Can you perhaps enlighten me as to how to segregate departments in the Audit Process.
I have a client that has 11 departments each with their own set of Risks, and they would like to know if they need to read through the entire Risk Treatment plan so as to identify Risks that are applicable to their specific Business unit.
First, it is important to note that setting up multiple internal audits, each covering a smaller part of the ISMS scope, is worthwhile only for larger companies. For smaller ones, the most efficient approach is to perform a single audit.
Regarding the identification of risks in the Risk Treatment document, besides the risks from its own unit, each business unit should consider at least the risks from other units that refer to assets the business unit is responsible for.
For example, if an HR unit has a risk related to an IT asset, then the IT unit should read this risk.