You are performing an ISMS audit at a residential nursing home called ABC that provides...

The three options that will not be in your audit trail are A, C, and H. These options are either not relevant to the information security of ABC’s healthcare mobile app development, support, and lifecycle process, or not within the scope of your audit. The amount of money that residents’ family members pay to install the app (A) and the number of users of the app © are not related to the information security aspects or objectives of the ISMS1. The verification of the developer’s certifications (H) is not your responsibility as an ISMS auditor, as you should rely on the competence and impartiality of the certification bodies that issued them2. The other options are relevant and within the scope of your audit, as they relate to the security functions, testing, policies, and procedures of the mobile app development, support, and lifecycle process13. References: 1: ISO/IEC 27001:2022, Information technology — Security techniques — Information security management systems — Requirements, Clause 4.2 \n2: ISO/IEC 27006:2022, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems, Clause 4.1 \n3: PECB Certified ISO/IEC 27001 Lead Auditor Exam Preparation Guide, Domain 5: Conducting an ISO/IEC 27001 audit