIM), how they're deprovisioned (off-boarding, SCIM removal, manual revocation), how access reviews happen.
Authentication policy. Required factors per role tier, password policy, MFA requirements, session lifetime, recovery flow.
Incident response policy. What happens when a credential is compromised, when MFA is bypassed, when an admin account is suspected breached. Reference the CIAM's session invalidation, token revocation, and audit log query procedures.
Data protection policy. GDPR/CCPA-mandated procedures: data export on request, data deletion on request, consent management, data retention, breach notification timeline.
Vendor management. If the CIAM is managed (Auth0, Microsoft, Stytch, etc.), the vendor's SOC 2 / ISO 27001 attestation is part of the audit evidence. Collect the vendor's compliance reports; document the vendor risk assessment.
Runbooks for ops. Documented procedures the on-call team follows: MFA reset, password reset for locked-out admin, suspected account compromise, signing key rotation. Auditors interview ops staff to confirm runbooks are followed in practice.
Phase 4, Mock audit and remediation (7 days)
Before the real auditor arrives, run a mock audit with internal or external review.
Sample evidence requests. Pull a random sample of users and produce evidence: when they were provisioned, what role they have, last sign-in, MFA status, last access review. Confirm the evidence is retrievable in minutes, not days.
Sample deprovisioning trace. Pick a recently off-boarded user. Trace: notice of off-boarding, deprovisioning timestamp in the CIAM, SCIM event from the IdP, downstream service revocations. Confirm the trace is complete and within the policy window.
Sample suspicious activity response. Pull a recent flagged authentication event. Trace: detection, alert, response action, ticket, resolution. Confirm the workflow followed the incident response policy.
Auditor walkthrough rehearsal. With a colleague playing the auditor, walk through the controls. Where the team stumbles, the documentation needs improvement.
Remediation. Issues identified in the mock audit are fixed before the real audit. Common gaps: stale access reviews, missing deprovisioning evidence for one-off off-boardings, undocumented exceptions to the password policy.
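As an added example (not the playbook's own tooling, and not any vendor's API), the script below produces three of the artifacts named under evidence collection in Phase 2 and sampled in Phase 4: the privileged-user MFA coverage figure, the deprovisioning trace graded against the 24-hour policy window (including the "notice but no SCIM deletion" gap that one-off off-boardings leave), and a per-user evidence packet. It runs over constructed sample records embedded inline; the directory fields and event names (`offboarding.notice`, `scim.user.deleted`, `auth.signin.success`) are assumptions standing in for whatever your CIAM's export and audit log actually emit.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values, taken from the playbook's B2B SaaS defaults.
PRIVILEGED_ROLES = {"admin", "owner"}
DEPROVISION_SLA = timedelta(hours=24)

# Constructed sample user directory export (field names are assumptions,
# not a specific vendor's schema).
USERS = [
    {"user": "alice", "role": "admin", "mfa_enrolled": True, "provisioned": "2025-06-01T10:00:00Z"},
    {"user": "bob", "role": "admin", "mfa_enrolled": False, "provisioned": "2025-07-15T09:00:00Z"},
    {"user": "carol", "role": "owner", "mfa_enrolled": True, "provisioned": "2025-01-20T14:00:00Z"},
    {"user": "dave", "role": "member", "mfa_enrolled": False, "provisioned": "2025-11-03T16:00:00Z"},
]

# Constructed sample audit log (one dict per event, ISO 8601 UTC timestamps).
AUDIT_LOG = [
    {"ts": "2026-03-01T09:00:00Z", "event": "offboarding.notice", "user": "bob"},
    {"ts": "2026-03-01T15:30:00Z", "event": "scim.user.deleted", "user": "bob"},
    {"ts": "2026-03-02T08:00:00Z", "event": "auth.signin.success", "user": "alice"},
    {"ts": "2026-03-05T08:15:00Z", "event": "auth.signin.success", "user": "alice"},
    {"ts": "2026-03-10T08:00:00Z", "event": "offboarding.notice", "user": "dave"},
    {"ts": "2026-03-12T10:00:00Z", "event": "scim.user.deleted", "user": "dave"},
    {"ts": "2026-03-15T12:00:00Z", "event": "offboarding.notice", "user": "erin"},
]


def parse_ts(value):
    """Parse the log's 'Z'-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_coverage(users, privileged_roles=PRIVILEGED_ROLES):
    """Answer 'what percentage of privileged users have MFA enrolled?'.

    Returns (enrolled, privileged_total, percent, non_enrolled_usernames) so the
    report names the accounts that need remediation, not just the number.
    """
    privileged = [u for u in users if u["role"] in privileged_roles]
    missing = sorted(u["user"] for u in privileged if not u["mfa_enrolled"])
    enrolled = len(privileged) - len(missing)
    percent = 100.0 * enrolled / len(privileged) if privileged else 0.0
    return enrolled, len(privileged), percent, missing


def deprovisioning_report(log, sla=DEPROVISION_SLA):
    """Pair each offboarding notice with its SCIM deletion and grade the gap.

    Status is 'within_sla', 'breach', or 'missing' (a notice with no deletion
    event at all, the one-off off-boarding gap auditors commonly find).
    """
    notices, deletions = {}, {}
    for rec in log:
        if rec["event"] == "offboarding.notice":
            notices.setdefault(rec["user"], parse_ts(rec["ts"]))
        elif rec["event"] == "scim.user.deleted":
            deletions.setdefault(rec["user"], parse_ts(rec["ts"]))
    report = []
    for user in sorted(notices):
        deleted = deletions.get(user)
        if deleted is None:
            report.append({"user": user, "status": "missing", "elapsed_hours": None})
            continue
        elapsed = deleted - notices[user]
        report.append({
            "user": user,
            "status": "within_sla" if elapsed <= sla else "breach",
            "elapsed_hours": elapsed.total_seconds() / 3600,
        })
    return report


def user_evidence(username, users=USERS, log=AUDIT_LOG):
    """Build the per-user packet an auditor samples: provisioning time, role,
    MFA status, and last successful sign-in (None if never seen in the window)."""
    record = next((u for u in users if u["user"] == username), None)
    if record is None:
        return None
    signins = [parse_ts(r["ts"]) for r in log
               if r["event"] == "auth.signin.success" and r["user"] == username]
    last = max(signins).strftime("%Y-%m-%dT%H:%M:%SZ") if signins else None
    return {
        "user": username,
        "role": record["role"],
        "provisioned": record["provisioned"],
        "mfa_enrolled": record["mfa_enrolled"],
        "last_signin": last,
    }


if __name__ == "__main__":
    enrolled, total, pct, missing = mfa_coverage(USERS)
    print(f"Privileged MFA coverage: {enrolled}/{total} ({pct:.1f}%), not enrolled: {missing}")
    for row in deprovisioning_report(AUDIT_LOG):
        print(row)
    print(user_evidence("alice"))
```

On the sample data this reports 2 of 3 privileged users with MFA (bob missing), bob deprovisioned in 6.5 hours, dave in 50 hours (a breach of the 24-hour window), and erin with a notice but no deletion event. Wiring the three functions to a scheduled job that writes their output to the compliance platform's evidence library is the "scripted" automation the day-45 checklist asks for; the point of returning structured rows rather than printing is that the same output can be asserted on in CI so the evidence job itself is tested.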
Anti-patterns to avoid
- Treating compliance as a one-time event. Audits recur annually; the controls need to operate continuously, not just look good for the audit window. Evidence automation is the difference.
- Skipping the gap analysis. Going into the audit without knowing where the gaps are guarantees findings.
- No vendor evidence collection. Auditors will ask about vendor compliance posture; have SOC 2 reports for every vendor in the access path ready.
- Manual evidence collection. Pulling reports by hand for each control doesn't scale; the audit takes weeks instead of days, and the next audit starts from scratch.
- Documenting policies the team doesn't follow. Auditors interview ops staff; if the policy says one thing and the practice is different, the auditor flags it.
- Underestimating the access review burden. Quarterly access reviews are a recurring obligation; without tooling, they consume meaningful engineering time.
What success looks like at day 45
- Control catalogue mapped to CIAM contributions for the target framework.
- Evidence automation pulling evidence on a recurring basis (compliance platform or scripted).
- Policy documentation comprehensive, current, and matching practice.
- Runbooks tested via mock interviews; ops team can answer auditor questions.
- Mock audit complete with findings remediated before the real audit.
- Vendor compliance evidence collected for the CIAM and adjacent vendors.
For specific compliance contexts, see the GDPR and CIAM guide, the CCPA and CIAM guide, and the data residency guide. For the audit-relevant CIAM operational primitives, see the SCIM provisioning guide and the session management guide.