ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing
This standard provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” of course being the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC 27007 also draws on ISO 17021 Conformity Assessment – Requirements for bodies providing audit and certification of management systems and aligns with ISO/IEC 27006, the ISMS certification body accreditation standard.
Structure
The standard covers the ISMS-specific aspects of compliance auditing:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS audit (the audit process: planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
- Managing ISMS auditors (competencies, skills, attributes, evaluation).
Status of the standard
The standard was published in November 2011 and is available for CHF122 from the ISO/IEC webstore.
[By the way, ISO 19011 was revised and republished in 2011. It is available for CHF146 from the ISO/IEC webstore.]
Other guidelines for ISMS auditing
Aside from ‘27007, here are some alternative/complementary sources of advice on ISMS auditing:
- The ISO27k Forum developed an ISMS Auditing Guideline as its contribution to ISO/IEC 27007. The guideline was released under a Creative Commons license as a public service to ISMS auditors and reviewers. Download the free ISMS Auditing Guideline release 1 as a PDF here or, if you belong to the Forum, by all means download the MS Word version from the Forum files area;
- ISACA released IS auditing guideline G40 on Review of security management practices. The guide explains ISACA’s view of how IT auditors should audit the ISMS. It specifically mentions an ISO27k ISMS;
- If you want to audit the information security controls as opposed to the management system, see ISO/IEC 27008.