ISO/IEC 27007:2017 — Information technology — Security techniques — Guidelines for information security management systems auditing (second edition)
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).
ISO/IEC 27007 draws heavily on ISO 19011, the standard for auditing management systems, providing additional ISMS-specific guidance.
The standard covers the ISMS-specific aspects of compliance auditing:
- Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
- Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
- Managing ISMS auditors (competencies, skills, attributes, evaluation).
The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not terribly helpful explanatory comments. However the annex lays out in more detail specific audit tests concerning the organization’s compliance with the main body of ISO/IEC 27001.
Other guidelines for ISMS auditing
See ISO/IEC 27008 re auditing the information security controls as opposed to the management system.
Status of the standard
The standard was first published on 2011 and revised in October 2017.
This standard concerns ISO27k compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS. There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! For a peek at the broader remit and different operating styles and techniques of IT auditors, see the IT Audit FAQ.
< Previous standard ^ Up a level ^ Next standard >