The results of the IS audit are reported to the management of the organisation, the person responsible for IS audits, and the IT Security Officer (see section ) and integrated into the ISMS process. A clearly defined procedure should be available for this purpose that is stated in a guideline for examining and improving the security process (see [BSI2]). Requirements for eliminating deficiencies and improving quality are the result of the evaluation of the IS audit report. The IT Security Officer derives the corresponding follow-up activities from these requirements. The follow-up activities also include updating the security documents, for example.