ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” of course being the common factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC 27007 also draws on ISO 17021 Conformity Assessment – Requirements for bodies providing audit and certification of management systems and aligns with ISO/IEC 27006, the ISMS certification body accreditation standard.
The standard covers the ISMS-specific aspects of compliance auditing:
Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
Performing an ISMS audit (the audit process: planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-up);
Managing ISMS auditors (competencies, skills, attributes, evaluation).
Other guidelines for ISMS auditing
Aside from ‘27007, here are some alternative/complementary sources of advice on ISMS auditing:
ISACA released IS auditing guideline G40 on Review of security management practices. The guide explains ISACA’s view of how IT auditors should audit the ISMS. It specifically mentions an ISO27k ISMS;
If you want to audit the information security controls, as opposed to the management system, see ISO/IEC 27008.
Status of the standard
The standard was published in November 2011. ISO 19011 was also revised and republished in 2011.
The standard is now being revised. Changes seem likely to be minor, e.g. citing the current versions of updated ISO27k standards and ISO 19011. Comments on WD1 were mostly accepted, ISACA’s being the main exception.
This standard covers compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS. There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! For a peek at the broader remit and different operating styles and techniques of IT auditors, see the IT Audit FAQ.