According to ISO 27001, are audit results required to be documented?


Documentation of audit results is essential in the context of ISO 27001 because it creates a formal record of the audit's findings, observations, and conclusions. This documentation serves several key purposes in the information security management system (ISMS):

  1. Accountability: By documenting results, organizations ensure accountability. It provides a trail of evidence that can be reviewed and audited, supporting the integrity of the audit process.

  2. Continuous Improvement: The documented results help organizations identify areas for improvement in their ISMS. By having a formal record, organizations can analyze trends over time and track the effectiveness of any corrective actions taken.

  3. Compliance: ISO 27001 emphasizes the need for a systematic approach to managing sensitive company information. Documenting audit results demonstrates compliance with the standard and the organization's commitment to maintaining an effective ISMS.

  4. Communication: Written documentation allows for clear communication of audit results to relevant stakeholders. This ensures that all parties are informed about the state of the ISMS and any necessary actions.

Thus, the requirement for audit results to be documented is a fundamental aspect of maintaining an effective internal audit process and supports the overall framework established by ISO 27001.
