Study Document 07

Audit planning workbook.

A practical lead auditor guide for turning audit objectives, scope, criteria, resources, sampling, Stage 1 readiness, and logistics into a clear audit plan.

Purpose

Planning converts audit intent into audit work.

For ISO 27001 Lead Auditor questions, audit planning is about creating a risk-based, feasible, and evidence-focused approach that is aligned to the audit objective, scope, and criteria.

3 planning anchors: objective, scope, and criteria.
2 certification stages: Stage 1 readiness review and Stage 2 implementation audit.
Risk: sampling and time allocation should focus on importance, change, previous findings, and process risk.

Programme vs plan

Do not confuse the audit programme with one audit plan.

An audit programme manages a set of audits across a period. An audit plan is the detailed arrangement for a specific audit event.

Audit programme: Arrangements for a set of audits over a defined period or audit cycle, including priorities, resources, methods, responsibilities, risks, and follow-up.

Audit plan: Detailed plan for a specific audit, including objectives, criteria, scope, locations, timings, audit team roles, meetings, sampling, and logistics.

Planning anchors

Objective, scope, and criteria must fit together.

Most planning errors begin when the auditor has not clearly separated what the audit is trying to achieve, where the audit applies, and what requirement will be used to judge conformity.

Audit objective
What it defines: What the audit intends to accomplish.
ISO 27001 examples: Determine conformity, evaluate effective implementation, assess certification readiness, or verify corrective action effectiveness.

Audit scope
What it defines: The extent and boundaries of the audit.
ISO 27001 examples: Locations, processes, services, systems, departments, interfaces, suppliers, time period, and ISMS boundaries.

Audit criteria
What it defines: The reference used to judge conformity.
ISO 27001 examples: ISO/IEC 27001:2022 clauses, policies, procedures, legal requirements, contracts, SoA, risk treatment plan, and internal requirements.

Audit plan contents

A good audit plan is specific enough to execute.

The plan should tell the audit team and auditee what will be audited, when it will happen, who is involved, what methods will be used, and how evidence will be sampled.

Core plan fields

  • Audit objectives, criteria, and scope.
  • Date, duration, sites, remote arrangements, and time zone constraints.
  • Processes, functions, locations, systems, and services to be audited.
  • Audit team members, roles, technical experts, guides, and auditee contacts.
  • Opening meeting, daily briefings, closing meeting, and escalation points.

Security and logistics fields

  • Confidentiality, visitor access, evidence handling, screenshot rules, and data restrictions.
  • Remote audit platform, screen sharing, access to tools, connectivity, and backup method.
  • Sampling approach, high-risk areas, previous nonconformities, and major changes.
  • Health, safety, physical security, and site-specific rules.
  • Report timeline, corrective action timelines, and communication channels.

Stage 1 and Stage 2

Plan the audit stage according to its purpose.

Stage 1 is mainly about readiness and planning. Stage 2 is about implementation, effectiveness, conformity, and evidence across the ISMS.

Stage 1
Main purpose: Evaluate whether the organization is ready for Stage 2.
Planning focus: ISMS scope, documented information, legal and regulatory context, internal audit status, management review status, risk assessment, treatment process, SoA readiness, site conditions, and Stage 2 planning data.

Stage 2
Main purpose: Evaluate implementation and effectiveness of the ISMS.
Planning focus: Clause 4 to 10 implementation, operational control, Annex A control evidence, monitoring, internal audit, management review, risk treatment implementation, corrective action, and evidence across functions.

Sampling

Sampling must be justified, not convenient.

Audit conclusions are based on sampled evidence. The auditor should select samples that are relevant to audit objectives and risk, not only the cleanest records presented by the auditee.

Risk

Prioritise high-risk areas.

Sample processes with high impact, recent change, complex dependencies, or previous issues.

Coverage

Cover the boundaries.

Include locations, departments, systems, shifts, suppliers, and services within scope.

Traceability

Follow an audit trail.

Trace from policy to procedure, record, system configuration, interview, and result.

Balance

Avoid cherry-picking.

Use recent, relevant, and representative samples, including exceptions where appropriate.
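The four sampling principles above (risk, coverage, traceability, balance), together with the "Risk" anchor at the top of this note and the checklist item on sample size logic, can be turned into a repeatable selection routine. The following script is an added worked example for this study note, not code from the KISCyber guide or from ISO 19011; it selects processes by a documented risk score, guarantees every in-scope site is sampled before the rest of the budget goes to the highest-risk areas, allocates audit hours in proportion to risk with a floor per sample, and records a plain-language justification for each choice. The process inventory, the scoring weights, the hour budget and the rule of refusing a plan that cannot cover all sites are all constructed assumptions for illustration.

```python
"""Risk-based sample selection and time allocation for one audit plan.

Added worked example for this study note, not code from the KISCyber guide
or from ISO 19011. It turns the sampling principles (risk, coverage,
traceability, balance) into a selection that can be justified to the auditee.
The process inventory, scoring weights and hour budget are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    """One in-scope process or function, as recorded during Stage 1."""
    name: str
    site: str            # location or boundary the process belongs to
    impact: int          # 1 (low) to 5 (high) information-security impact
    recent_change: bool  # changed since the previous audit
    prior_findings: int  # nonconformities raised against it previously
    complexity: int      # 1 to 5, dependencies and interfaces
    outsourced: bool = False


# Assumed weights: an audit programme would set and record its own.
WEIGHTS = {"impact": 2.0, "change": 3.0, "findings": 2.5,
           "complexity": 1.0, "outsourced": 1.5}


def risk_score(p: Process) -> float:
    """Higher score means audit it earlier and for longer."""
    return (WEIGHTS["impact"] * p.impact
            + WEIGHTS["change"] * (1 if p.recent_change else 0)
            + WEIGHTS["findings"] * min(p.prior_findings, 3)  # cap the effect
            + WEIGHTS["complexity"] * p.complexity
            + WEIGHTS["outsourced"] * (1 if p.outsourced else 0))


def justification(p: Process) -> str:
    """Plain-language reason for the selection, for the audit plan record."""
    change = "changed" if p.recent_change else "unchanged"
    return (f"{p.name} ({p.site}): impact {p.impact}/5, {change} since last "
            f"audit, {p.prior_findings} prior finding(s), complexity "
            f"{p.complexity}/5, score {risk_score(p):.1f}")


def select_samples(processes, max_samples):
    """Pick samples by risk, but cover every in-scope site first.

    Raises ValueError when the sample budget cannot cover all sites: a plan
    that leaves a location unsampled is weak and must be renegotiated, not
    silently truncated.
    """
    sites = {p.site for p in processes}
    if max_samples < len(sites):
        raise ValueError(
            f"{max_samples} samples cannot cover {len(sites)} in-scope sites")
    ranked = sorted(processes, key=risk_score, reverse=True)
    chosen, covered = [], set()
    for p in ranked:               # coverage pass: top-risk process per site
        if p.site not in covered:
            chosen.append(p)
            covered.add(p.site)
    for p in ranked:               # risk pass: fill the remaining slots
        if len(chosen) >= max_samples:
            break
        if p not in chosen:
            chosen.append(p)
    return chosen


def allocate_hours(chosen, total_hours, minimum=1.0):
    """Split audit time in proportion to risk, with a floor per sample."""
    if total_hours < minimum * len(chosen):
        raise ValueError("not enough audit time for the selected samples")
    spare = total_hours - minimum * len(chosen)
    total_score = sum(risk_score(p) for p in chosen)
    return {p.name: minimum + spare * risk_score(p) / total_score
            for p in chosen}


# Constructed inventory for the example (not a real organisation).
INVENTORY = [
    Process("Access control", "HQ", 5, True, 1, 4),
    Process("Backup and restore", "HQ", 4, False, 2, 3),
    Process("Supplier management", "HQ", 3, False, 0, 2, outsourced=True),
    Process("Incident response", "DC-1", 5, True, 0, 4),
    Process("Physical security", "DC-1", 3, False, 0, 1),
    Process("Joiner/leaver process", "Remote", 3, True, 1, 2),
    Process("Change management", "Remote", 4, False, 0, 3),
]


def build_plan(processes=INVENTORY, max_samples=4, total_hours=12.0):
    """Return the sampling part of an audit plan: what, why, and how long."""
    chosen = select_samples(processes, max_samples)
    return {"samples": [p.name for p in chosen],
            "hours": allocate_hours(chosen, total_hours),
            "why": [justification(p) for p in chosen]}


if __name__ == "__main__":
    plan = build_plan()
    for reason in plan["why"]:
        print(reason)
    for name, hours in plan["hours"].items():
        print(f"{name}: {hours:.1f} h")
```

With the constructed inventory, four samples and a 12-hour budget, the coverage pass takes the top-scoring process at HQ, DC-1 and the remote site, and the remaining slot goes to the next highest score (backup and restore, which carries two prior findings). Asking for only two samples raises an error because three sites are in scope, which is the planning weakness of an unsampled location surfacing before the audit rather than during it. The justification strings are what you would paste into the plan so the auditee can see the samples were chosen on stated risk, not on the cleanest records offered.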

Workbook checklist

Use this before approving the audit plan.

This checklist can be used by the learner to test whether an audit plan is complete enough for a practical ISO 27001 audit scenario.

  • Confirm audit type, objective, scope, criteria, and expected outputs.
  • Review prior audit results, complaints, incidents, changes, and known risk areas.
  • Confirm audit team competence, independence, and need for technical experts.
  • Prepare timetable with enough time for high-risk processes and follow-up questions.
  • Define sampling method, sample size logic, and evidence sources.
  • Confirm remote or on-site logistics, access, confidentiality, and evidence handling rules.
  • Prepare opening meeting agenda, working documents, and communication channels.
  • Communicate the plan to the auditee and handle objections before the audit starts.

Common weaknesses

Planning issues that can damage audit quality.

  • Audit scope does not match the certification or ISMS scope.
  • Audit plan misses key outsourced, remote, or high-risk processes.
  • Audit team lacks competence for technical or regulatory areas.
  • Sampling is not planned or cannot be justified.
  • Time allocation is too short for complex areas.
  • Previous nonconformities and major changes are ignored.

Exam technique

Choose the answer that protects audit feasibility.

  • If scope or criteria are unclear, clarify before auditing.
  • If evidence cannot be accessed, adjust the plan through proper communication.
  • If a high-risk process is skipped, the plan is weak.
  • If the audit team is not competent, change the team or add expertise.
  • If remote audit tools are unreliable, plan an alternative evidence method.

Quick memory aid

Objective says why the audit is being done. Scope says where and what is included. Criteria says what requirement is used. Sampling says how evidence will be selected. Logistics makes the plan workable.

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 19011 audit guidance and ISO 27001 Lead Auditor study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.