Introduction
This guideline has been written by members of the ISO27k Implementers' Forum, an international online community of nearly 1,000 practitioners actively using the ISO/IEC 27000-family of Information Security Management System (ISMS) standards known colloquially as "ISO27k", and based at ISO27001security.com. Our primary aim is to contribute to the development of the new standard ISO/IEC 27007 by providing what we, as experienced ISMS implementers and IT/ISMS auditors, believe is worthwhile content. A secondary aim is to provide a pragmatic and useful guideline for those involved in auditing ISMSs.
At the time of first writing this guideline (February-March 2008), ISO/IEC 27007 is at the first Working Draft stage ("ISO/IEC WD 27007") and has been circulated to ISO member bodies for study and comment by March 14 2008. Its working title is "Information Technology - Security techniques - Guidelines for information security management systems auditing".
The proposed outline structure of ISO/IEC WD 27007 is presently as follows:
- Foreword and introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Principles of auditing
5. Managing an audit programme
6. Audit activities
7. Competence and evaluation of auditors
- Bibliography
In the proposed structure, section 6 should presumably explain how to go about auditing an ISMS. The current working draft has headings for a guide to the audit process but little content on the actual audit tests to be performed, although in section 6.3.1 it identifies a list of items that are required by ISO/IEC 27001 and says that "Auditors should check that all these documents exist and conform to the requirements in ISO/IEC 27001:2005". This is probably the most basic type of ISMS audit test: are the specified ISMS documents present? We feel that a generic ISMS audit checklist (often called an "Internal Controls Questionnaire" by IT auditors) would be a very useful addition to the standard, and producing one was a key aim of this guideline - in fact we have produced two (see the appendices). We also aim to contribute content to draft 27007 and hope to track its development through future revisions.
Sunday, July 6, 2008