What do the audit criteria describe?


The audit criteria are an essential component of the audit process: they outline the specific requirements of the referenced standard against which the Information Security Management System (ISMS) is evaluated. In the context of ISO/IEC 27001, these criteria serve as the benchmarks against which the organization's practices and controls are measured. This keeps the audit focused on conformity with the established standard and helps to identify areas for improvement.

Using established criteria ensures that the audit findings are relevant and grounded in a recognized framework. This alignment with the standard provides clarity and credibility to the audit results, as it allows both auditors and stakeholders to understand the basis for the evaluation. Recognizing these criteria during an audit is also crucial for determining whether the ISMS is effectively protecting information assets and managing associated risks.

The other answer choices refer to different aspects of the audit process, such as observed facts (audit evidence), types of nonconformities, or general guidelines for conducting the audit, but none of them captures the purpose and significance of the audit criteria as the framework against which the audit is performed.
