Which of the following activities of stage 1 audit does NOT take place during the auditor's on-site visit?


During a stage 1 audit, the primary focus is on reviewing the organization's information security management system (ISMS) and its readiness for the stage 2 audit. One of the critical activities involves the auditor reviewing various documented information, including the information security policy, procedures, and other relevant documentation. This review is essential to understand the framework and scope of the ISMS and to assess the organization's initial compliance with ISO/IEC 27001 requirements.

Observing the technology and operations related to the ISMS can also occur during the stage 1 audit, allowing the auditor to gather insights into how the security measures are implemented and function in practice.

However, validating compliance with contractual and regulatory requirements typically extends beyond the mere review of documentation. This process often requires a more in-depth examination, which may involve extensive discussions and assessments and usually occurs during a separate audit phase or as part of the overall audit scope. It’s not strictly limited to the stage 1 on-site visit, where the emphasis is on documentation and initial assessments rather than detailed compliance checks.

Risk assessments are quite detailed processes that require a comprehensive understanding of the organization’s operations, assets, and potential threats. These assessments usually occur in subsequent stages when auditors conduct a deeper analysis of the ISMS
