This guideline supports ISMS auditors with pragmatic advice on two key aspects:
 
The kinds of evidence typically sought during an ISMS audit i.e. documents and information in other forms (e.g. expressed verbally in audit interviews).  Only some of this is formally mandated by the standard, with the requirement specifications terse to the point of being cryptic since the standard applies to all sizes and types of organisation – a deliberately wide brief.  These are the ticked items in the table – the ‘green flags’.
 
The issues and concerns that typically signal dysfunctional/problematic, ineffective/failing/failed and nonconformant ISMSs – certainly warning signs for the auditor to watch out for.  These are the crossed items in the table – the ‘red flags’.
 
This guideline helps identify crucial information and reveal potential issues.  By understanding what constitutes robust evidence, and recognising common pitfalls and deviations from the standard, ISMS auditors can work more effectively and efficiently using this guideline.