ISO 27007 Audit Guidance

The second edition of ISO 27007, “Information technology – Security techniques – Guidelines for information security management systems auditing,” has been published.

ISO 27007:2017 provides guidance on managing an information security management system (ISMS) audit program, on conducting audits, and on the competence of ISMS auditors. It gives guidance for auditing all the requirements stated in ISO 27001.

ISO 27007 is intended to be used in conjunction with the audit guidance contained in ISO 19011:2011, and follows the same structure as that International Standard.

The 41-page ISO 27007 standard can be purchased at www.ISO.org for about $160. Members of ANSI can buy it for $148 at www.ANSI.org. Non-ANSI members can buy it for $185.

ISO News Release (edited):
To continue providing the products and services that we expect, businesses will handle increasingly large amounts of data. The security of this information is a major concern to companies and consumers, and fueled by many high-profile cyberattacks.

The havoc caused by these attacks runs from celebrities embarrassed by careless photos, to the loss of medical records, to ransom threats amounting to millions that have hit even the most powerful corporations.

Where such data contains personal, financial, or medical information, companies have a moral and legal obligation to keep it safe from cybercriminals. That’s where International Standards like the ISO 27000 family come in, helping organizations manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.

For the person charged with auditing a company, it can be a complex process. Likewise, getting ready for a smooth audit requires preparation and attention to detail. That’s why ISO 27007 exists. It helps both parties thoroughly prepare by providing clear guidance. First published in 2011, ISO 27007 has now been updated to align with ISO 27001:2013.