ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)
“This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.”
[Source: ISO/IEC 27007:2020]
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for conformity with the standard).
The standard covers the ISMS-specific aspects of conformity auditing:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
- Managing ISMS auditors (competencies, skills, attributes, evaluation).
The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not terribly helpful explanatory comments. However, the annex lays out in more detail specific audit tests concerning the organisation’s conformity with the main body of ISO/IEC 27001.
Other standards for ISMS auditing
ISO/IEC 27007 draws heavily on ISO 19011, the standard for auditing management systems, providing additional ISMS-specific guidance.
See ISO/IEC 27008 for advice on auditing information security controls.
Status of the standard
The standard was first published in 2011.
A second edition was published in 2017.
The third edition was published in 2020 - an update for the 2018 release of ISO 19011.
This standard primarily concerns conformity/compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organisation’s ISMS is in conformity with (i.e. fulfills the management system requirements specified formally by) ISO/IEC 27001. Such audits are normally performed for certification purposes.
There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance/conformity auditors, or that all audits are compliance/conformity audits! Specifically in relation to the management system, competent auditors might for instance:
- Evaluate the organisation’s strategies and policies relating to information and privacy risk management, incident management, fraud etc. for aspects such as strategic fit, currency, relevance, readability, coverage, suitability and quality (fitness for purpose);
- Audit workers’ conformity with organisational policies, procedures, directives, guidelines, employment contracts/agreements and so on, in the general area of information risk, information security and privacy;
- Delve into the root causes of ongoing issues and repetitive incidents, including near-misses and lesser events;
- Examine the governance arrangements in this area e.g. organisational structure, internal and external reporting relationships, information flows within and between management layers, accountabilities, roles and responsibilities ...;
- Audit the organisation’s compliance/conformity with other relevant obligations and expectations, aside from ISO/IEC 27001 e.g. privacy and data protection laws, intellectual property protection, health and safety plus employment laws, fire codes and building standards, technical security standards, supplier, partner and customer agreements, industry guidelines, ethical codes ..., including the associated arrangements such as enforcement actions, and how the organisation ensures it remains up to date with changes;
- Audit the effectiveness and efficiency of the ISMS, including aspects such as the net value (benefits less costs) it generates for the business, and any unrealised potential;
- Examine ‘assurance’, ‘integrity’, ‘confidentiality’, ‘availability’, ‘risk’, ‘information risk management’, ‘compliance’, ‘privacy’ etc. in the broad, deliberately interpreting such words and phrases very widely to take in related aspects that are not usually considered in any depth;
- Review improvements made and explore further opportunities to improve the ISMS;
- Examine the organisation’s potential and actual exploitation of other standards, methods and frameworks relating to information risk and security management;
- Survey, compare and contrast various stakeholders’ opinions, comments and suggestions on the ISMS, teasing-out the deeper, longstanding concerns that normally remain hidden/unspoken;
- Follow-up on previous ISMS audits, reviews, penetration tests, security assessments, post incident reports etc., delving deeper into areas of concern or extending the scope, and examining the manner in which audits etc. are scoped, conducted, reported, actioned, closed off etc.;
- Explore the management aspects of business continuity and resilience;
- Look into the integration and interoperability etc. of various management systems with the ISMS;
- Audit the organisation’s information management as a whole, such as the integration of risk and security aspects with other business imperatives;
- Benchmark the ISMS against comparable organisations or business units, or against other operational management systems e.g. quality assurance, environmental protection;
- Measure and comment on the organisation’s maturity in this area;
- Review the organisation’s use of security metrics, reports, and management information.
Although that is not even a complete list, there are clearly plenty of creative possibilities here, in addition to the obvious ‘conformity with the standard’ approach. One of the best things about auditing is the chance to do something different for a change, making use of the auditors’ independence, competence, experience, skills, focus, information access, rigorous methods etc. to get into aspects that typically never get done as part of routine management and operations. Some see audits as threats to be avoided or minimised: speaking as a former (lapsed? Reformed!) IT auditor, I see them as valuable business opportunities to be exploited to the max!