Richard Regalado
#1
Since its publication, ISO/IEC 27001:2005 has referenced ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing as the guide for carrying out internal ISMS audits (see NOTE on Section 6.0 of ISO/IEC 27001:2005). With the publication of ISO/IEC 27007:2011 (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42506), the ISO 27000 family of standards finally has an auditing guide specific to information security.

The standard covers the ISMS-specific aspects of compliance auditing:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
  • Performing an ISMS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
  • Managing ISMS auditors (competencies, skills, attributes, evaluation).
Above quote taken from: http://iso27001security.com/html/27007.html

Whilst ISO/IEC 27007:2011 provides auditing guidance for the ISMS, a separate standard exists for auditing the implementation of security controls - ISO/IEC TR 27008:2011.
 

Richard Regalado
#3
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Yes Marc. I am an active contributor to the site. If you check the toolkit on the same site, some of my materials are published there for free download and use. No commercial relationship though.

We also have a Google group which aims to assist newbies in the implementation of ISO 27001.
 
#4
Re: ISO/IEC 27007:2011 Guidelines for ISMS Auditing

Hi Richard

As per ISO 27007, let's say a bank or insurance company is planning its internal audit programme - does the standard specify if the internal audit should cover all of the branches/sites?