Materiality is taken into account to determine the duration of the audit based on the risks inherent to the organization during:


Determining audit duration from materiality and the organization's inherent risks is done during the initial contact phase of the audit process. This phase sets the stage for the entire audit: the auditors gather the information needed to plan it, including the organization's context, the nature of its operations, the scope of the information security management system (ISMS), and the specific risks associated with that ISMS.

In this context, materiality means identifying which assets, processes, or information have the greatest potential impact on the organization's objectives and therefore must be prioritized during the audit. This assessment lets the auditors allocate time and resources appropriately, so that higher-risk areas are examined in depth while the evaluation of the ISMS as a whole remains complete.

Recognizing materiality early helps establish the audit's scope and objectives, and it shapes the timeline and approach for both the Stage 1 and Stage 2 audits. The result is an audit tailored to the risks the organization actually faces, which produces more effective and relevant findings.
