Information technology - Security techniques - Guidelines for information security management systems auditing

ISO/IEC 27007 provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011. ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.


General Information

Status: Withdrawn
Publication Date: 11-Oct-2017
Withdrawal Date: 11-Oct-2017
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 21-Jan-2020
Completion Date: 30-Oct-2025

Relations

Standard: ISO/IEC 27007:2018, English language, 47 pages

Frequently Asked Questions

ISO/IEC 27007:2017 is an International Standard published jointly by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) and prepared by ISO/IEC JTC 1/SC 27. Its full title is "Information technology - Security techniques - Guidelines for information security management systems auditing". It provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, supplementing the guidance in ISO 19011:2011, and it is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

ISO/IEC 27007:2017 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 03.120.20 - Product and company certification. Conformity assessment; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC 27007:2017 has the following relationships with other standards: it is linked to ISO/IEC 27007:2011, the first edition, which it cancelled and replaced, and to ISO/IEC 27007:2020, the edition that followed it. Checking these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)


SLOVENIAN STANDARD
1 September 2018
Replaces:
SIST ISO/IEC 27007:2015
Information technology - Security techniques - Guidelines for information security management systems auditing
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'audit des systèmes de management de la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27007:2017
ICS:
03.100.70 Management systems
35.030 IT Security
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

INTERNATIONAL STANDARD ISO/IEC 27007
Second edition
2017-10
Information technology — Security techniques — Guidelines for information security management systems auditing
Technologies de l'information — Techniques de sécurité — Lignes directrices pour l'audit des systèmes de management de la sécurité de l'information
Reference number ISO/IEC 27007:2017(E)
© ISO/IEC 2017
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles of auditing
5 Managing an audit programme
5.1 General
5.1.1 IS 5.1 General
5.2 Establishing the audit programme objectives
5.2.1 IS 5.2 Establishing the audit programme objectives
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
5.3.2 Competence of the person managing the audit programme
5.3.3 Establishing the extent of the audit programme
5.3.4 Identifying and evaluating audit programme risks
5.3.5 Establishing procedures for the audit programme
5.3.6 Identifying audit programme resources
5.4 Implementing the audit programme
5.4.1 General
5.4.2 Defining the objectives, scope and criteria for an individual audit
5.4.3 Selecting the audit methods
5.4.4 Selecting the audit team members
5.4.5 Assigning responsibility for an individual audit to the audit team leader
5.4.6 Managing the audit programme outcome
5.4.7 Managing and maintaining audit programme records
5.5 Monitoring the audit programme
5.6 Reviewing and improving the audit programme
6 Performing an audit
6.1 General
6.2 Initiating the audit
6.2.1 General
6.2.2 Establishing initial contact with the auditee
6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
6.3.2 Preparing the audit plan
6.3.3 Assigning work to the audit team
6.3.4 Preparing work documents
6.4 Conducting the audit activities
6.4.1 General
6.4.2 Conducting the opening meeting
6.4.3 Performing document review while conducting the audit
6.4.4 Communicating during the audit
6.4.5 Assigning roles and responsibilities of guides and observers
6.4.6 Collecting and verifying information
6.4.7 Generating audit findings
6.4.8 Preparing audit conclusions
6.4.9 Conducting the closing meeting
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.2 Personal behaviour
7.2.3 Knowledge and skills
7.2.4 Achieving auditor competence
7.2.5 Audit team leader
7.3 Establishing the auditor evaluation criteria
7.4 Selecting the appropriate auditor evaluation method
7.5 Conducting auditor evaluation
7.6 Maintaining and improving auditor competence
Annex A (informative) Guidance for ISMS auditing practice
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27007:2011), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— Annex A has been completely reworked to align to ISO/IEC 27001:2013;
— the main part of this document has been aligned with ISO/IEC 27001:2013.

Introduction
This document provides guidance on:
a) the management of an information security management system (ISMS) audit programme;
b) the conduct of internal and external ISMS audits in accordance with ISO/IEC 27001;
c) the competence and evaluation of ISMS auditors.
This document should be used in conjunction with the guidance contained in ISO 19011:2011.
This document follows the structure of ISO 19011:2011. Additional ISMS-specific guidance on the
application of ISO 19011:2011 for ISMS audits is identified by the letters “IS”.
ISO 19011:2011 provides guidance on the management of audit programmes, the conduct of internal or
external audits of management systems, as well as on the competence and evaluation of management
system auditors.
NOTE For accredited certification, auditor requirements are given in ISO/IEC 27006.
This document does not state requirements and is intended for all users, including small and medium-
sized organizations.

INTERNATIONAL STANDARD ISO/IEC 27007:2017(E)
Information technology — Security techniques —
Guidelines for information security management systems
auditing
1 Scope
This document provides guidance on managing an information security management system (ISMS)
audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the
guidance contained in ISO 19011:2011.
This document is applicable to those needing to understand or conduct internal or external audits of an
ISMS or to manage an ISMS audit programme.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19011:2011, Guidelines for auditing management systems
ISO/IEC 27000:2016, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011:2011 and
ISO/IEC 27000 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Principles of auditing
The principles of auditing of ISO 19011:2011, Clause 4 apply.
5 Managing an audit programme
5.1 General
The guidelines of ISO 19011:2011, 5.1 apply. In addition, the following guidance applies.

5.1.1 IS 5.1 General
An organization needing to conduct audits 1) should establish the audit programme, taking account of the risks and opportunities determined when planning the ISMS.
1) For the purpose of this document, the term "audit" refers to ISMS audits.
5.2 Establishing the audit programme objectives
The guidelines of ISO 19011:2011, 5.2 apply. In addition, the following guidance applies.
5.2.1 IS 5.2 Establishing the audit programme objectives
ISMS-specific considerations for determining audit programme objectives can include:
a) identified information security requirements;
b) requirements of ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security events and
incidents and effectiveness of the ISMS;
NOTE Further information about performance monitoring, measurement, analysis and evaluation can
be found in ISO/IEC 27004.
d) risks and opportunities determined when planning the ISMS of the auditee;
e) information security risks to the relevant parties, i.e. the auditee and audit client.
Examples of ISMS-specific audit programme objectives include:
— verification of conformity with the relevant legal and contractual requirements and other
requirements and their security implications;
— obtaining and maintaining confidence in the risk management capability of the auditee;
— evaluating the effectiveness of the actions to address information security risks and opportunities.
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
The guidelines of ISO 19011:2011, 5.3.1 apply.
5.3.2 Competence of the person managing the audit programme
The guidelines of ISO 19011:2011, 5.3.2 apply.
5.3.3 Establishing the extent of the audit programme
The guidelines of ISO 19011:2011, 5.3.3 apply. In addition, the following guidance applies.
5.3.3.1 IS 5.3.3 Establishing the extent of the audit programme
The extent of an audit programme can vary and can be influenced by the following factors:
a) the size of the ISMS, including:
1) the total number of persons doing work under the organization's control and relationships with interested parties and contractors that are relevant to the ISMS;
2) the number of information systems;
3) the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities) taking
into account differences between sites within the ISMS scope;
c) the significance of the information security risks identified for the ISMS in relation to the business;
d) the significance of the risks and opportunities determined when planning the ISMS;
e) the importance of preserving the confidentiality, integrity and availability of information within
the scope of the ISMS;
f) the complexity of the information systems to be audited, including complexity of information
technology deployed;
g) the number of similar sites.
Consideration should be given in the audit programme to setting priorities that warrant more detailed
examination based on the significance of information security risks and business requirements in
respect to the scope of the ISMS.
NOTE Further information about determining audit time can be found in ISO/IEC 27006. Further information
on multi-site sampling can be found in ISO/IEC 27006 and mandatory document 1 from the International
Accreditation Forum (IAF MD1, see Reference [12]). The information contained in ISO/IEC 27006 and IAF MD 1
only relates to certification audits.
5.3.4 Identifying and evaluating audit programme risks
The guidelines of ISO 19011:2011, 5.3.4 apply. In addition, the following guidance applies.
5.3.4.1 IS 5.3.4 Identifying and evaluating audit programme risks
Audit programme risks can be additionally associated with risks related to confidentiality requirements.
5.3.5 Establishing procedures for the audit programme
The guidelines of ISO 19011:2011, 5.3.5 apply. In addition, the following guidance applies.
5.3.5.1 IS 5.3.5 Establishing procedures for the audit programme
Measures to ensure information security and confidentiality should be determined considering
auditees and other relevant party requirements. Other party requirements can include relevant legal
and contractual requirements.
5.3.6 Identifying audit programme resources
The guidelines of ISO 19011:2011, 5.3.6 apply. In addition, the following guidance applies.
5.3.6.1 IS 5.3.6 Identifying audit programme resources
In particular, for all significant risks applicable to the auditee and relevant to the audit programme
objectives, ISMS auditors should be allocated sufficient time to review the effectiveness of the actions
to address information security risks and ISMS related risks and opportunities.

5.4 Implementing the audit programme
5.4.1 General
The guidelines of ISO 19011:2011, 5.4.1 apply.
5.4.2 Defining the objectives, scope and criteria for an individual audit
The guidelines of ISO 19011:2011, 5.4.2 apply. In addition, the following guidance applies.
5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit
The audit objectives can include the following:
a) evaluation of whether the ISMS adequately identifies and addresses information security
requirements;
b) evaluation of the processes for the maintenance and effective improvement of the ISMS;
c) determination of the extent of conformity of information security controls with the requirements
and procedures of the ISMS.
The audit scope should take into account information security risks and relevant risks and opportunities
affecting the ISMS of relevant parties, i.e. the audit client and the auditee.
If the ISMS is in the scope of the audit, the audit team should verify that the scope and boundaries of the auditee's ISMS are clearly defined based on internal and external issues and on the needs and expectations of interested parties. The audit team should confirm that the auditee addresses the requirements stated in ISO/IEC 27001:2013, 4.3 within the scope of the ISMS, as relevant to the audit scope.
The following topics can be considered as audit criteria and used as a reference against which
conformity is determined:
a) the information security policy, information security objectives, policies and procedures adopted
by the auditee;
b) legal and contractual requirements and other requirements relevant to the auditee;
c) the auditee's information security risk criteria, information security risk assessment process and
risk treatment process;
d) the Statement of Applicability, the identification of any sector-specific or other necessary controls,
justification for inclusions, whether they are implemented or not and the justification for exclusions
of controls of ISO/IEC 27001:2013, Annex A;
e) the definition of controls to treat risks appropriately;
f) the methods and criteria for monitoring, measurement, analysis and evaluation of the information
security performance and the effectiveness of the ISMS;
g) information security requirements provided by a customer;
h) information security requirements applied by a supplier or outsourcer.
5.4.3 Selecting the audit methods
The guidelines of ISO 19011:2011, 5.4.3 apply. In addition, the following guidance applies.

5.4.3.1 IS 5.4.3 Selecting the audit methods
If a joint audit is conducted, particular attention should be paid to the disclosure of information between
the relevant parties. Agreement on this should be reached with all interested parties before the audit
commences.
5.4.4 Selecting the audit team members
The guidelines of ISO 19011:2011, 5.4.4 apply. In addition, the following guidance applies.
5.4.4.1 IS 5.4.4 Selecting the audit team members
The competence of the overall audit team should include adequate knowledge and understanding of:
a) information security risk management sufficient to evaluate the methods used by the auditee;
b) information security and information security management sufficient to evaluate control
determination, planning, implementation, maintenance and effectiveness of the ISMS.
5.4.5 Assigning responsibility for an individual audit to the audit team leader
The guidelines of ISO 19011:2011, 5.4.5 apply.
5.4.6 Managing the audit programme outcome
The guidelines of ISO 19011:2011, 5.4.6 apply.
5.4.7 Managing and maintaining audit programme records
The guidelines of ISO 19011:2011, 5.4.7 apply.
5.5 Monitoring the audit programme
The guidelines of ISO 19011:2011, 5.5 apply.
5.6 Reviewing and improving the audit programme
The guidelines of ISO 19011:2011, 5.6 apply.
6 Performing an audit
6.1 General
The guidelines of ISO 19011:2011, 6.1 apply.
6.2 Initiating the audit
6.2.1 General
The guidelines of ISO 19011:2011, 6.2.1 apply.
6.2.2 Establishing initial contact with the auditee
The guidelines of ISO 19011:2011, 6.2.2 apply. In addition, the following guidance applies.

6.2.2.1 IS 6.2.2 Establishing initial contact with the auditee
Where necessary, care should be taken to ensure that the auditors have obtained the necessary
security clearance to access documented information or other information required for audit activities
(including but not limited to confidential or sensitive information).
6.2.3 Determining the feasibility of the audit
The guidelines of ISO 19011:2011, 6.2.3 apply. In addition, the following guidance applies.
6.2.3.1 IS 6.2.3 Determining the feasibility of the audit
Before the audit commences, the auditee should be asked whether any ISMS audit evidence is unavailable
for review by the audit team, e.g. because the evidence contains personally identifiable information or
other confidential/sensitive information. The person responsible for managing the audit programme
should determine whether the ISMS can be adequately audited in the absence of audit evidence. If the
conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified audit
evidence, the person responsible for managing the audit programme should advise the auditee that
the audit cannot take place until appropriate access arrangements are granted or alternative means to
achieve the audit have been proposed to or by the auditee. If the audit proceeds, the audit plan should
take into account any access limitations.
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
The guidelines of ISO 19011:2011, 6.3.1 apply.
6.3.2 Preparing the audit plan
The guidelines of ISO 19011:2011, 6.3.2 apply. In addition, the following guidance applies.
6.3.2.1 IS 6.3.2 Preparing the audit plan
The audit team leader should be aware that risks to the auditee can result from the presence of the
audit team members. The audit team’s presence can influence information security and present a
source of additional risk to the auditee’s information, e.g. confidential or sensitive records or system
infrastructure (e.g. accidental erasure, unauthorized disclosure of information, unintended alteration
of information).
6.3.3 Assigning work to the audit team
The guidelines of ISO 19011:2011, 6.3.3 apply.
6.3.4 Preparing work documents
The guidelines of ISO 19011:2011, 6.3.4 apply. In addition, the following guidance applies.
6.3.4.1 IS 6.3.4 Preparing work documents
The audit team leader should ensure all audit work documents are classified appropriately and handled
in accordance with that classification.

6.4 Conducting the audit activities
6.4.1 General
The guidelines of ISO 19011:2011, 6.4.1 apply.
6.4.2 Conducting the opening meeting
The guidelines of ISO 19011:2011, 6.4.2 apply.
6.4.3 Performing document review while conducting the audit
The guidelines of ISO 19011:2011, 6.4.3 apply. In addition, the following guidance applies.
6.4.3.1 IS 6.4.3 Performing document review while conducting the audit
ISMS auditors should verify that documented information as required by the audit criteria and relevant
to the audit scope exists and conforms to the audit criteria requirements.
ISMS auditors should confirm that the determined controls within the scope of the audit are related to
the results of the risk assessment and risk treatment process and can subsequently be traced back to
the information security policy and objectives.
NOTE Annex A provides guidance for ISMS auditing practice, including how to audit the ISMS using relevant
documented information.
6.4.4 Communicating during the audit
The guidelines of ISO 19011:2011, 6.4.4 apply.
6.4.5 Assigning roles and responsibilities of guides and observers
The guidelines of ISO 19011:2011, 6.4.5 apply.
6.4.6 Collecting and verifying information
The guidelines of ISO 19011:2011, 6.4.6 apply. In addition, the following guidance applies.
6.4.6.1 IS 6.4.6 Collecting and verifying information
Possible methods to collect relevant information during the audit include:
a) review of documented information (including computer logs and configuration data);
b) visit of information processing facilities;
c) observation of ISMS processes and related controls;
d) use of automated audit tools.
NOTE 1 Annex A provides guidance on how to audit the ISMS processes.
NOTE 2 ISO/IEC/PDTS 27008 2) provides additional guidance on how to assess information security controls.
ISMS audit team members should ensure appropriate handling of all information received from auditees in accordance with the agreement among the audit client, audit team and the auditee.
2) Under preparation. Stage at the time of publication: ISO/IEC PDTS 27008:2017.
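The traceability check in 6.4.3.1 (controls relate to the risk assessment and treatment results and trace back to the policy and objectives), the "review of documented information" and "automated audit tools" methods in 6.4.6.1, and the Statement of Applicability criteria in 5.4.2.1 d) can be partly mechanised when the auditee's risk register and SoA are available in structured form. The script below is an added example and is not part of ISO/IEC 27007 or ISO/IEC 27001; the risk register, SoA and objective list are constructed sample data for a hypothetical organisation in a made-up structure (real ISMS documentation will need its own loader), and the ISO/IEC 27001:2013 Annex A numbers are used only as control identifiers. It cross-checks the three sources and returns, per finding type, the items an auditor would raise with the auditee.

```python
"""Traceability check an ISMS auditor can run over documented information.

Added example; not part of ISO/IEC 27007 or ISO/IEC 27001. The risk
register, Statement of Applicability (SoA) and objective list are
constructed sample data for a hypothetical organisation; the
ISO/IEC 27001:2013 Annex A numbers serve only as control identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str        # risk treatment option, e.g. "modify" or "retain"
    controls: List[str]   # controls the risk treatment plan relies on
    objective: str        # information security objective the risk threatens


@dataclass
class SoaEntry:
    applicable: bool      # included in the SoA?
    implemented: bool     # implemented or not (ISO/IEC 27001:2013, 6.1.3 d))
    justification: str    # justification for inclusion or exclusion


OBJ_CONF = "OBJ-1 Protect the confidentiality of customer data"
OBJ_AVAIL = "OBJ-2 Keep production services available"
OBJECTIVES: Set[str] = {OBJ_CONF, OBJ_AVAIL}   # objectives stated in the (constructed) policy

# Constructed risk register. R-03 cites a control absent from the SoA;
# R-04 cites an objective the policy never states.
RISK_REGISTER: List[Risk] = [
    Risk("R-01", "Privileged account misuse", "modify", ["A.9.2.3", "A.12.4.1"], OBJ_CONF),
    Risk("R-02", "Intrusion from the internet", "modify", ["A.13.1.1"], OBJ_AVAIL),
    Risk("R-03", "Theft of unattended laptops", "modify", ["A.11.2.6"], OBJ_CONF),
    Risk("R-04", "Single-supplier dependency", "retain", [], "OBJ-3 Reduce hosting cost"),
]

# Constructed SoA. A.13.1.1 is excluded although R-02 relies on it;
# A.14.2.1 has no justification; A.12.4.1 is applicable but not implemented.
SOA: Dict[str, SoaEntry] = {
    "A.5.1.1": SoaEntry(True, True, "Baseline policy control"),
    "A.9.2.3": SoaEntry(True, True, "Treats R-01"),
    "A.12.4.1": SoaEntry(True, False, "Treats R-01; log collection rollout in progress"),
    "A.13.1.1": SoaEntry(False, False, "Network operated by external provider"),
    "A.14.2.1": SoaEntry(True, True, ""),
}

FINDING_TYPES = (
    "control_not_in_soa",               # treatment plan cites a control the SoA does not define
    "risk_relies_on_excluded_control",  # treatment plan cites a control marked not applicable
    "risk_without_stated_objective",    # risk cannot be traced to a policy objective
    "soa_missing_justification",        # SoA entry lacks the required justification
    "applicable_control_without_risk",  # included control not linked to any assessed risk
    "applicable_not_implemented",       # included control still not implemented
)


def trace(risks: List[Risk], soa: Dict[str, SoaEntry], objectives: Set[str]) -> Dict[str, list]:
    """Cross-check register, SoA and objectives; return findings keyed by type.

    Each list holds evidence for a potential finding. An applicable control
    with no linked risk is not automatically a nonconformity (baseline
    controls are common), but the auditor should ask for its justification.
    """
    findings: Dict[str, list] = {t: [] for t in FINDING_TYPES}
    referenced: Dict[str, List[str]] = {}   # control id -> risks relying on it
    for r in risks:
        for c in r.controls:
            referenced.setdefault(c, []).append(r.risk_id)
            if c not in soa:
                findings["control_not_in_soa"].append((r.risk_id, c))
            elif not soa[c].applicable:
                findings["risk_relies_on_excluded_control"].append((r.risk_id, c))
        if r.objective not in objectives:
            findings["risk_without_stated_objective"].append(r.risk_id)
    for cid, entry in soa.items():
        if not entry.justification.strip():
            findings["soa_missing_justification"].append(cid)
        if entry.applicable and cid not in referenced:
            findings["applicable_control_without_risk"].append(cid)
        if entry.applicable and not entry.implemented:
            findings["applicable_not_implemented"].append(cid)
    return findings


def finding_count(findings: Dict[str, list]) -> int:
    """Total number of items across all finding types."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = trace(RISK_REGISTER, SOA, OBJECTIVES)
    for kind, items in result.items():
        print(f"{kind}: {items if items else 'none'}")
    print(f"{finding_count(result)} items to raise with the auditee")
```

The output is evidence to verify with the auditee, not a finding in itself: an unreferenced baseline control may be justified, and an unimplemented control may be on an agreed treatment plan with a due date. The script only tells the audit team where to sample.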

6.4.7 Generating audit findings
The guidelines of ISO 19011:2011, 6.4.7 apply.
6.4.8 Preparing audit conclusions
The guidelines of ISO 19011:2011, 6.4.8 apply.
6.4.9 Conducting the closing meeting
The guidelines of ISO 19011:2011, 6.4.9 apply.
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
The guidelines of ISO 19011:2011, 6.5.1 apply. In addition, the following guidance applies.
6.5.1.1 IS 6.5.1 Preparing the audit report
If any audit evidence is not available to the audit team during the audit for reasons of classification
or sensitivity, the lead auditor should determine the extent to which this affects the confidence in the
audit findings and conclusion, and reflect on it in the audit report without compromising the sensitivity
of the evidence that was not available.
6.5.2 Distributing the audit report
The guidelines of ISO 19011:2011, 6.5.2 apply. In addition, the following guidance applies.
6.5.2.1 IS 6.5.2 Distributing the audit report
When distributing the audit report, appropriate measures to ensure the report's confidentiality should be applied.
NOTE When using electronic means for distribution, appropriate encryption of the audit report is a possible
measure.
6.6 Completing the audit
The guidelines of ISO 19011:2011, 6.6 apply.
6.7 Conducting audit follow-up
The guidelines of ISO 19011:2011, 6.7 apply.
7 Competence and evaluation of auditors
7.1 General
The guidelines of ISO 19011:2011, 7.1 apply.

7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
7.2.1.1 General
The guidelines of ISO 19011:2011, 7.2.1 apply. In addition, the following guidance applies.
7.2.1.2 IS 7.2.1 General
In deciding the appropriate knowledge and skills of an ISMS auditor, the following should be considered:
a) complexity of the ISMS (e.g. criticality of information systems within the ISMS, risk assessment
results of the ISMS);
b) the type(s) of business performed within the ISMS scope;
c) extent and diversity of technology utilized in the implementation of the various components of
the ISMS (such as the implemented controls, documented information and/or process control,
technological platforms and solutions involved, etc.);
d) previously demonstrated performance of the ISMS;
e) extent of outsourcing and external party arrangements used within the ISMS scope;
f) the standards, legal requirements and other requirements relevant to the audit programme.
7.2.2 Personal behaviour
The guidelines of ISO 19011:2011, 7.2.2 apply.
7.2.3 Knowledge and skills
7.2.3.1 General
The guidelines of ISO 19011:2011, 7.2.3.1 apply.
7.2.3.2 Generic knowledge and skills of management system auditors
The guidelines of ISO 19011:2011, 7.2.3.2 apply.
7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
The guidelines of ISO 19011:2011, 7.2.3.3 apply. In addition, the guidelines of ISO 19011:2011, A.7 apply.
7.2.3.4 Generic knowledge and skills of an audit team leader
The guidelines of ISO 19011:2011, 7.2.3.4 apply.
7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
The guidelines of ISO 19011:2011, 7.2.3.5 apply.
7.2.4 Achieving auditor competence
7.2.4.1 General
The guidelines of ISO 19011:2011, 7.2.4 apply. In addition, the following guidance applies.

7.2.4.2 IS 7.2.4 Achieving auditor competence
ISMS auditors should have knowledge and skills in information technology and information security, demonstrated for example through relevant certifications (e.g. accredited to ISO/IEC 17024). ISMS auditors should also be able to understand the relevant business requirements. Individual ISMS auditors' work experience should also contribute to the development of their knowledge and skills in the ISMS field.
NOTE Further information about certification for ISMS auditors can be found in ISO/IEC 27006.
7.2.5 Audit team leader
The guidelines of ISO 19011:2011, 7.2.5 apply.
7.3 Establishing the auditor evaluation criteria
The guidelines of ISO 19011:2011, 7.3 apply.
7.4 Selecting the appropriate auditor evaluation method
The guidelines of ISO 19011:2011, 7.4 apply.
7.5 Conducting auditor evaluation
The guidelines of ISO 19011:2011, 7.5 apply.
7.6 Maintaining and improving auditor competence
The guidelines of ISO 19011:2011, 7.6 apply.

Annex A
(informative)
Guidance for ISMS auditing practice
A.1 Overview
This annex provides generic guidance on how to audit an ISMS, for which an organization claims
conformance to ISO/IEC 27001. As this guidance is intended to apply to all such ISMS audits, irrespective
of the size or nature of the organization involved, this guidance is generic. The guidance is intended to
be used by auditors performing ISMS auditing, whether internal or external.
NOTE ISO/IEC 27003 gives guidance on implementing and operating an ISMS according to ISO/IEC 27001.
A.2 General
A.2.1 Audit objectives, scope, criteria and audit evidence
During audit activities, information relevant to the audit objectives, scope and criteria, including
information relating to interfaces between functions, activities and processes, should be obtained by
means of appropriate sampling and should be verified. Only information that is verifiable should be
accepted as audit evidence. Audit evidence leading to audit findings should be recorded.
Methods of obtaining information include the following:
— interviews;
— observations;
— review of documents, including records.
A.2.2 Strategy for auditing an ISMS
ISO/IEC 27001 applies the high-level structure, identical subclause titles, identical text, common terms,
and core definitions defined in Annex JC of ISO/IEC Directives, Part 1 and Consolidated JTC1 Supplement
— Procedures specific to JTC 1. ISO/IEC 27001 defines a set of interdependent requirements that
function as a whole (often referred to as “a systems approach”) and deploys cross-referencing to show
linkage.
There are some ISO/IEC 27001:2013 subclauses that are closely linked and in practice are often best
dealt with at the same time in conducting the audit. See Table A.2 for examples.
Examples are 6.1.3 and 8.3, and 6.2, 5.1, 5.2, 5.3, 7.1, 7.4, 7.5, 9.1, 9.3 and 10.2; it makes sense to audit
these subclauses together with their linked and related subclauses.
ISO/IEC 27001:2013, 7.5 presents the requirements concerning documented information. As explained
in Table A.2, A.4.5, each time auditors examine an item of documented information, it offers the
opportunity to confirm conformity with the requirements of ISO/IEC 27001:2013, 7.5. The guidance on
how to do this is located in Table A.2, A.4.5. The requirements regarding documented information are
not repeated for each occurrence of "documented information" in the table.
A.2.3 Audit and documented information
Audit activities can involve documented information, namely:
a) requirement statements of documented information in ISO/IEC 27001 can be used as audit criteria;
b) the following documented information can be audit evidence:
1) documented information required by ISO/IEC 27001:2013, 7.5.1 b);
2) documented information determined by the organization as being necessary for the
effectiveness of the ISMS of ISO/IEC 27001:2013, 7.5.1 c).
There can be audit evidence other than A.2.3 b), which auditors will obtain through interviews,
observations and review of documents, including records.
Detailed discussion of documented information concerning ISO/IEC 27001 can be found in A.3.
A.3 Guidance on ISO/IEC 27001 requirements for documented information
A.3.1 Rationale
Auditors should take care when requesting documented information as evidence of conformity.
There are:
a) 16 explicit requirements for documented information, including the Statement of Applicability, as
listed in Table A.1;
b) the remaining requirements are requirements for which:
1) it would be reasonable to expect that evidence of conformance will be found in the above-
mentioned documented information;
2) there is no explicit or implicit requirement for documented information.
Table A.1 — Requirements for documented information in ISO/IEC 27001

| Requirement for documented information concerning | Reference in ISO/IEC 27001 |
| --- | --- |
| Scope of the ISMS | 4.3 |
| Information security policy | 5.2 |
| Information security risk assessment process | 6.1.2 |
| Information security risk treatment process | 6.1.3 |
| Statement of Applicability | 6.1.3 d) |
| Information security objectives | 6.2 |
| Evidence of competence | 7.2 d) |
| Documented information determined by the organization as being necessary for the effectiveness of the ISMS | 7.5.1 b) |
| Operational planning and control | 8.1 |
| Results of the information security risk assessments | 8.2 |
| Results of the information security risk treatment | 8.3 |
| Evidence of the monitoring and measurement results | 9.1 |
| Evidence of the audit programme(s) and the audit results | 9.2 g) |
| Evidence of the results of management reviews | 9.3 |
| Evidence of the nature of the nonconformities and any subsequent actions taken | 10.1 f) |
| Evidence of the results of any corrective action | 10.1 g) |
NOTE The definition of an audit states that it is a documented process and hence an auditor can expect the
requirement of ISO/IEC 27001:2013, 9.2 to result in an audit process being documented.
A.3.2 Example of implicit requirement for documented information
As an example of A.3.1 b) 1), consider ISO/IEC 27001:2013, 6.1.2, which requires organizations
to “retain documented information about the information security risk assessment process”. The
preceding requirements [ISO/IEC 27001:2013, 6.1.2 a) to e)] all concern that risk assessment process. It
is therefore reasonable to expect that evidence of conformance to these requirements will be found in
the required documented information concerning the risk assessment process.
A.3.3 Example where there is no explicit or implicit requirement for documented information
As an example of A.3.1 b) 2), consider ISO/IEC 27001:2013, 4.1.1. There is no requirement for documented
information concerning external and internal issues. Auditors should not therefore demand to see it.
Nevertheless, failur
...
