This articlemay rely excessively on sourcestoo closely associated with the subject, potentially preventing the article from beingverifiable andneutral. Please helpimprove it by replacing them with more appropriatecitations toreliable, independent sources.(September 2022) (Learn how and when to remove this message)

'ISO/IEC 27007' — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing is a standard providing guidance on:

• managing an information security management system (ISMS) audit programme;
• conducting audits; and
• the competence of ISMS auditors.

It builds upon the auditing guidance contained inISO 19011.

ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published in 2011, and revised in 2017 and 2020.

It is part of theISO/IEC 27000-series family of standards about information security management system (ISMS), which is a systematic approach to securing sensitive information,^[1] of ISO/IEC. It provides standards for a robust approach to managinginformation security and building resilience.^[2]

The standard is about^[3] how an information security management system audit can be performed based on a variety of audit criteria, separately or in combination, which include, among others:

• Requirements defined inISO/IEC 27001.
• Policies and requirements specified by relevant interested parties.
• Statutory and regulatory requirements.
• ISMS processes and controls defined by the organization or other parties.
• Management system plan(s) relating to the provision of specific outputs of an ISMS (e.g., plans to address risks and opportunities when establishing ISMS, plans to achieve information security objectives, risk treatment plans, project plans).

This standard is applicable to all types of organizations regardless of size and ISMS audits of varying scopes and scales, including those conducted by large audit teams, typically of larger organizations, and those by single auditors, whether in large or small organizations.

It concentrates on ISMS internal audits (first party) and ISMS audits conducted by organizations on their external providers and other external interested parties (second party). This document can also be useful for ISMS external audits conducted for purposes other than third party management system certification. ISO/IEC 27006 provides requirements for auditing ISMS for third party certification.

The terms and definitions given in this standard are defined within the standardISO/IEC 27000. The ISO/IEC 27007 standard is structured as follows:^[4]

• Principles of auditing
• Managing and audit programme
• Conducting an audit
• Competence and evaluation of auditors

In addition to that, it has 1 annex (A):

• Annex A - Guidance for ISMS auditing practice

• ISO Website

• Information assurance standards
• ISO/IEC 27000 family

• Articles lacking reliable references from September 2022
• All articles lacking reliable references