Practical experience has shown that comprehensive, company-wide or agency-wide information security oriented towards long-term fulfilment of requirements and sustainable limitation of risks can only be achieved through information security management. BSI Standard 100-1 “Information Security Management Systems (ISMS)” (see [BSI1]) describes the information security process. Within the ISMS, the IS audit is part of the information security process and is integrated into the “Check” phase of the PDCA model by Deming. The information security process is initiated by the management level and starts with the “Planning” phase. The security organisation is planned in this phase. In the subsequent “Do” phase, the security.