The overall ISMS scope is broken down into greater detail, typically by generating an ISMS audit workplan/checklist (please see the appendices for two generic examples).
Note: the generic example workplan/checklists supplied with this guideline are not intended to be used without due consideration and modification. This paper is merely a general guideline. It is anticipated that ISMS auditors will normally generate a custom workplan/checklist reflecting the specific scope and scale of the particular ISMS being audited, taking into account any information security requirements that are already evident at this stage (such as information-security relevant laws, regulations and standards that are known to apply to similar organizations in the industry). Also, the audit workplan/checklist may be modified during the course of the audit if previously underappreciated areas of concern come to light.
The overall timing and resourcing of the audit is negotiated and agreed by management of both the organization being audited and the ISMS auditors, in the form of an audit plan. Conventional project planning techniques (such as GANTT charts) are normally used.
Audit plans identify and put broad boundaries around the remaining phases of the audit. It is common to make preliminary bookings for the formal audit report/discussion meeting to allow participants to schedule their attendance.
Audit plans often also include “checkpoints”, that is specific opportunities for the auditors to provide informal interim updates to their management contacts including preliminary notification of any observed inconsistencies or potential nonconformities etc. Interim updates also provide opportunities for the auditors to raise any concerns over limited access to information or people, and for management to raise any concerns over the nature of the audit work. While the auditors are necessarily independent of the organization, they must establish a level of trust and a cooperative working environment in order to engage sufficiently and obtain the information necessary to audit the ISMS.
Finally, the timing of important audit work elements may be determined, particularly in order to prioritize aspects that are believed to represent the greatest risks to the organization if the ISMS are found to be inadequate.
The output of this phase is the (customized) audit workplan/checklist and an audit plan agreed with management.
for more information please visit AECISO