ISO/IEC 27007

ISO/IEC 27007 is a standard on Information security, cybersecurity and privacy protection that provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published on November 14, 2011, and revised on January 21, 2020.

It is part of the ISO/IEC 27000-series family of standards about information security management system (ISMS), which is a systematic approach to securing sensitive information, of ISO/IEC. It provides standards for a robust approach to managing information security and building resilience.

Overview
The standard is about how an information security management system audit can be performed based on a variety of audit criteria, separately or in combination, which include, among others:


 * Requirements defined in ISO/IEC 27001:2013.
 * Policies and requirements specified by relevant interested parties.
 * Statutory and regulatory requirements.
 * ISMS processes and controls defined by the organization or other parties.
 * Management system plan(s) relating to the provision of specific outputs of an ISMS (e.g., plans to address risks and opportunities when establishing ISMS, plans to achieve information security objectives, risk treatment plans, project plans).

This standard is applicable to all types of organizations regardless of size and ISMS audits of varying scopes and scales, including those conducted by large audit teams, typically of larger organizations, and those by single auditors, whether in large or small organizations.

It concentrates on ISMS internal audits (first party) and ISMS audits conducted by organizations on their external providers and other external interested parties (second party). This document can also be useful for ISMS external audits conducted for purposes other than third party management system certification. ISO/IEC 27006 provides requirements for auditing ISMS for third party certification.

Terms and structure
The terms and definitions given in this standard are defined within the standard ISO/IEC 27000. The ISO/IEC 27007 standard is structured as follows: In addition to that, it has 1 annex (A):
 * Principles of auditing
 * Managing and audit programme
 * Conducting an audit
 * Competence and evaluation of auditors
 * Annex A - Guidance for ISMS auditing practice