1 Scope
Defining the scope of the audit, audit types
The word audit comes from the Latin "audire", to listen.
Audit: a systematic and independent survey to determine whether activities and results comply with pre-established measures and are capable of achieving the objectives.
Audits are either internal or external.
Internal audits, also called first party audits, are a requirement of the ISO 27001 standard (cf. sub-clause 9.2).
External audits, whether by a customer (or external provider) or by a certification body, also called second and third party audits, are not within the scope of this module.
Internal audits are the most widespread tool for checking and evaluating the effectiveness of an information security management system (ISMS). They are never intended to find fault with individuals. The internal audit has entered many companies' daily lives, as it has become inseparable from:
- any management system
- internal communication
- daily improvement
- corporate culture
"It's only through other people's eyes that one can really see one's weakness." (Chinese proverb)
An internal audit can cover (cf. figure 1-1):
- the information security management system
- a process
- a product (service, project)
Figure 1-1. Internal audit types
Process: activities that transform inputs into outputs
The internal audit results are part of the inputs of the management review and allow the identification of fields in which to improve the information security management system, since no system is perfect.
As shown in figure 1-2, for the process "Perform an audit", top management (via the management review) is considered as an audit client with needs and expectations, which are themselves related to the processes and various requirements.
Figure 1-2. Perform an audit process
In the 1980s internal audits were mostly documentary - did you write down what you do?
Later, in the early 2000s, internal audits were more about conformity - does what you do meet the requirements of the standard?
Now internal audits are essentially about effectiveness - how do you improve your performance?