ISO/IEC 27007:2017 — Information technology — Security techniques — Guidelines for information security management systems auditing (second edition)
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 draws heavily on ISO 19011, the standard for auditing management systems, providing additional ISMS-specific guidance.
The standard covers the ISMS-specific aspects of compliance auditing:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS audit (the audit process: planning, conduct, and key audit activities including fieldwork, analysis, reporting and follow-up);
- Managing ISMS auditors (competencies, skills, attributes, evaluation).
The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not terribly helpful explanatory comments. However the annex lays out in more detail specific audit tests concerning the organization’s compliance with the main body of ISO/IEC 27001.
Other guidelines for ISMS auditing
To audit the information security controls as opposed to the management system, see ISO/IEC 27008.
Status of the standard
The standard was first published in 2011 and revised in October 2017.
This standard concerns ISO27k compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS. There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! For a peek at the broader remit and different operating styles and techniques of IT auditors, see the IT Audit FAQ.