Reporting is an important part of the audit process, and an involved sub-process all by itself.
A typical ISMS audit report contains the following elements, some of which may be split into appendices or separate documents:
- Title and introduction naming the organization and clarifying the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
- An executive summary indicating the key audit findings, a brief analysis and commentary, and an overall conclusion, typically along the lines of “We find the ISMS compliant with ISO/IEC 27001 and worthy of certification”.
- The intended report recipients plus (since the contents may be confidential) appropriate document classification or restrictions on circulation.
- An outline of the auditors’ credentials, audit methods etc.
- Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids comprehension.
- The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans, depending on local practices.
- A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats with respect to the audit.
- Depending on normal audit practices, management may be invited to provide a short commentary or formal response, accepting the results of the audit and committing to any agreed actions.
It is important that there is sufficient, appropriate audit evidence to support the results reported. Audit’s quality assurance processes therefore ensure that ‘everything reportable is reported and everything reported is reportable’, normally based on a review of the audit file by a senior auditor. The wording of the draft audit report is checked to ensure readability, avoiding ambiguity and unsupported statements. When approved by audit management for circulation, the draft audit report is usually presented to and discussed with management. Further cycles of review and revision of the report may take place until it is finalized. Finalization typically involves management committing to the action plan.
In addition to the formal audit recommendations relating to any major non-conformance, auditors sometimes provide audit observations on minor non-conformance and other advice, for instance potential process improvements or good practice suggestions from their experience with other organizations. These may or may not be part of the formal audit report, depending on local practices. While such observations and advice will not preclude certification of the ISMS, they will be recorded on the audit file and may trigger follow-up audit work in a future surveillance or recertification audit. The auditors believe that it is in the organization’s best interests to address all recommendations and observations, although the organization’s management must decide what to do and when to do it, if at all.
The output of this phase is a completed ISMS audit report, signed, dated and distributed according to the terms of the audit charter or engagement letter.