BS ISO IEC 27007:2011 pdf download

BS ISO IEC 27007:2011 pdf download. Information technology - Security techniques - Guidelines for information security management systems auditing
The processes and procedures for ISO/IEC 27001:2005 4.2.1 c) to j) are required to be defined, implemented and documented as a risk assessment approach, in accordance with the management statement described in the organization's ISMS policy (i.e. 4.2.1 b) 4), the criteria against which risk will be evaluated). The approach is defined as including how compliance with legal, contractual and other relevant requirements is handled in relation to the risks and assets that the organization should manage strategically in the context of its business and its risk assessment. At the audit, it should be confirmed that the approach is implemented and performed as required by ISO/IEC 27001:2005 4.2.1 b) to j).
The auditor should confirm that the results produced by the risk assessment approach are comparable and reproducible.
In other words, the auditor should confirm that the approach enables different personnel in charge of risk assessment to reach the same results regardless of who conducts the assessment and when, provided that they have a certain level of competence in risk assessment and assess the same assets in accordance with the processes and procedures defined in the approach. If a different result is produced, the approach should enable them to identify where and why the difference occurred in the risk assessment. It is also necessary that the approach leads to the same selection of controls for risk treatment whenever the estimated risks are the same, i.e. the same risk level and the same features (assets and security requirements).
This confirmation should be performed by sampling records from the risk assessment report and tracing them both forward and backward along the risk assessment process sequence, combined with on-site audits of the assets concerned.
Criteria for accepting risks are often influenced by the organization's management policies, goals, technology, funds, relevant laws and regulations, and interested parties, and they are ultimately defined by the organization. It is therefore necessary for auditors to review with due attention the effectiveness of the criteria in terms of those factors, as well as confirming that the criteria have been defined and exist. Auditors may refer to ISO/IEC 27005:2008 clause 7.2 for detailed interpretations of risk acceptance criteria.
The auditor should review the asset inventory to confirm that all relevant important assets in the scope of the ISMS are included in the inventory and that accountable owners have been identified for all of them. The auditor should also review the identification of threats related to the assets, the vulnerabilities exploited by those threats, and the security failures they cause, i.e. the incident scenarios described in ISO/IEC 27005.
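The reproducibility check and the inventory check above can be rehearsed on sample records before an audit. The following is an added example, not text or code from ISO/IEC 27007 or any ISMS tool: it assumes a deliberately simple, constructed risk assessment approach (asset value, threat likelihood and vulnerability severity each rated 1 to 3, multiplied into a score, banded into a level, with a fixed mapping from level to treatment controls) and a constructed asset inventory and set of assessment records. Given two assessors' records for the same asset, it traces forward through the approach and reports the first step at which their results diverge, which is exactly the "where and why" an auditor wants to locate; it also lists assets without an accountable owner and assets in scope that no record covers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed approach (an assumption for this example, not from the standard):
# score = asset_value * threat_likelihood * vulnerability_severity, each 1..3.
LEVEL_BANDS = [(1, 3, "low"), (4, 9, "medium"), (10, 27, "high")]
CONTROLS_BY_LEVEL = {
    "low": ["accept"],
    "medium": ["access control review"],
    "high": ["encryption", "access control review"],
}


@dataclass(frozen=True)
class Assessment:
    assessor: str
    asset: str
    asset_value: int            # 1..3
    threat_likelihood: int      # 1..3
    vulnerability_severity: int  # 1..3

    def score(self) -> int:
        return self.asset_value * self.threat_likelihood * self.vulnerability_severity

    def level(self) -> str:
        s = self.score()
        for lo, hi, name in LEVEL_BANDS:
            if lo <= s <= hi:
                return name
        raise ValueError(f"score {s} is outside the defined bands")

    def controls(self) -> List[str]:
        # Same level must always yield the same control selection.
        return list(CONTROLS_BY_LEVEL[self.level()])

    def trace(self) -> List[Tuple[str, object]]:
        """Forward trace through the approach: each process step with its result."""
        return [
            ("asset_value", self.asset_value),
            ("threat_likelihood", self.threat_likelihood),
            ("vulnerability_severity", self.vulnerability_severity),
            ("score", self.score()),
            ("level", self.level()),
            ("controls", self.controls()),
        ]


def divergent_steps(a: Assessment, b: Assessment) -> List[str]:
    """Steps, in process order, at which two assessments of one asset disagree.
    The first entry is where the difference was introduced."""
    if a.asset != b.asset:
        raise ValueError("only assessments of the same asset are comparable")
    return [name for (name, x), (_, y) in zip(a.trace(), b.trace()) if x != y]


def check_reproducibility(records: List[Assessment]) -> Dict[str, List[str]]:
    """Per asset, the steps where later records diverge from the first record.
    An empty list means the assessments of that asset were reproducible."""
    by_asset: Dict[str, List[Assessment]] = {}
    for r in records:
        by_asset.setdefault(r.asset, []).append(r)
    report: Dict[str, List[str]] = {}
    for asset, recs in by_asset.items():
        steps: List[str] = []
        for other in recs[1:]:
            for s in divergent_steps(recs[0], other):
                if s not in steps:
                    steps.append(s)
        report[asset] = steps
    return report


def unowned_assets(inventory: Dict[str, str]) -> List[str]:
    """Assets in the inventory with no accountable owner recorded."""
    return [asset for asset, owner in inventory.items() if not owner.strip()]


def unassessed_assets(inventory: Dict[str, str], records: List[Assessment]) -> List[str]:
    """Assets in scope that no risk assessment record covers."""
    assessed = {r.asset for r in records}
    return [asset for asset in inventory if asset not in assessed]


# Constructed sample inventory (asset -> owner) and assessment records.
INVENTORY = {"HR database": "HR manager", "Web server": "IT operations", "Backup tapes": ""}
RECORDS = [
    Assessment("assessor A", "HR database", 3, 2, 1),
    Assessment("assessor B", "HR database", 3, 2, 1),   # same inputs, same result
    Assessment("assessor A", "Web server", 2, 2, 1),
    Assessment("assessor B", "Web server", 2, 2, 3),    # rated the vulnerability higher
]

if __name__ == "__main__":
    for asset, steps in check_reproducibility(RECORDS).items():
        print(asset, "reproducible" if not steps else f"diverges from step {steps[0]!r}")
    print("no owner:", unowned_assets(INVENTORY))
    print("not assessed:", unassessed_assets(INVENTORY, RECORDS))
```

For the "Web server" records the report names `vulnerability_severity` first, followed by the score, level and controls that changed as a consequence, so the auditor can distinguish an input rated differently from a defect in the scoring or control-selection rules themselves; the latter would show a divergence at `score` or `controls` with identical inputs.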
