ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” of course being the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC 27007 also draws on ISO 17021 Conformity Assessment – Requirements for bodies providing audit and certification of management systems and aligns with ISO/IEC 27006, the ISMS certification body accreditation standard.
The standard covers the ISMS-specific aspects of compliance auditing:
Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
Managing ISMS auditors (competencies, skills, attributes, evaluation).
Other guidelines for ISMS auditing
Aside from ‘27007, here are some alternative/complementary sources of advice on ISMS auditing:
ISACA released IS auditing guideline G40 on Review of security management practices
. The guide explains ISACA’s view of how IT auditors should audit the ISMS. It specifically mentions an ISO27k ISMS;
If you want to audit the information security controls
as opposed to the management system
, see ISO/IEC 27008
Status of the standard
The standard was published in November 2011. ISO 19011 was also revised and republished in 2011.
This standard covers compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS. There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! For a peek at the broader remit and different operating styles and techniques of IT auditors, see the IT Audit FAQ.