ISO/IEC 27007:2011 (ISMS) Information Security Management Systems Auditing

Richard Regalado

Trusted Information Resource
Since its publication, ISO/IEC 27001:2005 has referenced ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing as the guide for carrying out internal ISMS audits (see NOTE on Section 6.0 of ISO/IEC 27001:2005). With the publication of ISO/IEC 27007:2011 (https://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42506), the ISO 27000 family of standards finally has an auditing guide specific to information security.

The standard covers the ISMS-specific aspects of compliance auditing:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
  • Performing an ISMS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
  • Managing ISMS auditors (competencies, skills, attributes, evaluation).
Above quote taken from: https://iso27001security.com/html/27007.html

Whilst ISO/IEC 27007:2011 provides auditing guidance for ISMS, a separate standard exists for auditing the implementation of security controls - ISO/IEC TR 27008:2011.
 

Richard Regalado

Trusted Information Resource
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.
 

serouj

Registered
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.

Hi Richard

As per ISO 27007, let's say a bank or insurance company is planning its internal audit programme - does the standard specify if the internal audit should cover all of the branches/sites?
 

Tyranna

Involved In Discussions
Is it a requirement to audit the technical aspect of the controls, i.e. see if the control works technically vs. determining if a control exists and how/when the control is used? I audit internally and have been thinking about the technical aspect of the controls vs. the requirement that controls are in place and used. Guidance is appreciated. Thanks!
 

Richard Regalado

Trusted Information Resource
Hi Richard

As per ISO 27007, let's say a bank or insurance company is planning its internal audit programme - does the standard specify if the internal audit should cover all of the branches/sites?

Sorry serouj for the late reply. The internal audit should cover the parts of the organization as described in the scope statement. At least, this is what is expected by a 3rd-party certification body, if you are certified. But beyond certification, I believe it is prudent to audit all branches/sites to have a good measure on how information is being protected all throughout the organization.
 

Richard Regalado

Trusted Information Resource
Is it a requirement to audit the technical aspect of the controls, i.e. see if the control works technically vs. determining if a control exists and how/when the control is used? I audit internally and have been thinking about the technical aspect of the controls vs. the requirement that controls are in place and used. Guidance is appreciated. Thanks!

Hello Tyranna. Auditors need to audit to achieve a level of confidence that the control is working, whether technical or non-technical. If, for example, I am auditing the control for malware, aside from checking the version of the virus definition files, I would also check the logs, and will trail if any viral incident has affected the organization.
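The evidence-gathering described in the reply above (definition freshness plus a trail through the detection logs) can be made repeatable. The following is an added illustration, not Richard's own method nor anything from ISO/IEC 27007; the log format, field names (`event=`, `host=`, `action=`), the five-day freshness threshold and the sample log lines are all constructed assumptions for the example.

```python
"""Evidence checks an ISMS internal auditor could run over an exported
endpoint anti-malware log: are definitions current on every host, how many
detections occurred, and which detections were not contained and so need
follow-up. Added example; log format and thresholds are assumptions."""
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). One event per line, key=value fields.
SAMPLE_LOG = """\
2011-11-01 08:00:12 host=ws-017 event=DEFINITIONS_UPDATED version=2011.11.01.3
2011-11-02 13:42:05 host=ws-017 event=DETECTION name=EICAR-Test-File action=quarantined
2011-11-03 09:10:44 host=srv-03 event=DEFINITIONS_UPDATED version=2011.11.03.1
2011-11-04 17:25:31 host=srv-03 event=DETECTION name=Trojan.Generic action=cleaned
2011-11-05 11:05:09 host=ws-022 event=DETECTION name=Worm.Sample action=failed
2011-11-06 06:30:00 host=ws-022 event=DEFINITIONS_UPDATED version=2011.11.06.2
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.*)$")

# Actions that mean the detection was contained; anything else needs follow-up.
CONTAINED = {"quarantined", "cleaned", "deleted"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the audit
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def audit_malware_control(events, as_of, max_definition_age=timedelta(days=5)):
    """Return audit findings for the anti-malware control.

    stale_definitions: hosts whose latest definition update is older than
                       max_definition_age as of the audit date (or missing)
    detections:        total number of DETECTION events seen
    unresolved_detections: detections whose action was not a containment
    """
    latest_update = {}
    findings = {"stale_definitions": [], "detections": 0, "unresolved_detections": []}
    for e in events:
        host = e.get("host", "unknown")
        if e.get("event") == "DEFINITIONS_UPDATED":
            if host not in latest_update or e["ts"] > latest_update[host]:
                latest_update[host] = e["ts"]
        elif e.get("event") == "DETECTION":
            findings["detections"] += 1
            if e.get("action") not in CONTAINED:
                findings["unresolved_detections"].append((host, e.get("name"), e.get("action")))
    for host in sorted({e.get("host", "unknown") for e in events}):
        last = latest_update.get(host)
        if last is None or as_of - last > max_definition_age:
            findings["stale_definitions"].append(host)
    return findings


def run_sample():
    """Run the checks over the constructed log with an assumed audit date."""
    return audit_malware_control(parse_log(SAMPLE_LOG), as_of=datetime(2011, 11, 7))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Each finding maps to an audit question from the thread: `stale_definitions` is the "version of the virus definition files" check done per host rather than on one sampled machine, and `unresolved_detections` is the trail through the logs for incidents that actually affected the organisation, since a detection whose action was `failed` is the one that warrants asking what happened next.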
 

Ozzmaradny

Registered
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.
Can I join? I'm a 3rd party lead Auditor and Consultant for 27001 and 20000
 

Randy

Super Moderator
Can I join? I'm a 3rd party lead Auditor and Consultant for 27001 and 20000
You'd be better served to contact him directly; trying here would probably be a dead end.

Note - Pay attention to the dates on the earlier Posts
 