ISO/IEC 27007


< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27007:2020 — Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing (third edition)



“This International Standard provides guidance on conducting information security management system (ISMS) audits, as well as guidance on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. It is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.”
[Source: SC27 Standing Document 11 (2021)]


ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors, external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the management system for compliance with the standard).

ISO/IEC 27007 draws heavily on ISO 19011, the standard for auditing management systems, providing additional ISMS-specific guidance.



The standard covers the ISMS-specific aspects of compliance auditing:

  • Managing the ISMS audit programme (determining what to audit, when and how; assigning appropriate auditors; managing audit risks; maintaining audit records; continuous process improvement);
  • Performing an ISMS audit (the audit process: planning, conduct, and key audit activities including fieldwork, analysis, reporting and follow-up);
  • Managing ISMS auditors (competencies, skills, attributes, evaluation).

The main body of the standard mostly advises on the application of ISO 19011 to the ISMS context, with a few not terribly helpful explanatory comments. However, the annex lays out in more detail specific audit tests concerning the organization’s compliance with the main body of ISO/IEC 27001.


Other guidelines for ISMS auditing

See ISO/IEC 27008 for advice on auditing information security controls.


Status of the standard

The standard was first published in 2011.

A second edition was published in 2017.

The current third edition was published in 2020, an update reflecting the 2018 release of ISO 19011.


Personal comments

This standard primarily concerns compliance auditing, a particular form of auditing with a very specific goal: to assess whether the audited organization’s ISMS is in conformity with (i.e. fulfills the requirements specified formally by) ISO/IEC 27001. It is focused on auditing for certification purposes.

There are many other types of audits with quite different goals. Please don’t make the mistake of assuming that all auditors are so-called “tick-and-bash” compliance auditors, or that all audits are compliance audits! ISMS internal audits, for instance, can usefully evaluate the organization’s business strategies, policies and practices relating to information and privacy risk management and governance with only incidental reference to the ISO27k or other standards.



Copyright © 2021 IsecT Ltd.