Lesson 1, Topic 1

Audit planning

Not only do the controls described above help to maintain or even improve the ISMS, but an internal audit is also the best way to check the whole company and to verify whether the ISMS is actually practised and understood. For this purpose we offer you the document “Audit Program”, in which you can document your planned audits.

Tip: A plan could look like this:

  • Up to 9 weeks before the audit – Preparation of content and structure
  • Up to 6 weeks before the audit – Inform employees about the planning
  • Approx. 4 – 5 weeks before the audit – Performance of an internal audit (dress rehearsal)
  • Up to 2 weeks before the audit – Perform the management assessment
  • Up to 1 week before the audit – Communicate rules of conduct for the external audit to employees

Tip: In order to have more than one audit in your audit plan, you can also split the scope by department and schedule, for example, five audits (one per department) instead of a single large audit.

For the internal audit process there is a document “Procedure Audits”, which should explain why the regulations have been made and what quality expectations are placed on their implementation. In other words, the importance of the procedure should be explained. Good reasons for this are the control, maintenance and improvement of your information security level.

General questions arise:

  • What should be audited?
  • Which auditor or auditors should perform the audit?
  • What type of audit is chosen?
  • What costs are involved?
  • What does the formal agreement of an audit look like?

There are several possible answers to the question of what is to be audited: for example, the entire ISMS, individual business processes or individual departments can be selected. In most cases, however, limiting the scope is less useful, and a complete ISMS audit can be more efficient.

The auditor(s) should always be objective and neutral. Therefore, you may not, for example, choose the consultant who helped implement the ISMS as auditor. For internal audits, there should be sufficient objectivity and neutrality with regard to the ISMS, but also sufficient expertise, such as IT knowledge. In some cases, for example in very small companies, full neutrality is not possible; for internal purposes this is still acceptable. For external auditors, you can ask for the following qualifications to be demonstrated:

  • Realized projects
  • If available, accreditations of institutions
  • Completed training or certificates
  • Audit experience in your own industry?

What types of audit are there?
There are the following five different types:

  • Pre-audit: Serves to establish the status of the ISMS and is usually carried out at the beginning of an ISMS implementation. Is conformity with the standard already achieved or not?
  • Internal audit: The internal audit is used for control after the ISMS has been introduced and as a dress rehearsal before the certification audit. This method can also be used to check conformity with the standard.
  • Certification audit: Serves to certify the ISMS and is conducted by one or more external auditors.
  • Surveillance audit: After successful certification, surveillance audits by one or more external auditors are usually carried out at 12-month intervals throughout the validity of the certificate (3 years).
  • Re-certification audit: Before the certificate expires, compliance with the standard is checked again and, in case of conformity, the certificate is extended for a further three years. External auditors are also used here.

What costs are involved?
This question depends on many factors, such as who is being certified, the maturity of the ISMS, the size of the company, whether it is a first certification or a re-certification, etc.
For a rough estimate of the total costs, you are welcome to contact us.

The formal agreement of an audit provides for the following:

  • Written agreement with all key data, objectives, conditions and audit objects. You should also determine the dates and locations. Here the two extremes mark the limits: on the one hand, coordinated locations, dates and contents; on the other hand, a surprise audit.
  • An additional confidentiality clause, as the auditor will gain insight into your sensitive company data.
  • A deadline by which the audit report must be completed (e.g. up to two weeks after the audit), as details can be lost over time.
  • For external audits, the written agreement is a must; for internal audits it is a recommendation.
  • During the audit, use the completed Statement of Applicability (SoA), as it contains all references to the respective policies and controls as well as the chapters of the standard.