ISO/IEC 27007
ISO/IEC 27007:2020 – Privacy protection, information security, and cybersecurity – Guidelines for information security management systems auditing (3rd edition)
Introduction
ISO/IEC 27007 is intended for accreditation agencies, internal auditors, third-party auditors, and others auditing management systems against ISO/IEC 27001 (i.e. checking compliance with the standard).
The ISO/IEC 27007 standard makes extensive use of ISO 19011, the management system standard, for specific guidance about ISMS.
Standard’s structure
The standard covers the following aspects of ISMS compliance auditing:
– Overseeing the ISMS audit program (determining what to audit, when to audit it, and how to audit it; choosing the right auditor; addressing audit risks; maintaining audit files; improving the process continuously);
– Conducting an ISMS MS audit (audit process – designing, conducting, and executing audits, which includes data collection, analysis, reporting, and follow-up);
– Supervising ISMS auditors (expertise, skills, attributes, evaluation).
In most of the standard, ISO 19011 is applied to ISMSs, but a few unhelpful comments are supporting the application. The annexe, on the other hand, outlines more precisely specific audits that must be conducted to verify the organization’s compliance with ISO/IEC 27001.
Additional guidelines for ISMS auditing
A guide to auditing information security controls can be found in ISO/IEC 27008.
The standard’s status
The standard was published for the first time in 2011.
In 2017, a second edition was published.
January 2020 marked the publication of the third revision, aligning the standards with ISO 19011:2018.
Commentary
The standard describes compliance auditing, a specific type of audit with a very specific purpose: to determine whether an organization’s ISMS complies with (i.e. meets the requirements specified formally by) ISO/IEC 27001. Auditing for certification purpose is its focus.
Audits can be categorized into several different types with quite different objectives. Please do not think that all auditors are merely compliance auditors, or to think that all audits are compliance audits! The internal audit of an ISMS, for instance, can be useful for evaluating the company’s plans, concepts, practices, and policies related to information and privacy risk management and governance, as well as incidentally referencing ISO27k.