BS ISO/IEC 27007:2011 – Information technology – Security techniques – Guidelines for information security management systems auditing
The following are topics for consideration as audit criteria:
1) the auditee’s information security risk assessment methodology and risk assessment and treatment results, and that these address all relevant requirements;
2) the version of the Statement of Applicability, and its relation to the results of the risk assessment;
3) the effective implementation of controls to reduce risks;
4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004);
5) activities to monitor and review the ISMS processes and controls;
6) internal ISMS audits and management reviews and the organization’s corrective actions;
7) information about the adequacy of and compliance with the objectives, policies, and procedures adopted by the auditee; and
8) compliance with specific legal and contractual requirements and other requirements relevant to the auditee, and their information security implications.
The audit team should ensure that the scope and boundaries of the auditee's ISMS are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology, including details and justification of any exclusions from the scope. The audit team should confirm that the auditee addresses the requirements stated in Clause 1.2 of ISO/IEC 27001:2005 within the scope of the ISMS. Auditors should therefore ensure that the auditee's information security risk assessment and risk treatment properly reflect its activities and extend to the boundaries of the scope. Auditors should confirm that this is reflected in the Statement of Applicability. Auditors should also ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS and are included in the auditee's information security risk assessment. An example of such a situation is the sharing of facilities (e.g. IT systems, databases and telecommunication systems) with other organizations.
It is important to check that the risk assessment addresses all important assets in the ISMS scope and that the threat/vulnerability assessment for those assets is tailored to the organization rather than simply reusing pre-defined threat or vulnerability lists. It is also important to look for risks that are materially mis-stated or under-played, for example those where the corresponding controls are expensive or difficult to implement, or where the risks have been misunderstood. The auditor should confirm, by sampling, that all important assets listed in the asset inventory are included in the risk assessment, and should review samples of the risk-evaluated incident scenarios to assess whether they reflect the business needs and impacts appropriately. Availability of competent personnel is important for a well-functioning ISMS. The auditor should assess the evidence that the medium- and long-term risks associated with the loss of availability of personnel have been adequately evaluated by the organization, that the evaluation has been reviewed and kept up to date, and that appropriate information security controls have been implemented to increase the resilience of the organization against these losses.
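The sampling checks described above (inventory coverage of the risk assessment, reliance on generic threat lists, and the relation between the Statement of Applicability and the risk treatment results from item 2 of the audit criteria) can be made mechanical once the auditee's evidence is exported as tables. The script below is an added illustration, not part of ISO/IEC 27007 or any audit tool; the asset, risk, SoA records, control identifiers (`CTL-xx`), the importance scale and the generic threat catalogue are all constructed for the example.

```python
"""Consistency checks an auditor might run over exported ISMS evidence.

Added illustration with constructed data; field names, control ids and the
1..5 importance scale are hypothetical, not from ISO/IEC 27007 or 27001.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    importance: int  # constructed 1..5 scale; >= 4 is treated as "important"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset_id: str
    threat: str
    vulnerability: str
    controls: tuple  # control ids selected as the risk treatment


# Constructed stand-in for a generic, pre-defined threat catalogue.
GENERIC_THREATS = {"malware", "fire", "theft", "power failure"}

# Constructed sample evidence (asset inventory, risk register, SoA).
ASSETS = [
    Asset("A1", "customer database", 5),
    Asset("A2", "payroll server", 4),
    Asset("A3", "staff laptop pool", 3),
    Asset("A4", "telecom link shared with partner", 4),
]
RISKS = [
    Risk("R1", "A1", "injection via web front end", "unpatched web application", ("CTL-01", "CTL-02")),
    Risk("R2", "A2", "malware", "no endpoint protection", ("CTL-03",)),
    Risk("R3", "A3", "theft", "unencrypted disk", ("CTL-04",)),
]
# Statement of Applicability: control id -> declared applicable?
SOA = {"CTL-01": True, "CTL-02": True, "CTL-03": True, "CTL-04": False, "CTL-05": True}


def uncovered_important_assets(assets, risks, threshold=4):
    """Important inventory assets with no risk scenario at all: candidate scope gaps."""
    assessed = {r.asset_id for r in risks}
    return sorted(a.asset_id for a in assets
                  if a.importance >= threshold and a.asset_id not in assessed)


def untailored_risks(risks, generic=GENERIC_THREATS):
    """Risks whose threat is a verbatim catalogue entry.

    This is a prompt to probe whether the assessment was tailored, not proof
    that it was not; the auditor still reviews the scenario itself.
    """
    return sorted(r.risk_id for r in risks if r.threat.strip().lower() in generic)


def soa_inconsistencies(soa, risks):
    """Cross-check treatment plan and SoA in both directions.

    Returns (controls used as treatment but excluded in the SoA,
             controls declared applicable but referenced by no treatment).
    The second list is not necessarily an error (a control may be applicable
    for legal or contractual reasons) but each entry needs a justification.
    """
    used = {c for r in risks for c in r.controls}
    applied_but_excluded = sorted(c for c in used if not soa.get(c, False))
    applicable_but_unused = sorted(c for c, ok in soa.items() if ok and c not in used)
    return applied_but_excluded, applicable_but_unused


def run_checks(assets=ASSETS, risks=RISKS, soa=SOA):
    """Bundle the three checks into one findings dictionary."""
    excluded, unused = soa_inconsistencies(soa, risks)
    return {
        "uncovered_important_assets": uncovered_important_assets(assets, risks),
        "generic_threat_risks": untailored_risks(risks),
        "controls_applied_but_excluded_in_soa": excluded,
        "applicable_controls_without_treatment": unused,
    }


if __name__ == "__main__":
    for finding, items in run_checks().items():
        print(f"{finding}: {items}")
```

On the constructed data the shared telecom link (an interface that crosses the ISMS boundary, as discussed above) surfaces as an important asset with no risk scenario, two risks reuse catalogue threats verbatim, one treatment relies on a control the SoA excludes, and one applicable control has no treatment referencing it. Each finding is a lead for the auditor to follow with the auditee, not a conclusion on its own.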