Audit report 06 09 18 34, covering context, planning (Statement of Applicability and Risk Assessment & Treatment Plan), resources, monitoring and measurement, organisation of information security, asset management, physical protection, operations security, business continuity planning and external audit improvement opportunities.