ISO/IEC 27007

Copyright © 2010 IsecT Ltd.

ISO/IEC 27007 Information technology -- Security techniques -- Guidelines for Information Security Management Systems auditing (draft)

This standard will provide guidance for accredited certification bodies, internal auditors, external/third-party auditors and others auditing Information Security Management Systems against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard). It may also offer advice to those auditing or reviewing ISMSs against ISO/IEC 27002 (i.e. auditing the organization's controls for their suitability in managing information security risks), although that topic may instead be covered by ISO/IEC TR 27008.

ISO/IEC 27007 is progressing well, although there has been some confusion over the scope of this standard in relation to ISO/IEC 27008. Publication is still anticipated during 2010.

ISO/IEC 27007 draws heavily on ISO 19011, the ISO standard for auditing quality and environmental management systems; "management systems" are the common factor linking it to the ISO27k standards. ISO/IEC 27007 adds ISMS-specific guidance on top of it. ISO 19011 is currently being revised, and numerous comments on 19011 were made by the 27007 team and passed to the 19011 team. ISO/IEC 27007 also draws on ISO 17021-2.

The ISO27k Forum developed an ISMS Auditing Guideline as a contribution to ISO/IEC 27007. The guideline was released under a Creative Commons license as a public service to ISMS auditors and reviewers. Release 1 of the ISMS Auditing Guideline is available as a PDF or, if you belong to the Forum, as an MS Word document in the Forum files area.

ISO/IEC JTC 1/SC 27 has launched a separate project to develop "Guidance for auditors on ISMS controls"; see ISO/IEC 27008 for more information.

ISACA released an exposure draft of an IS auditing guideline on the review of security management practices. The guide explains ISACA's view of how IT auditors should audit the management system; it does not go into depth on how to audit the actual information security controls. The comment period is over, so we await publication of a revised version.