ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing
This standard provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the generic ISO standard for auditing management systems (originally written for quality and environmental management systems). “Management systems” are of course the common factor linking it to the ISO27k standards. ISO/IEC 27007 provides the additional ISMS-specific guidance.
ISO/IEC 27007 also draws on ISO/IEC 17021 Conformity assessment – Requirements for bodies providing audit and certification of management systems, and aligns with ISO/IEC 27006, the accreditation standard for ISMS certification bodies.
The standard covers the ISMS-specific aspects of compliance auditing:
Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
Performing an ISMS audit (the audit process: planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-up);
Managing ISMS auditors (competencies, skills, attributes, evaluation).
Status of the standard
The standard was published in November 2011 and is available for CHF122 from the ISO/IEC webstore.
[By the way, ISO 19011 was also revised and republished in 2011, now titled Guidelines for auditing management systems. It is available for CHF146 from the ISO/IEC webstore.]
Other guidelines for ISMS auditing
Aside from ’27007, here are some alternative/complementary sources of advice on ISMS auditing:
The ISO27k Forum developed an ISMS Auditing Guideline as its contribution to ISO/IEC 27007. The guideline was released under a Creative Commons license as a public service to ISMS auditors and reviewers. Download the free ISMS Auditing Guideline release 1 as a PDF here or, if you belong to the Forum, by all means download the MS Word version from the Forum files area;
ISACA released IS auditing guideline G40 on Review of security management practices. The guide explains ISACA’s view of how IT auditors should audit the ISMS. It specifically mentions an ISO27k ISMS;
If you want to audit the information security controls, as opposed to the management system, see ISO/IEC 27008.