ISO 19011 section 4 covers the principles of auditing. Rather than duplicate ISO 19011, this section need only cover any aspects that are different or particularly relevant to ISMS audits such as …
- Important but generic audit principles e.g. independent evaluation against agreed criteria, plus more specific principles aimed at ISMS audits
- In all matters related to the audit, the ISMS auditor should be independent of the auditee in both attitude and appearance. The ISMS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.
- Information security is a dynamic field with frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors auditing information security controls should maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organizational situation (e.g. changing business processes and relationships, technology changes).