The FIRST phase of the ISACA framework for auditors reviewing cryptographic environments is
inventory and discovery. This is because the inventory and discovery phase helps auditors to identify
and document the scope, objectives, and approach of the audit, as well as the cryptographic assets,
systems, processes, and stakeholders involved in the cryptographic environment. The inventory and
discovery phase also helps auditors to assess the maturity and effectiveness of the cryptographic
governance and management within the organization. The other phases are not the first phase of the
ISACA framework for auditors reviewing cryptographic environments, but rather follow after the
inventory and discovery phase, such as evaluation of implementation details (A), hands-on testing
(B), or risk-based shakeout C.
