Organisations should assess their ISMS regularly. This is done by establishing an IS audit procedure based on the information security concept adopted by the organisation. An "overview" of the organisation's information security status can be obtained through, among other means, regular IS cross-cutting audits. The management level of an organisation always bears the overall responsibility for the IS audit. To fulfil this function, management must be informed regularly about any problems, about the results and activities of the IS audit, and about new developments, new or changed general conditions, and possibilities for improvement.