1 Scope

Defining the scope of the audit, audit types


The word audit comes from the Latin "audire", to hear.

Audit: a systematic and independent survey to determine whether activities and results comply with pre-established measures and are capable of achieving the objectives

Audits are mostly internal or external.

Internal audits, also called first party audits, are a requirement of the ISO 27001 standard (cf. sub-clause 9.2).

External audits, i.e. customer (or external provider) audits and certification audits, also called second and third party audits respectively, are not within the scope of this module.

Internal audits are the most widespread tool for checking and evaluating the effectiveness of an information security management system (ISMS). They are never intended to find fault with individuals. The internal audit has entered many companies' daily lives as it has become inseparable from:

"It's only through other people's eyes that one can really see one's weakness." (Chinese proverb)

An internal audit can be of several types (cf. figure 1-1):

Figure 1-1. Internal audit types

Process: activities that transform inputs into outputs

The internal audit results are part of the inputs of the management review and allow the identification of fields in which to improve the information security management system, as no system is perfect.

As shown in figure 1-2, for the process "Perform an audit", top management (via the management review) is considered as the audit client, with needs and expectations which are themselves related to the processes and their various requirements.

Figure 1-2. Perform an audit process

In the 1980s internal audits were mostly documentary: did you write down what you do?

Later, in the early 2000s, internal audits were more about conformity: does what you do meet the requirements of the standard?

Now internal audits are essentially about effectiveness: how do you improve your performance?
