Sunday, July 6, 2008

ISMS Auditing Guideline [ Pdf File ]

This guideline has been written by members of the ISO27k Implementers' Forum, an international online community of nearly 1,000 practitioners actively using the ISO/IEC 27000-family of Information Security Management System (ISMS) standards known colloquially as "ISO27k", and based at Our primary aim is to contribute to the development of the new standard ISO/IEC 27007 by providing what we, as experienced ISMS implementers and IT/ISMS auditors, believe is worthwhile content. A secondary aim is to provide a pragmatic and useful guideline for those involved in auditing ISMSs.

At the time of first writing this guideline (February-March 2008), ISO/IEC 27007 is currently at the first Working Draft stage ("ISO/IEC WD 27007") and has been circulated to ISO member bodies for study and comment by March 14 2008. Its working title is "Information Technology - Security techniques - Guidelines for information security management systems auditing".

The proposed outline structure of ISO/IEC WD 27007 is presently as follows:
- Foreword and introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Principles of auditing
5. Managing an audit programme
6. Audit activities
7. Competence and evaluation of auditors
- Bibliography

In the proposed structure, section 6 should presumably explain how to go about auditing an ISMS. The current working draft has headings for a guide to the audit process but little content on the actual audit tests to be performed, although in section 6.3.1 it identifies a list of items that are required by ISO/IEC 27001 and says that "Auditors should check that all these documents exist and conform to the requirements in ISO/IEC 27001:2005". This is probably the most basic type of ISMS audit test: are the specified ISMS documents present? We feel that a generic ISMS audit checklist (often called an "Internal Controls Questionnaire" by IT auditors) would be a very useful addition to the standard, and producing one was a key aim of this guideline - in fact we have produced two (see the appendices). We also aim to contribute content to draft 27007 and hope to track its development through future revisions.