ISO/IEC 27007:2011
Information technology — Security techniques — Guidelines for information security management systems auditing
ISO/IEC 27007:2011 provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
ISO/IEC 27007:2011 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
| Get this standard | Prices exclude GST | |
|---|---|---|
| PDF ( Single user document) |
$126.00 NZD
|
|
| HardCopy |
$173.00 NZD
|
|
| Networkable PDF |
Price varies
|
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.1.1 IS 5.1 General
5.2 Establishing the audit programme objectives
5.2.1 IS 5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
5.3.2 Competence of the person managing the audit programme
5.3.3 Determining the extent of the audit programme
5.3.3.1 IS 5.3.3 Determining the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 Identifying audit programme resources
5.3.6.1 IS 5.3.6 Identifying audit programme resources
5.4 Implementing the audit programme
5.4.1 General
5.4.1.1 IS 5.4.1 General
5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 Selecting the audit methods
5.4.3.1 IS 5.4.3 Selecting the audit methods
5.4.4 Selecting the audit team members
5.4.4.1 IS 5.4.4 Selecting the audit team members
5.4.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 Managing the audit programme outcome
5.4.7 Managing and maintaining audit programme records
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme
6 Performing an audit
6.1 General
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
6.2.3.1 IS 6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
6.3.2 Preparing the audit plan
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents
6.4 Conducting the audit activities
6.4.1 General
6.4.2 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.3.1 IS 6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Assigning roles and responsibilities of guides and observers
6.4.6 Collecting and verifying information
6.4.6.1 IS 6.4.6 Collecting and verifying information
6.4.7 Generating audit findings
6.4.8 Preparing audit conclusions
6.4.9 Conducting the closing meeting
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.1.1 IS 7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.3.1 General
7.2.3.2 Generic knowledge and skills of management system auditors
7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.3.1 IS 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.4 Generic knowledge and skills of an audit team leader
7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
7.2.4 Achieving auditor competence
7.2.4.1 IS 7.2.4 Achieving auditor competence
7.2.5 Audit team leader
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Keep me up-to-date
Sign up to receive updates when there are changes to this standard
Related Information
Similar Standards
-
AS/NZS 50004:2023
Energy management systems — Guidance for the implementation, maintenance and improvement of an AS/NZS ISO 50001 energy management system (ISO 50004:2020, (E.D. 1.0), MOD)
-
AS/NZS ISO 10006:2018
Quality management - Guidelines for quality management in projects -
AS/NZS ISO 30302:2023
Information and documentation - Management systems for records - Guidelines for implementation
-
AS/NZS ISO 50001:2021
Energy management systems - Requirements with guidance for use
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.1.1 IS 5.1 General
5.2 Establishing the audit programme objectives
5.2.1 IS 5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
5.3.2 Competence of the person managing the audit programme
5.3.3 Determining the extent of the audit programme
5.3.3.1 IS 5.3.3 Determining the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 Identifying audit programme resources
5.3.6.1 IS 5.3.6 Identifying audit programme resources
5.4 Implementing the audit programme
5.4.1 General
5.4.1.1 IS 5.4.1 General
5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 Selecting the audit methods
5.4.3.1 IS 5.4.3 Selecting the audit methods
5.4.4 Selecting the audit team members
5.4.4.1 IS 5.4.4 Selecting the audit team members
5.4.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 Managing the audit programme outcome
5.4.7 Managing and maintaining audit programme records
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme
6 Performing an audit
6.1 General
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
6.2.3.1 IS 6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
6.3.2 Preparing the audit plan
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents
6.4 Conducting the audit activities
6.4.1 General
6.4.2 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.3.1 IS 6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Assigning roles and responsibilities of guides and observers
6.4.6 Collecting and verifying information
6.4.6.1 IS 6.4.6 Collecting and verifying information
6.4.7 Generating audit findings
6.4.8 Preparing audit conclusions
6.4.9 Conducting the closing meeting
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.1.1 IS 7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.3.1 General
7.2.3.2 Generic knowledge and skills of management system auditors
7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.3.1 IS 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
7.2.3.4 Generic knowledge and skills of an audit team leader
7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
7.2.4 Achieving auditor competence
7.2.4.1 IS 7.2.4 Achieving auditor competence
7.2.5 Audit team leader
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence