Widely Used Terms & Definitions in ISO 27001

Most ISMS-related terms used in ISO 27001 are.

[Note: various general audit terms that are defined in ISO 19011 should be referenced here in place of the following working definitions.]

  • Audit – the process by which a subject area is independently reviewed and reported on by one or more competent auditors on behalf of stakeholders
  • Audit checklist – a structured questionnaire or workplan to guide the auditors in testing the area being audited
  • Audit evidence – information gathered from the area being audited such as written documentation, computer printouts, interviews and observation
  • Audit finding – the auditor’s summary/description and analysis of an inadequately mitigated risk to the organization
  • Audit observation – an optional or advisory audit recommendation which carries less weight than an audit recommendation
  • Audit plan or programme – a project plan for an audit laying out the main audit activities and their timing
  • Audit recommendation – a corrective action proposed to address one or more identified audit findings, which must be addressed prior to certification or recertification of the ISMS
  • Audit report – a formal report to management documenting the key findings and conclusions of the audit
  • Audit risk – the potential for an audit to fail to meet its objectives, for example by using unreliable, incomplete or inaccurate information
  • Audit schedule – a diary of planned audits
  • Audit subject – the in-scope organization/s, or parts of an organization, which are being audited
  • Audit test – a check conducted by the auditors to verify whether a control is effective, efficient and adequate to mitigate one or more risks to the organization
  • Audit work papers – documents written by the auditors recording their examination, findings and analysis of the ISMS, including completed audit checklists
  • Compliance audit – a type of audit specifically designed to assess the extent to which the audit subject conforms to stated requirements
  • ISMS audit – an audit centred on the organization’s Information Security Management System (ISMS)
  • Risk-based audit – an audit planned on the basis of an assessment of risks
