Most ISMS-related terms used in ISO 27001 are.
[Note: various general audit terms that are defined in ISO 19011 should be referenced here in place of the following working definitions.]
- Audit – the process by which a subject area is independently reviewed and reported on by one or more competent auditors on behalf of stakeholders
- Audit checklist – a structured questionnaire or workplan to guide the auditors in testing the area being audited
- Audit evidence – information gathered from the area being audited such as written documentation, computer printouts, interviews and observation
- Audit finding – the auditor’s summary/description and analysis of an inadequately mitigated risk to the organization
- Audit observation – an advisory point raised by the auditors, on which action is optional; it carries less weight than an audit recommendation
- Audit plan or programme – a project plan for an audit laying out the main audit activities and their timing
- Audit recommendation – a corrective action proposed to address one or more identified audit findings; it must be addressed before the ISMS can be certified or recertified
- Audit report – a formal report to management documenting the key findings and conclusions of the audit
- Audit risk – the potential for an audit to fail to meet its objectives, for example by using unreliable, incomplete or inaccurate information
- Audit schedule – a diary of planned audits
- Audit subject – the in-scope organization(s), or parts of an organization, being audited
- Audit test – a check conducted by the auditors to verify whether a control is effective, efficient and adequate to mitigate one or more risks to the organization
- Audit work papers – documents written by the auditors recording their examination, findings and analysis of the ISMS, including completed audit checklists
- Compliance audit – a type of audit specifically designed to assess the extent to which the audit subject conforms to stated requirements
- ISMS audit – an audit centred on the organization’s Information Security Management System (ISMS)
- Risk-based audit – an audit planned on the basis of an assessment of risks