Audit – the process by which a subject area is independently reviewed and reported on by one or more competent auditors on behalf of stakeholders
Audit checklist – a structured questionnaire or workplan to guide the auditors in testing the area being audited
Audit evidence – information gathered from the area being audited such as written documentation, computer printouts, interviews and observation
Audit finding – the auditor’s summary/description and analysis of an inadequately mitigated risk to the organization
Audit observation – an optional or advisory audit recommendation which carries less weight than an audit recommendation
Audit plan or programme – a project plan for an audit laying out the main audit activities and their timing
Audit recommendation – a corrective action that is proposed to address one or more identified audit findings, that must be addressed prior to certification or recertification of the ISMS
Audit report – a formal report to management documenting the key findings and conclusions of the audit
Audit risk – the potential for an audit to fail to meet its objectives, for example by using unreliable, incomplete or inaccurate information
Audit schedule – a diary of planned audits
Audit subject – the in-scope organization/s, or parts of an organization, which are being audited
Audit test – a check conducted by the auditors to verify whether a control is effective, efficient and adequate to mitigate one or more risks to the organization
Audit work papers – documents written by the auditors recording their examination, findings and analysis of the ISMS, including completed audit checklists
Compliance audit – a type of audit specifically designed to assess the extent to which the audit subject conforms to stated requirements
ISMS audit – an audit centred on the organization’s Information Security Management System (ISMS)
Risk-based audit – an audit planned on the basis of an assessment of risks