ISO IEC 27007:2020 pdf download

ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing
1 Scope
This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19011:2018, Guidelines for auditing management systems
ISO/IEC 27000:2018, Information technology - Security techniques - Information security management systems - Overview and vocabulary
5.2.2 ISMS-specific considerations for determining audit programme objectives can include:
a) identified information security requirements;
b) requirements of ISO/IEC 27001;
c) auditee's level of performance, as reflected in the occurrence of information security events and incidents and effectiveness of the ISMS;
NOTE Further information about performance monitoring, measurement, analysis and evaluation can be found in ISO/IEC 27004.
d) information security risks to the relevant parties, i.e. the auditee and audit client.
5.4.3.2 The extent of an audit programme can include the following:
a) the size of the ISMS, including:
1) the total number of persons doing work under the organization's control and relationships with interested parties and contractors that are relevant to the ISMS;
2) the number of information systems;
3) the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities) taking into account differences between sites within the ISMS scope;
c) the significance of the information security risks identified for the ISMS in relation to the business;
d) the significance of the risks and opportunities determined when planning the ISMS;
e) the importance of preserving the confidentiality, integrity and availability of information within the scope of the ISMS;
f) the complexity of the information systems to be audited, including complexity of information technology deployed;
g) the number of similar sites.
Consideration should be given in the audit programme to setting priorities that warrant more detailed examination based on the significance of information security risks and business requirements in respect to the scope of the ISMS.
NOTE Further information about determining audit time can be found in ISO/IEC 27006. Further information on multi-site sampling can be found in ISO/IEC 27006 and mandatory document 1 from the International Accreditation Forum (IAF MD 1, see Reference [11]). The information contained in ISO/IEC 27006 and IAF MD 1 only relates to certification audits.