ISO/IEC 27007

ISO/IEC 27007 Information technology -- Security techniques -- Guidelines for Information security management systems auditing (draft)

This standard will provide guidance for accredited certification bodies and others auditing Information Security Management Systems against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard) but may also offer advice to those auditing ISMSs against ISO/IEC 27002 (i.e. auditing the organization’s controls for their suitability in managing information security risks). 

ISO/IEC 27007 is currently at Working Draft (WD) stage and is unlikely to be published before 2009.

ISO/IEC 27007 will draw heavily on ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” being the common factor linking it to the ISO27k standards. It will provide additional ISMS-specific guidance. [As an aside, ISO 19011 is about to be revised. Numerous comments were made on the draft of ISO/IEC 27007, many of which have been passed to the project team working on ISO 19011.]

If you have ISMS auditing experience to contribute to the development of ISO/IEC 27007, please contact your national standards body and ask for the person leading the information security standards work. Alternatively, join the Forum and submit your suggestions there. We will continue tracking and discussing the development of the standard through the Forum.

The ISO27k Implementers’ Forum developed an ISMS Auditing Guideline as a contribution to ISO/IEC 27007. The guideline was released under a Creative Commons license as a public service to ISMS auditors and reviewers. The ISMS Auditing Guideline release 1 is available here as a PDF or, if you belong to the Forum, by all means download the MS Word version from the Forum files area.

Added April 26th: At its Kyoto meeting in April 2008, ISO/IEC JTC1/SC27 launched a separate project to develop “Guidance for auditors on ISMS controls”. See ISO/IEC TR 27008 for more info.

Added March 19th: ISACA released an exposure draft IS auditing guideline on Review of security management practices. The guide explains ISACA’s view of how IT auditors should audit the management system and does not go into depth on how to audit the actual information security controls. Comments are welcome to ISACA by May 15th.

Copyright © 2008 IsecT Ltd.