ISO27k-aligned security awareness service
ISO/IEC 27007
Creative security awareness materials

Creative security awareness materials for your ISMS

Copyright © 2018 IsecT Ltd.

ISO/IEC 27007:2017 — Information technology — Security techniques — Guidelines for information security management systems auditing (second edition)


ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).

ISO/IEC 27007 draws heavily on ISO 19011, the standard for auditing management systems, providing additional ISMS-specific guidance.


The standard covers the ISMS-specific aspects of compliance auditing:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
  • Performing an ISMS MS audit (audit process - planning, conduct, key audit activities including fieldwork, analysis, reporting and follow-ups);
  • Managing ISMS auditors (competencies, skills, attributes, evaluation).

The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not terribly helpful explanatory comments. However the annex lays out in more detail specific audit tests concerning the organization’s compliance with the main body of ISO/IEC 27001.

Other guidelines for ISMS auditing

To audit the information security controls as opposed to the management system, see ISO/IEC 27008.

Status of the standard

The standard was first published on 2011 and revised in October 2017.

Personal comments

This standard concerns ISO27k compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization is fulfilling the obligations laid down in ISO/IEC 27001 in respect of its ISMS. There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! For a peek at the broader remit and different operating styles and techniques of IT auditors, see the IT Audit FAQ.


< Previous standard      ^ Up a level ^      Next standard >