Hello all. I am a CISSP and happy to join.
Does anyone have a simple sample of an "engagement letter" for security audits at a client?
I presume by "engagement letter" you mean a "Statement of Work" or SOW?
There are plenty of templates available on the internet that you can adjust to your needs.
Whatever your final document ends up looking like, I advise you to seek proper legal advice to ensure it's a suitable contractual document that can be used for legal purposes if needed.
An engagement letter is similar to an SOW, but I find the SOW more detailed/in-depth. The engagement letter will only describe the area that's going to be audited, but it will not describe (or at least not in detail) what methodology the audit will use. So for example the engagement letter might say this audit will follow PCI Compliance or the NIST framework, but it will not go into detail to explain what PCI Compliance or the NIST framework is.
Interesting! An engagement letter is not something I've heard of before in my 20+ years in IT Consulting.
Looking into it a bit more, an engagement letter is not something that is used by the IT Consulting industry in my region - it seems to be something used by accountants and lawyers over here.