Audit planning for certification audits is defined by ISO 19011:2018, clause 6.3 (Preparing audit activities) and ISO/IEC 27006.
Key audit planning documents include:
Audit plan (mandatory, prepared by team leader)
Checklists (supporting tool for consistency and coverage of requirements)
List of external providers (required to check compliance with ISO/IEC 27001 Annex A.5.19 – supplier relationships and A.5.20 – supplier agreements)
Sample plans (used when sampling evidence across sites, processes, or records is needed, especially in Stage 2 audits)
However, the following are not required:
B. Career history of the IT manager – Personnel competence may be verified during interviews and evidence review, but an auditor does not need career histories as part of audit planning. ISO 19011 requires access to competence records only where needed, not CVs.
F. Organisation’s financial statement – Financial performance is not part of ISMS audit planning unless it relates to identified risks or contractual obligations. ISO/IEC 27001 focuses on information security risks, not financial audit compliance.
ISO 19011:2018 (clause 6.3.2) clearly defines the required planning inputs as:
Audit objectives, scope, and criteria
Audit team roles and responsibilities
Allocation of resources
Information about the auditee’s ISMS (e.g., documented scope, processes, external provider relationships, relevant legal/regulatory requirements)
There is no mention of personnel CVs or financial statements being required.
Final Correct Answer: B and F
References:
ISO 19011:2018, clause 6.3 (Preparing audit activities)
ISO/IEC 27006:2015, section 9.2 (Audit planning requirements for ISMS certification bodies)