
ISO/IEC 27007

ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing 

(third edition)

Abstract

ISO/IEC 27007 "provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. [ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme."


[Source: ISO/IEC 27007:2020]

Introduction

ISO/IEC 27007 provides guidance for internal auditors, external/third party auditors (e.g. those performing supplier security assessments) and others auditing ISMSs against ISO/IEC 27001, i.e. auditing the management system for conformity with the standard.


For Certification Bodies' conformity assessors, it supplements or complements the mandatory accreditation requirements specified formally in ISO/IEC 27006-1 with additional discretionary advice.


The standard covers the process of ISMS-specific conformity assessment or auditing, emphasising the 'management system' elements:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);

  • Performing an ISMS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);

  • Managing ISMS auditors (competencies, skills, attributes and evaluation).

Scope

"[ISO/IEC 27007] provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.


[ISO/IEC 27007] is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme."

[Source: ISO/IEC 27007:2020]

Structure

Main clauses:

  • 4: Principles of auditing

  • 5: Managing an audit programme

  • 6: Conducting an audit

  • 7: Competence and evaluation of auditors

  • Annex A: Guidance for ISMS auditing practice - includes advice re the documentation required by ISO/IEC 27001:2013 such as the Statement of Applicability.


The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not-terribly-helpful explanatory comments (e.g. audits are likely to involve sensitive proprietary or personal information, hence auditors may need to be security-cleared to the appropriate level before auditing, and to secure audit evidence appropriately).


However, the more valuable annex describes specific audit tests concerning the organisation's conformity with the requirements of ISO/IEC 27001.

Status

The first edition was published in 2011.


The second edition was published in 2017.


The current third edition was published in 2020.


A fourth edition is in the works, belatedly reflecting ISO/IEC 27001:2022 and the imminent release of ISO 19011:2026. ISO 19011:2026 is expected to provide guidance on remote auditing (e.g. of virtual locations such as globally-distributed data centres providing cloud services) plus other editorial changes to the current version.


Publication of the fourth edition of ISO/IEC 27007 is planned for 2027. It is at Committee Draft stage, coming along nicely. Reviewers seek to align the terminology and concepts more closely with ISO/IEC 27000, 27001, 27003 and 27005, for example not implying, suggesting or stating additional requirements beyond those formally stated in 27001. Additional approaches, guidance and options are fine so long as readers (implementers and auditors) are not led to believe that they must do a load of additional things in order to conform to 27001. Flexibility is valuable for such a broadly-applicable approach. Additional constraints or demands are not. 

Commentary

As with ISO/IEC 27006-1, this standard primarily concerns conformity or compliance auditing, a particular form of auditing with a specific goal: to determine whether the audited organisation’s ISMS conforms with (i.e. fulfills all the mandatory requirements specified formally by) ISO/IEC 27001. Such audits are primarily performed for certification purposes.


Other types of audits have different assurance goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance/conformity auditors, or that all audits are compliance/conformity audits! Specifically in relation to information risk and security management, competent technology auditors might for instance:

  • Evaluate the organisation’s strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);

  • Audit workers’ conformity with organisational policies, procedures, directives, guidelines, employment contracts etc., in the general area of information risk, information security and privacy;

  • Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;

  • Examine the governance arrangements in this area e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;

  • Audit the organisation’s compliance/conformity with other relevant obligations and expectations, apart from ISO/IEC 27001 e.g. privacy and data protection, intellectual property protection, health and safety, and employment laws and regulations; fire codes and building standards; technical security standards and protocols; supplier, partner and customer agreements and contracts; industry guidelines; ethical codes ... including the associated arrangements such as enforcement actions, and how the organisation stays up-to-date with changes in the requirements;

  • Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and releasing any unrealised potential;

  • Examine ‘assurance’, ‘integrity’, ‘confidentiality’, ‘availability’, ‘risk’, ‘information risk management’, ‘compliance’, ‘privacy’ etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;

  • Review improvements made and explore further opportunities to improve the ISMS;

  • Examine the organisation’s potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;

  • Survey, compare and contrast various stakeholders’ opinions, comments and suggestions on the ISMS, teasing-out and addressing deeper, longstanding concerns and points of common interest that might otherwise remain hidden;

  • Follow-up on previous ISMS audits, reviews, penetration tests, security assessments, post incident reports etc., delving deeper into areas of concern, extending the scope and picking up on recurrent or widespread issues;

  • Examine assurance management e.g. the manner in which various audits or assessments are scoped, approved, resourced, conducted, reported, actioned and closed off, treating ISMS or technology audits as important examples;

  • Explore the management aspects of business continuity and resilience;

  • Look into the integration and interoperability of various management systems such as the ISMS;

  • Audit the organisation’s information management as a whole, such as the integration of risk and security aspects with other business imperatives, and the proactive exploitation of information despite various risks;

  • Benchmark the ISMS against comparable organisations or business units, or against other operational management systems e.g. quality assurance, environmental protection;

  • Measure and comment on the organisation’s maturity in this general area;

  • Review the organisation’s use of security metrics, reports and other management information.


Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the basic conformity-assessment tick-n-bash approach.


One of the best things about auditing is the chance to do something different for a change. Exploit the auditors’ independence, competence, experience, skills, focus, information access, rigorous methods, trustworthiness, access to senior management etc. to delve into aspects that are rarely if ever addressed as part of routine management and operations - potentially including those awkward politically-charged issues that are studiously avoided, and longstanding problems that seem destined to remain, forever.


Some pessimists see audits as information threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor and optimist (realist!), I see audits as valuable business opportunities to be exploited to the max. Make the best of them. Milk the value.

This page last updated:

11 February 2026

© 2026 IsecT Limited 

 
