Today, information security is not only a business requirement, but also a legal one. Each organization should take care to keep confidential information, personal information and other protected information secure. A large number of state and private organizations have decided to implement an information security management system (ISMS) based on the ISO/IEC 27001 standard, which is one of the best known and recognized international standards regarding ISMS requirements in the world. If you have not already done so, IKMJ and our specialists are ready to help you effectively manage information security in your organization.
The ISO/IEC 27000 family of standards is quite extensive, we will focus our attention on the relatively recently updated ISO/IEC 27007 standard. Information technology – Security techniques – Guidelines for auditing information security management systems. ISO/IEC 27007 provides guidance on how to perform effective information security management system (ISMS) audits to ensure that they are as robust and competent as they should be. The main reason for the update is to adapt the ISO/IEC 27007 standard to the changes that have been introduced to the ISO 19011 standard – Guidelines for the audit of management systems.
The ISO/IEC 27007 standard provides extensive guidelines for auditing the requirements set out in ISO/IEC 27001 and the competence of ISMS auditors. Annex A provides guidance on the practice of conducting an ISMS audit along with the requirements of ISO/IEC 27001: 2013, Chapters 4-10.
The standard focuses on internal ISMS audits (first party audits) and ISMS audits by organizations at suppliers or other external stakeholders (second party audits). The standard may also be useful for external ISMS audits for purposes other than third party certification of the management system. ISO/IEC 27006 specifies ISMS audit requirements for third party certification; this document may provide useful additional guidance.
An information security management system (ISMS) audit can be performed against a number of audit criteria, individually or in combination, including but not limited to:
- the requirements set out in ISO/IEC 27001: 2013;
- policies and requirements established by relevant stakeholders;
- legal and other requirements;
- processes and controls for the ISMS as defined by the organization or other parties;
- management system plans related to the delivery of specific ISMS results (e.g. plans to address risks and opportunities in establishing an ISMS, plans to achieve information security objectives, risk treatment plans, project plans).
It is worth noting that the guidelines contained in the ISO/IEC 27007: 2020 standard should be adapted to the scope, complexity and scale of the audit program and should be used in conjunction with the guidelines contained in ISO 19011: 2018. Recall that the ISO 19011: 2018 standard contains guidelines for managing audit programs, conducting audits of internal or external management systems, and the competence and assessment of management system auditors.
Do you need to check the compliance of your information security management system?
Use the services of IKMJ in the field of ISMS audit, audit of compliance with other requirements!