ISO/IEC 27007 is a standard on Information security, cybersecurity and privacy protection that provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published on November 14, 2011, and revised on January 21, 2020.
It is part of the ISO/IEC 27000-series family of standards about information security management system (ISMS), which is a systematic approach to securing sensitive information,[1] of ISO/IEC. It provides standards for a robust approach to managing information security and building resilience.[2]
The standard is about [3] how an information security management system audit can be performed based on a variety of audit criteria, separately or in combination, which include, among others:
This standard is applicable to all types of organizations regardless of size and ISMS audits of varying scopes and scales, including those conducted by large audit teams, typically of larger organizations, and those by single auditors, whether in large or small organizations.
It concentrates on ISMS internal audits (first party) and ISMS audits conducted by organizations on their external providers and other external interested parties (second party). This document can also be useful for ISMS external audits conducted for purposes other than third party management system certification. ISO/IEC 27006 provides requirements for auditing ISMS for third party certification.
The terms and definitions given in this standard are defined within the standard ISO/IEC 27000. The ISO/IEC 27007 standard is structured as follows: [4]
In addition to that, it has 1 annex (A):