This section should document activities involved in managing (i.e. planning, controlling and overseeing) the ISMS audit such as …
- Advice on planning and scoping individual ISMS audits within the overall audit work programme, e.g. the idea of combining wide but shallow ISMS audits with more narrow but deeper audits on areas of particular concern.
- ISMS audits at multi-site organizations including multinationals and ‘group’ structures, where comparisons between the ISMSs in operation within individual business units can help share and promote good practices
- Auditing business partners’ ISMSs, emphasizing the value of ISO/IEC 27001 certification as a means of gaining a level of confidence in the status of their ISMSs without necessarily having to do the audit work
- Developing an internal program for auditing the ISMS. From an IRCA point of view you develop an Audit Plan when preparing to audit an organization. This plan is derived from the “Scope of Registration” document that an individual fills out when requesting a certification audit from a registrar. Besides the scope of registration the domain definition will also feed the audit plan.