ISO/IEC 27007:2020 provides guidelines for auditing an Information Security Management System (ISMS), complementing the general auditing guidance of ISO 19011 with information security-specific considerations. It is written primarily for internal and external auditors conducting ISMS audits, as well as for audit program managers and organizations that need to evaluate their own or their suppliers’ ISMS. The standard covers the complete audit lifecycle: audit program management, audit principles, auditor competence criteria, and detailed guidance on conducting audit activities. While ISO 19011 teaches the general discipline of management system auditing, ISO/IEC 27007 translates those principles into the specific language, risks, and practices of information security.
Where ISO 19011 teaches you “how to audit a management system,” ISO/IEC 27007 teaches you “how to audit an ISMS specifically.” It translates general audit concepts into the language and context of information security, addressing topics like auditing technical controls, evaluating security awareness, and assessing incident response capabilities.
1. Audit Program Management for ISMS
The standard emphasizes that auditing an ISMS requires a risk-based approach to audit program planning. Not all controls, processes, and departments need the same level of scrutiny in every audit cycle. The audit program should be dynamic, adapting to changes in the organization’s risk profile, operational environment, and security maturity. Key factors that should influence audit planning include:
| Factor | Impact on Audit Planning | Example Consideration |
| --- | --- | --- |
| Risk assessment results | Higher-risk areas receive more audit attention and sampling depth | Critical systems handling sensitive personal data vs. low-risk internal support systems |
| Previous audit findings | Areas with prior nonconformities require follow-up and verification of corrective actions | Verify that previously identified access control weaknesses have been remediated |
| Organizational changes | New or significantly changed processes warrant focused review | Post-merger integration of IT systems, migration to cloud infrastructure |
| Incident history | Recurring incident types or patterns indicate systemic issues needing investigation | Repeated phishing campaign successes may indicate gaps in security awareness training |
| Regulatory and contractual changes | New compliance obligations create new audit criteria that must be addressed | GDPR, CCPA, PIPL, or sector-specific regulations affecting information security requirements |
The audit program should be flexible enough to adapt to changing circumstances while maintaining sufficient rigor to provide assurance. ISO/IEC 27007 recommends establishing an audit program that spans at least the full certification cycle (3 years), with detailed planning for each individual audit and provision for unplanned audits when significant incidents or changes occur. The audit program manager should maintain a master schedule, allocate qualified auditors, and ensure that audit results are reviewed by management as input to the continual improvement process.
2. Conducting the ISMS Audit — Stage 1 and Stage 2
ISO/IEC 27007 follows the two-stage audit approach established in ISO 19011 and mandated by ISO/IEC 27006-1 for certification audits. Each stage has distinct objectives and activities:
- Stage 1 (Readiness Review): Evaluates whether the ISMS is sufficiently mature and ready for full assessment. Key activities include reviewing documented information (ISMS scope document, security policy, risk assessment methodology and results, Statement of Applicability), verifying that risk assessment and treatment processes are operational and have been applied to the defined scope, checking management’s awareness of legal and regulatory compliance obligations, and assessing whether internal audits and management reviews have been conducted and their findings addressed. Stage 1 is typically conducted on-site, though remote elements are increasingly accepted when justified by risk assessment and technological capabilities.
- Stage 2 (Full Assessment): Conducted after all Stage 1 findings and issues have been satisfactorily resolved. This stage tests the actual implementation, operational effectiveness, and continual improvement of the ISMS. Auditors sample objective evidence across all ISO/IEC 27001 clauses (4-10) and selected Annex A controls, interview personnel at various levels, observe processes in operation, and examine records and documented information. The output is a comprehensive audit report documenting findings (nonconformities, observations, and opportunities for improvement), audit conclusions regarding conformity and effectiveness, and the certification recommendation.
A common mistake during ISMS audits is focusing disproportionately on documentation review while neglecting substantive testing of control effectiveness. ISO/IEC 27007 reminds auditors that documentation proves intent and design, but observation, interview, and record review prove implementation and effectiveness. A well-written security policy that nobody follows results in a major nonconformity — the presence of documented information is not sufficient evidence of a functioning ISMS.
3. Auditor Competence and Professional Judgment
The standard dedicates significant attention to auditor competence, recognizing that the quality of an ISMS audit depends fundamentally on the knowledge, skills, and experience of the auditor. Beyond the general competence requirements of ISO 19011, ISMS auditors need specific competencies in several areas:
- Information security principles and concepts: Deep understanding of the CIA triad (confidentiality, integrity, availability), information security risk management terminology, security control categories (preventive, detective, corrective, deterrent, recovery), and the relationship between security controls and business processes.
- Technology awareness: Sufficient knowledge of network security architecture, cryptography (encryption algorithms, PKI, TLS), operating system hardening, application security (secure coding, OWASP Top 10), cloud security (shared responsibility model, IAM, data protection), and operational technology security to evaluate control implementation and identify potential weaknesses.
- Legal and regulatory knowledge: Awareness of applicable information security and data protection laws in the auditee’s jurisdiction, including breach notification requirements, cross-border data transfer restrictions, and sector-specific compliance obligations.
- Audit techniques in security context: Specialized skills for interviewing technical personnel, sampling security events and logs, evaluating security awareness through observation rather than self-reporting, and writing clear, actionable audit findings that distinguish between symptoms and root causes.
The best ISMS auditors combine deep technical security knowledge with strong audit discipline and professional skepticism. They know how to ask probing questions about configuration management without needing to personally review every firewall rule, how to assess security awareness through targeted interviews with non-IT staff rather than relying solely on training completion statistics, and how to distinguish between an isolated procedural lapse and a systemic control failure that requires management attention.
ISO/IEC 27007 also emphasizes the role of professional judgment. Auditors must evaluate the significance of individual findings in the context of the overall ISMS, distinguish between isolated non-serious issues and systemic failures that undermine the ISMS’s ability to achieve its objectives, and assess whether the overall ISMS is effectively implemented and maintained. This judgment is developed through experience under the guidance of senior auditors and is a critical factor in the competence evaluation processes required by ISO/IEC 27006-1.
4. Frequently Asked Questions
Q: Can ISO/IEC 27007 be used for internal audits, or is it only for external certification audits?
A: Yes, it applies to internal audits as well. Although the standard is often associated with external certification audits, it provides equally valuable guidance for internal auditors. Organizations should train their internal audit teams on ISO/IEC 27007 to ensure consistent, professional audit practices and to prepare effectively for external certification audits.
Q: What is the relationship between ISO/IEC 27007 and ISO 19011?
A: ISO/IEC 27007 is a sector-specific supplement to ISO 19011. ISO 19011 provides generic auditing guidance applicable to all management systems (quality, environmental, security, etc.). ISO/IEC 27007 adds information security-specific content, terminology, risk considerations, and technical audit guidance. The two standards should be used together.
Q: Does ISO/IEC 27007 cover auditing of controls only, or the full ISMS including management processes?
A: Both. The standard addresses auditing of the ISMS management system as a whole (Clauses 4-10: context, leadership, planning, support, operation, performance evaluation, improvement) as well as the specific security controls in Annex A of ISO/IEC 27001. A complete ISMS audit according to ISO/IEC 27007 covers both dimensions.
Q: How does ISO/IEC 27007 address remote auditing techniques?
A: While published in 2020 (before the pandemic-driven surge in remote auditing), the standard provides foundational principles applicable to remote audits, including secure information exchange protocols, remote interview techniques using videoconferencing, screen-sharing for evidence review, and technology-assisted collection and analysis of audit evidence. Subsequent supplementary guidance from ISO and accreditation bodies has further developed these provisions.