During this phase, the ISMS auditors determine the main area(s) of focus for the audit and any areas that are explicitly out of scope, normally based on an initial risk-based assessment plus discussion with those who commissioned the ISMS audit. Information sources include general research on the industry and the organization, previous ISMS and perhaps other audit reports, and ISMS documents such as the Statement of Applicability, Risk Treatment Plan and ISMS Policy.
The ISMS auditors should ensure that the scope ‘makes sense’ in relation to the organization. The audit scope should normally match the scope of the ISMS being certified. For example, large organizations with multiple divisions or business units may have separate ISMSs, a single all-encompassing enterprise-wide ISMS, or some combination of local and centralized ISMSs. If the ISMS certification covers the entire organization, the auditors may need to review the ISMS in operation at all business locations, or at least at a representative sample of them, such as the headquarters and a selection of discrete business units chosen by the auditors.
The auditors should pay particular attention to information security risks and controls associated with information conduits to other entities (organizations, business units etc.) that fall outside the scope of the ISMS, for example checking the adequacy of information security-related clauses in Service Level Agreements or contracts with IT service suppliers. This process should be easier where the out-of-scope entities have been certified compliant with ISO/IEC 27001.
During the pre-audit survey, the ISMS auditors identify and ideally make contact with the main stakeholders in the ISMS, such as the ISM manager(s), security architects, ISMS developers, ISMS implementers and other influential figures such as the CIO and CEO, taking the opportunity to request pertinent documentation etc. that will be reviewed during the audit. The organization normally nominates one or more audit “escorts”: individuals who are responsible for ensuring that the auditors can move freely about the organization and rapidly find the people, information etc. necessary to conduct their work, and who act as management liaison points.
The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or similar. Contact lists and other preliminary documents are also obtained, and the audit files are opened to hold the documentation (audit working papers, evidence, reports etc.) arising from the audit.