Understanding CAN CSA ISO IEC TR 27008-13 (2017): A Guide for Auditors on Information Security Control Assessment

Insights into the Canadian Adoption of the International Technical Report for Auditing ISMS Controls

The CAN CSA ISO IEC TR 27008-13 (2017) is the Canadian adoption of the international technical report ISO/IEC TR 27008. This standard provides comprehensive guidelines for auditors evaluating the implementation and effectiveness of information security controls within an Information Security Management System (ISMS) conforming to ISO/IEC 27001. It bridges the gap between the high-level audit requirements of ISO/IEC 27001 and the detailed, control-specific verification activities needed for a thorough assessment. This article explores the scope, technical requirements, implementation considerations, and compliance aspects of this essential auditing reference.

Scope and Purpose

The primary scope of CAN CSA ISO IEC TR 27008-13 (2017) is to assist auditors—both internal and external—in planning, conducting, and reporting on audits of ISMS controls. The standard covers all 14 domains and 35 control categories from Annex A of ISO/IEC 27001:2013, providing structured guidance on how to verify the existence, adequacy, and operational effectiveness of each control. It is designed to be used alongside ISO/IEC 27001, ISO/IEC 27002, and relevant audit management standards such as ISO 19011. The aim is to promote consistency and depth in audit work, ensuring that all critical aspects of information security are examined.

Technical Requirements and Structure

The technical report is organized to facilitate a systematic audit approach. For every control in ISO/IEC 27001 Annex A, it describes:

  • The control objective and the specific control statement.
  • Guidance on verifying the control’s existence (design), implementation (deployment), and effectiveness (operation).
  • Typical evidence to collect (e.g., policies, procedures, logs, reports).
  • Potential nonconformities, observations, and findings to consider.

The following table summarizes the key audit focus areas for each control domain according to CAN CSA ISO IEC TR 27008-13 (2017).

| Control Domain (ISO/IEC 27001:2013) | Key Audit Focus Areas |
| --- | --- |
| Information Security Policies | Policy review and approval process; communication and awareness; periodic review and updates. |
| Organization of Information Security | Internal organizational structure and responsibilities; external party agreements; project lifecycle security. |
| Human Resource Security | Background checks and screening; terms of employment; training and awareness; disciplinary process. |
| Asset Management | Asset inventory and ownership; information classification and handling; media disposal and reuse. |
| Access Control | Access control policy; user access provisioning and reviews; privileged access management; authentication methods. |
| Cryptography | Cryptographic policy and use; key management lifecycle; algorithms and key strength. |
| Physical and Environmental Security | Secure perimeters and entry controls; equipment location and maintenance; power and environmental protection. |
| Operations Security | Procedures and operational documentation; malware defense; backup management; logging and monitoring; vulnerability management. |
| Communications Security | Network segregation; information transfer policies; use of external services and cloud. |
| System Acquisition, Development, and IS Lifecycle | Security requirements specification; secure development lifecycle; testing and acceptance; change management. |
| Supplier Relationships | Supplier security policy; due diligence; monitoring of service delivery; contractual security clauses. |
| Information Security Incident Management | Incident response roles; reporting mechanisms; response and recovery; lessons learned. |
| Information Security Aspects of Business Continuity Management | BCM integration; redundancy and resilience; testing and maintenance. |
| Compliance | Legal and regulatory compliance; intellectual property protection; records management; personal data protection; internal and external audits. |

Implementation Highlights

Organizations that adopt the guidelines of CAN CSA ISO IEC TR 27008-13 (2017) can significantly improve the quality and consistency of their information security audits. The standard serves as a reference for developing audit checklists, training audit teams, and ensuring that no critical control aspect is overlooked.

Tip: Customize the generic audit guidance in TR 27008-13 to match your organization’s specific industry, regulatory environment, and risk profile. This tailored approach yields more relevant and actionable audit results.
Caution: Do not treat this technical report as a rigid checklist. Professional judgment, auditing experience, and adaptability are essential. The report is intended as guidance, not a mandatory set of auditable requirements.
Benefit: Applying the structured methodology of CAN CSA ISO IEC TR 27008-13 (2017) enhances audit reproducibility and credibility. It provides clear evidence for certifications and helps identify control weaknesses before they lead to incidents.
Risk: Neglecting the detailed audit considerations in this technical report can lead to superficial audits that miss critical control deficiencies. This increases the likelihood of security breaches and potential non-compliance with ISO/IEC 27001 certification requirements.

When integrating the standard into existing audit programs, consider aligning the audit procedures with the process approach of ISO 19011 (audit management) and ISO/IEC 27006 (certification body requirements). Regular training on the technical report’s content ensures that audit teams remain competent and up-to-date.

Compliance Notes

While CAN CSA ISO IEC TR 27008-13 (2017) is not a mandatory standard for ISO/IEC 27001 certification, it is widely recognized as a best practice for performing rigorous and thorough ISMS control audits. Certification bodies and accreditation organizations often expect auditors to be familiar with its guidance. In Canada, the CSA adoption ensures that the standard considers national regulatory nuances, making it particularly valuable for organizations operating within the Canadian legal framework.

This edition (2017) replaced any previous Canadian adoptions of ISO/IEC TR 27008 and remains aligned with ISO/IEC 27001:2013. Note that as of 2026, developments in the ISO 27001 landscape (including the 2022 version) have prompted updates to the international technical report. Organizations should monitor for a potential updated CSA adoption that reflects these newer requirements.

Frequently Asked Questions

Q: What is the relationship between CAN CSA ISO IEC TR 27008-13 (2017) and ISO/IEC 27001?
A: ISO/IEC 27001 specifies the requirements for an ISMS and its controls. TR 27008 provides detailed guidance on how to audit those controls effectively. It is a complementary reference for auditors.
Q: Is this standard only applicable in Canada?
A: The underlying international report, ISO/IEC TR 27008, is used globally. The CAN CSA prefix indicates it is the Canadian adoption, which may include national deviations or contextual notes relevant to Canadian organizations.
Q: Can small and medium-sized enterprises (SMEs) benefit from this standard?
A: Yes. The principles and guidance are scalable. SMEs can apply the audit considerations in a risk-based manner, focusing on the controls that matter most for their operations and risk appetite.

© 2026 — International Standards Documentation
