ISO/TR 27008:2011

ISO/TR 27008:2011, Information technology – Security techniques – Guidelines for auditors on information security controls, is a Technical Report (TR) published in 2011. It does not define new controls; it provides guidance and technical compliance checks for auditors who review information security controls, to help improve the effectiveness of an organization’s information security management system.

The document supports a rigorous organizational security audit and review program for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is fit for purpose.

ISO/TR 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. It is principally aimed at information security auditors who need to check the technical compliance of an organization’s information security controls against ISO 27002 and any other control standards used by the organization.

ISO/TR 27008 will help the auditors to:

  • Identify and understand the extent of potential problems and shortfalls of information security controls
  • Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
  • Prioritize information security risk mitigation activities
  • Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
  • Support budgetary decisions within the investment process and other management decisions relating to improvement of the organization’s information security management

ISO/TR 27008 is part of a series of standards (ISO 27000) on information security management systems:

ISO 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO 27001:2005, Information technology — Security techniques — Information security management systems — Requirements

ISO 27002:2005, Information technology — Security techniques — Code of practice for information security management

ISO 27003:2010, Information technology — Security techniques — Information security management system implementation guidance

ISO 27004:2009, Information technology — Security techniques — Information security management — Measurement

ISO 27005:2011, Information technology — Security techniques — Information security risk management

ISO 27006:2011, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

ISO 27007:2011, Information technology — Security techniques — Guidelines for information security management systems auditing

ISO/TR 27008:2011, Information technology — Security techniques — Guidelines for auditors on information security controls

We offer training on the requirements and auditing of information security management systems. You can view a course description and select a class by clicking on a course title below:

ISO 27001 Requirements
ISO 27001 Internal Auditor
ISO 27001 Lead Auditor