• Audit Findings: These are the results of evaluating collected audit evidence against the predetermined audit criteria.
• Audit Evidence: Objective, verifiable information gathered through interviews, observations, document reviews, etc., that supports the audit findings.
• Audit Criteria: The standards, policies, procedures, or requirements of the ISMS that are used as benchmarks for the audit.
The Process: Auditors compare collected audit evidence against the audit criteria to determine whether there is conformity or nonconformity, leading them to generate audit findings.
References:
• ISO/IEC 27001:2022, Section 9.2 (Internal Audit): Discusses the process of gathering audit evidence and documenting nonconformities (which form a basis for audit findings).
• ISO 19011:2018 Guidelines for auditing management systems: Provides a broader framework for audit processes, emphasizing the role of audit evidence in generating findings.