ISO/IEC 27007

Copyright © 2009 IsecT Ltd.

ISO/IEC 27007 Information technology -- Security techniques -- Guidelines for Information Security Management Systems auditing (draft) Updated following Beijing meeting May 2009
This standard will provide guidance for accredited certification bodies, internal auditors, external/third-party auditors and others auditing Information Security Management Systems against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard). It may also offer advice to those auditing or reviewing ISMSs against ISO/IEC 27002 (i.e. auditing the organization’s controls for their suitability in managing information security risks), although this may be covered instead by ISO/IEC TR 27008.
ISO/IEC 27007 is currently at WD stage, moving soon to CD. Publication is anticipated early in 2010.
ISO/IEC 27007 will draw heavily on ISO 19011, the ISO standard for auditing quality and environmental management systems - “management systems” being the common factor linking it to the ISO27k standards. It will provide additional ISMS-specific guidance. ISO 19011 is currently being revised; numerous comments on 19011 were made by the 27007 team and passed to the 19011 team. ISO/IEC 27007 also draws on ISO 17021-2.
If you have ISMS auditing experience to contribute to the development of ISO/IEC 27007, please contact your national standards body and ask for the person leading the information security standards work. Alternatively, join the ISO27k Implementers’ Forum and submit your suggestions there. We will continue tracking and discussing the development of the standard through the Forum.
The ISO27k Implementers’ Forum developed an ISMS Auditing Guideline as a contribution to ISO/IEC 27007. The guideline was released under a Creative Commons license as a public service to ISMS auditors and reviewers. The ISMS Auditing Guideline release 1 is available here as a PDF or, if you belong to the Forum, you can download the MS Word version from the Forum files area.
JTC1/SC27 has launched a separate project to develop “Guidance for auditors on ISMS controls” - see ISO/IEC 27008 for more info.
ISACA released an exposure draft IS auditing guideline on Review of security management practices. The guide explains ISACA’s view of how IT auditors should audit the management system and does not go into depth on how to audit the actual information security controls. The comment period is over, so we await publication of a revised version.