
ISO/IEC 27007:2011 (ISMS) Information Security Management Systems Auditing

Richard Regalado

Quite Involved in Discussions
#1
Since its publication, ISO/IEC 27001:2005 has referenced ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing as the guide for carrying out internal ISMS audits (see NOTE on Section 6.0 of ISO/IEC 27001:2005). With the publication of ISO/IEC 27007:2011 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42506), the ISO 27000 family of standards finally has an auditing guide specific to information security.

The standard covers the ISMS-specific aspects of compliance auditing:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
  • Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
  • Managing ISMS auditors (competencies, skills, attributes, evaluation).
Above quote taken from: http://iso27001security.com/html/27007.html

Whilst ISO/IEC 27007:2011 provides auditing guidance for ISMS, a separate standard exists for auditing the implementation of security controls - ISO/IEC TR 27008:2011.
 

Richard Regalado

Quite Involved in Discussions
#3
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.
 
#4
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.
Hi Richard

As per ISO 27007, let's say a bank or insurance company is planning its internal audit programme - does the standard specify if the internal audit should cover all of the branches/sites?
 

Tyranna

Starting to get Involved
#5
Is it a requirement to audit the technical aspect of the controls, i.e. see if the control works technically vs. determining if a control exists and how/when the control is used? I audit internally and have been thinking about the technical aspect of the controls vs. the requirement that controls are in place and used. Guidance is appreciated. Thanks!
 

Richard Regalado

Quite Involved in Discussions
#6
Hi Richard

As per ISO 27007, let's say a bank or insurance company is planning its internal audit programme - does the standard specify if the internal audit should cover all of the branches/sites?
Sorry serouj for the late reply. The internal audit should cover the parts of the organization as described in the scope statement. At least, this is what is expected by a 3rd-party certification body, if you are certified. But beyond certification, I believe it is prudent to audit all branches/sites to have a good measure of how information is being protected all throughout the organization.
 

Richard Regalado

Quite Involved in Discussions
#7
Is it a requirement to audit the technical aspect of the controls, i.e. see if the control works technically vs. determining if a control exists and how/when the control is used? I audit internally and have been thinking about the technical aspect of the controls vs. the requirement that controls are in place and used. Guidance is appreciated. Thanks!
Hello Tyranna. Auditors need to audit to achieve a level of confidence that the control is working, whether technical or non-technical. If, for example, I am auditing the control for malware, aside from checking the version of the virus definition files, I would also check the logs, and will trace whether any viral incident has affected the organization.
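To illustrate the evidence-gathering approach described in the reply above (definition currency, log review, and whether detections were actually remediated), here is an added example that is not from the forum post or from the standard. Host names, the 3-day freshness threshold, the audit date and the log lines are all constructed for the example.

```python
from datetime import date, datetime

# Assumed policy threshold for definition age; ISO/IEC 27007 sets no such number.
MAX_DEFINITION_AGE_DAYS = 3
AUDIT_DATE = date(2012, 3, 15)  # constructed audit date

# Constructed sample: definition-file date reported by each sampled host.
HOSTS = {
    "ws-finance-01": date(2012, 3, 14),
    "ws-finance-02": date(2012, 2, 20),  # stale definitions
    "srv-file-01": date(2012, 3, 15),
}

# Constructed antivirus log lines: timestamp|host|event|detail
AV_LOG = """\
2012-03-02 09:14:05|ws-finance-02|DETECTED|Trojan.Generic on finance-share
2012-03-02 09:14:06|ws-finance-02|QUARANTINED|Trojan.Generic
2012-03-10 17:40:11|srv-file-01|DETECTED|Worm.Sample on tmp-share
2012-03-14 08:00:00|ws-finance-01|DEFINITIONS_UPDATED|v12345
"""

def stale_hosts(hosts, audit_date=AUDIT_DATE, max_age=MAX_DEFINITION_AGE_DAYS):
    """Hosts whose definitions are older than the policy allows at audit time."""
    return sorted(h for h, d in hosts.items() if (audit_date - d).days > max_age)

def parse_av_log(text):
    """Split each pipe-delimited line into (timestamp, host, event, detail)."""
    events = []
    for line in text.splitlines():
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, event, detail))
    return events

def unresolved_detections(events):
    """Detections with no later QUARANTINED/CLEANED event on the same host."""
    open_items = []
    for ts, host, event, detail in events:
        if event != "DETECTED":
            continue
        resolved = any(h == host and e in ("QUARANTINED", "CLEANED") and t >= ts
                       for t, h, e, _ in events)
        if not resolved:
            open_items.append((host, detail))
    return open_items

def audit_malware_control(hosts, log_text):
    """Return audit findings: the control exists, but is it demonstrably working?"""
    findings = [f"{h}: definitions older than {MAX_DEFINITION_AGE_DAYS} days"
                for h in stale_hosts(hosts)]
    findings += [f"{host}: detection not remediated ({detail})"
                 for host, detail in unresolved_detections(parse_av_log(log_text))]
    return findings
```

Run `audit_malware_control(HOSTS, AV_LOG)` to get the two findings for the constructed sample: one stale host and one detection that was never quarantined.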
 