- The security audit execution is planned and carried out in a phase-wise manner.
- Appropriate communication and appointment of a central point of contact and other support for the auditors.
- It should be ensured that actual operations in the organisation are not significantly disrupted by the audit when initiating the audit. The auditors never actively intervene in systems, and therefore should not provide any instructions for making changes to the objects being audited. It is management's responsibility to support the conduct of a fair and comprehensive audit.
- Important IS audit meetings, such as the opening and closing meetings as well as the interviews, should be conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality. No member of the audit team should have participated directly in supporting or managing the areas to be audited, e.g. they must not have been involved in the development of concepts or the configuration of the IT systems.
- The audit team is experienced, independent and objective. Every audit team should consist of at least two auditors to guarantee the independence and objectivity of the audit ("two-person rule"). There is an unrestricted right to obtain and view information.
- Coverage of security is comprehensive, with a cross-cutting audit across the entire organisation. Partial audits may be done for specific purposes.
- Clearly defined objectives

1.3.3 What should be covered in audits? (Given just for reference only)

1.3.4 What makes a good security audit?

The IS Auditing Standards developed and disseminated by the Information Systems Audit and Control Association (ISACA) are already in circulation for further information. A good security audit is part of a regular and comprehensive framework of information security. A good security audit may likely include the following: