Reference number ISO/IEC 27007:2011(E)
© ISO/IEC 2011

INTERNATIONAL STANDARD ISO/IEC 27007
First edition 2011-11-15

Information technology - Security techniques - Guidelines for information security management systems auditing

(French title: Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'audit des systèmes de management de la sécurité de l'information)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.1.1 IS 5.1 General
5.2 Establishing the audit programme objectives
5.2.1 IS 5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
5.3.2 Competence of the person managing the audit programme
5.3.3 Determining the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 Identifying audit programme resources
5.4 Implementing the audit programme
5.4.1 General
5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 Selecting the audit methods
5.4.4 Selecting the audit team members
5.4.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 Managing the audit programme outcome
5.4.7 Managing and maintaining audit programme records
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme
6 Performing an audit
6.1 General
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
6.3.2 Preparing the audit plan
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents
6.4 Conducting the audit activities
6.4.1 General
6.4.2 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Assigning roles and responsibilities of guides and observers
6.4.6 Collecting and verifying information
6.4.7 Generating audit findings
6.4.8 Preparing audit conclusions
6.4.9 Conducting the closing meeting
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.4 Achieving auditor competence
7.2.5 Audit team leader
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Annex A (informative) Practice Guidance for ISMS Auditing
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27007 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction

This International Standard provides guidance on the management of an information security management system (ISMS) audit programme and the conduct of the internal or external audits in accordance with ISO/IEC 27001:2005, as well as guidance on the competence and evaluation of ISMS auditors, which should be used in conjunction with the guidance contained in ISO 19011.

This International Standard does not state requirements.

This guidance is intended for all users, including small and medium sized organizations.

ISO 19011, Guidelines for auditing management systems, provides guidance on the management of audit programmes, the conduct of internal or external audits of management systems, as well as on the competence and evaluation of management system auditors.

The text in this International Standard follows the structure of ISO 19011, and the additional ISMS-specific guidance on the application of ISO 19011 for ISMS audits is identified by the letters “IS”.

1 Scope

This International Standard provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.

This International Standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 19011:2011, Guidelines for auditing management systems

ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements

ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/IEC 27000 apply.

4 Principles of auditing

The principles of auditing from ISO 19011:2011, Clause 4, apply.

5 Managing an audit programme

5.1 General

The guidelines from ISO 19011:2011, Clause 5.1, apply. In addition, the following ISMS-specific guidance applies.

5.1.1 IS 5.1 General

The ISMS audit 1) programme should be developed based on the auditee's information security risk situation.

1) For the purpose of this document, whenever the term “audit” is used this refers to ISMS audits.

5.2 Establishing the audit programme objectives

The guidelines from ISO 19011:2011, Clause 5.2, apply. In addition, the following ISMS-specific guidance applies.

5.2.1 IS 5.2 Establishing the audit programme objectives

Objectives for audit programme(s) should be established to direct the planning and conduct of audits and to ensure that the audit programme is implemented effectively. These objectives can be dependent on:

a) identified information security requirements;
b) requirements from ISO/IEC 27001;
c) the auditee's level of performance, as reflected in the occurrence of information security failures, incidents and effectiveness measurements; and
d) information security risks to the organization being audited.

Examples of audit programme objectives may include the following:

1) verification of conformity with the identified legal and contractual requirements and other requirements and their security implications;
2) obtaining and maintaining confidence in the risk management capability of an auditee.

5.3 Establishing the audit programme

5.3.1 Role and responsibilities of the person managing the audit programme

The guidelines from ISO 19011:2011, Clause 5.3.1, apply.

5.3.2 Competence of the person managing the audit programme

The guidelines from ISO 19011:2011, Clause 5.3.2, apply.

5.3.3 Determining the extent of the audit programme

The guidelines from ISO 19011:2011, Clause 5.3.3, apply. In addition, the following ISMS-specific guidance applies.

5.3.3.1 IS 5.3.3 Determining the extent of the audit programme

The extent of an audit programme can vary. Factors that can influence the extent of the audit programme are:

a) the size of the ISMS, including
   1. the total number of personnel working at each location and relationships with third-party contractors working regularly at the location to be audited;
   2. the number of information systems;
   3. the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities);
c) the significance of the information security risks identified for the ISMS;
d) the importance of information and related assets within the scope of the ISMS;
e) the complexity of the information systems to be audited on site, including complexity of information technology deployed;
f) whether there are many similar sites; and
g) the variations in ISMS complexity across the sites in scope.

Consideration should be given in the audit programme to setting priorities based on information security risks and business requirements in respect of the ISMS areas that warrant more detailed examination.

Further information about multi-site sampling can be found in ISO/IEC 27006:2007 and IAF MD 1:2007 (see Bibliography), noting that the information in these documents relates only to certification audits.

5.3.4 Identifying and evaluating audit programme risks

The guidelines from ISO 19011:2011, Clause 5.3.4, apply.

5.3.5 Establishing procedures for the audit programme

The guidelines from ISO 19011:2011, Clause 5.3.5, apply.

5.3.6 Identifying audit programme resources

The guidelines from ISO 19011:2011, Clause 5.3.6, apply. In addition, the following ISMS-specific guidance applies.

5.3.6.1 IS 5.3.6 Identifying audit programme resources

In particular, for all significant risks applicable to the auditee, auditors should be allocated sufficient time to verify the effectiveness of the corresponding risk mitigation action.

5.4 Implementing the audit programme

5.4.1 General

The guidelines from ISO 19011:2011, Clause 5.4.1, apply. In addition, the following ISMS-specific guidance applies.

5.4.1.1 IS 5.4.1 General

Where applicable, confidentiality requirements of auditees and other relevant parties, including possible legal and contractual requirements, should be addressed in the implementation of an audit programme.

5.4.2 Defining the objectives, scope and criteria for an individual audit

The guidelines from ISO 19011:2011, Clause 5.4.2, apply. In addition, the following ISMS-specific guidance applies.

5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit

The audit scope should reflect the auditee's information security risks, relevant business requirements and business risks.

The audit objectives may in addition include the following:

a) evaluation of whether the ISMS adequately identifies and addresses information security requirements;
b) evaluation of the continual suitability of the ISMS objectives defined by management; and
c) evaluation of the processes for the maintenance and effective improvement of the ISMS.

Practical help - Examples of audit criteria

The following are topics for consideration as audit criteria:

1) the auditee's information security risk assessment methodology and risk assessment and treatment results, and that these address all relevant requirements;
2) the version of the Statement of Applicability, and its relation to the results of the risk assessment;
3) the effective implementation of controls to reduce risks;
4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004);
5) activities to monitor and review the ISMS processes and controls;
6) internal ISMS audits and management reviews and the organization's corrective actions;
7) information about the adequacy of and compliance with the objectives, policies, and procedures adopted by the auditee; and
8) compliance with specific legal and contractual requirements and other requirements relevant to the auditee, and their information security implications.

The audit team should ensure that the scope and boundaries of the ISMS of the auditee are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology, including details and justification of any exclusion from scope. The audit team should confirm that the auditee addresses the requirements stated in Clause 1.2 of ISO/IEC 27001:2005 within the scope of the ISMS. Auditors should therefore ensure that the auditee's information security risk assessment and risk treatment properly reflect its activities and extend to the boundaries of the scope. Auditors should confirm that this is reflected in the Statement of Applicability.

Auditors should also ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS and are included in the auditee's information security risk assessment. An example of such a situation is the sha