ISO IEC 27007-2020 PDF

St ISO IEC 27007-2020

Name in English:
St ISO IEC 27007-2020

Name in Russian:
St ISO IEC 27007-2020

Description in English:

Original standard ISO IEC 27007-2020 in PDF full version. Additional info + preview on request

Description in Russian:
Original standard ISO IEC 27007-2020 in PDF, full version. Additional info + preview on request
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25967

Price:
€25

Full title and description

ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing. This international standard provides guidance for establishing and managing an ISMS audit programme, conducting ISMS audits and assessing the competence of ISMS auditors, complementing the auditing guidance given in ISO 19011.

Abstract

This document offers practical guidance on planning and managing an ISMS audit programme, on executing internal and external audits of an information security management system (ISMS), and on the competence and evaluation of auditors performing ISMS audits. It is intended for organizations and auditors who need to understand or carry out ISMS audits or manage audit programmes.

General information

  • Status: Published.
  • Publication date: January 2020 (ISO lists the publication date as 21 January 2020; the ISO news item announcing the new edition appeared on 27 January 2020).
  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), developed by ISO/IEC JTC 1/SC 27 (Information security, cybersecurity and privacy protection).
  • ICS / categories: 35.030 (IT security) and 03.120.20 (Product and company certification / conformity assessment).
  • Edition / version: Edition 3 (ISO/IEC 27007:2020).
  • Number of pages: 39 pages (ISO publication).

Scope

ISO/IEC 27007:2020 provides guidance on managing an ISMS audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. It is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

Key topics (the standard is guidance, not a set of certifiable requirements)

  • Principles of auditing as applied to ISMS audits (consistency with ISO 19011).
  • Establishing, implementing and managing an ISMS audit programme (objectives, scope, resources, risk considerations, records and continual improvement).
  • Planning and conducting audits: audit planning, fieldwork, evidence collection, reporting, nonconformity handling and follow-up.
  • Auditor competence and evaluation: knowledge, skills, personal attributes, competence assessment and maintenance for ISMS auditors.
  • Guidance specific to ISMS context (mapping audit activities to ISMS processes and controls, auditing organizational context, interested parties and information security risk treatment).

Typical use and users

Primary users include internal auditors, external/third‑party auditors and certification bodies performing ISMS conformity assessments, as well as ISMS managers, compliance officers and consultants who design or manage audit programmes. The standard is used to supplement ISO 19011 and to provide ISMS‑specific auditing practice and competence criteria.

Related standards

Commonly used together with ISO/IEC 27001 (requirements for ISMS), ISO 19011 (guidelines for auditing management systems), ISO/IEC 27000 (overview and vocabulary of the 27000 family) and ISO/IEC 27006 (requirements for bodies providing ISMS certification). ISO/IEC 27007 is designed to complement these documents and give ISMS‑specific auditing guidance.

Keywords

ISMS audit, information security audit, audit programme, auditor competence, ISO 19011, ISO/IEC 27001, conformity assessment, information security management.

FAQ

Q: What is this standard?

A: ISO/IEC 27007:2020 is an international guidance standard providing recommendations and good practice for planning, managing and conducting audits of an information security management system (ISMS).

Q: What does it cover?

A: It covers the principles of auditing applied to ISMSs, establishing and managing audit programmes, audit planning and conduct, evidence collection and reporting, handling nonconformities and the competence and evaluation of ISMS auditors. It supplements ISO 19011 with ISMS‑specific guidance.

Q: Who typically uses it?

A: Internal auditors, external auditors, certification bodies, ISMS managers, compliance officers and consultants use the standard to design, run and evaluate ISMS audit programmes and auditor competence.

Q: Is it current or superseded?

A: ISO/IEC 27007:2020 is the current published edition (3rd edition, published January 2020). The standard is subject to periodic review and may be revised through ISO/IEC technical committees.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of information security standards and is intended to be used alongside ISO/IEC 27001, ISO/IEC 27000 and related conformity assessment standards.

Q: What are the key keywords?

A: ISMS audit, audit programme, auditor competence, information security management, conformity assessment, ISO 19011, ISO/IEC 27001.