BS ISO/IEC 27007:2011
Information security management systems – Guidelines for information security management systems auditing
What is it?
BS ISO/IEC 27007:2011 provides guidance on how to audit an Information Security Management System (ISMS) built using BS ISO/IEC 27001. It is a specialist supplement to BS EN ISO/IEC 19011, the generic international standard on auditing management systems. Unlike BS ISO/IEC 27006, which applies only to audits carried out for the purpose of third-party certification, BS ISO/IEC 27007 applies to all forms of ISMS auditing, whether internal (first-party), supplier (second-party) or external (third-party).
BS ISO/IEC 27007:2011 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that use an ISMS built using BS ISO/IEC 27001. Internal auditing is an essential requirement of BS ISO/IEC 27001.
How does it work?
BS ISO/IEC 27007:2011 provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence requirements for ISMS auditors.
BS ISO/IEC 27007:2011 follows the same structure as BS EN ISO/IEC 19011, and is designed to be used as a supplement to that international standard. Where necessary, it specifies the additional guidance needed to audit an ISMS built using BS ISO/IEC 27001. An annex to BS ISO/IEC 27007:2011 identifies each section of ISO/IEC 27001:2005 with auditable requirements, and specifies good audit practice to assess whether each of those requirements has been met.
Who should buy it?
Anyone who has, or plans to implement, an ISMS based on BS ISO/IEC 27001 needs BS ISO/IEC 27007:2011. It is an essential supporting standard needed to operate an ISMS successfully.
It is an essential document for external auditors who wish to perform ISMS audits.
It will also be useful for anyone needing insight into the practical aspects of how an ISO/IEC 27001 ISMS can and will be assessed.
Revision
BS ISO/IEC 27007:2011 is currently being revised to align with the new edition of ISO/IEC 27001, BS ISO/IEC 27001:2013. Although the requirements in the new edition of ISO/IEC 27001 have been restructured, most of the audit practice and guidance within BS ISO/IEC 27007:2011 is equally applicable to an ISMS built using the latest edition of ISO/IEC 27001; the main change is that the annex mapping auditable requirements to ISO/IEC 27001:2005 clauses no longer matches the 2013 clause numbering.
Until a new edition of BS ISO/IEC 27007 is published, there are a number of books available from the BSI Shop that explain the differences in audit practice required between the two versions of BS ISO/IEC 27001. Particularly recommended is BIP 0072:2013 Are you ready for an ISMS audit based on ISO/IEC 27001?