ISO/IEC INTERNATIONAL STANDARD 27007
Third edition 2020-01-21

Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing

Sécurité de l'information, cybersécurité et protection des données privées - Lignes directrices pour l'audit des systèmes de management de la sécurité de l'information

Reference number ISO/IEC 27007:2020(E)
© ISO/IEC 2020

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2020, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8 - CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]

ii © ISO/IEC 2020 - All rights reserved

Contents (page numbers as printed; missing where the scan lost them)

Foreword
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Principles of auditing ... 1
5 Managing an audit programme ... 1
5.1 General ... 1
5.2 Establishing audit programme objectives
5.3 Determining and evaluating audit programme risks and opportunities ... 2
5.4 Establishing audit programme ... 2
5.4.1 Roles and responsibilities of the individual(s) managing audit programme ... 2
5.4.2 Competence of individual(s) managing audit programme ... 2
5.4.3 Establishing extent of the audit programme ... 2
5.4.4 Determining audit programme resources
5.5 Implementing audit programme ... 3
5.5.1 General ... 3
5.5.2 Defining the objectives, scope and criteria for an individual audit ... 3
5.5.3 Selecting and determining audit methods ... 4
5.5.4 Selecting audit team members ... 4
5.5.5 Assigning responsibility for an individual audit to the audit team leader ... 4
5.5.6 Managing audit programme results ... 4
5.5.7 Managing and maintaining audit programme records ... 4
5.6 Monitoring audit programme ... 4
5.7 Reviewing and improving audit programme ... 4
6 Conducting an audit ... 5
6.1 General ... 5
6.2 Initiating audit ... 5
6.2.1 General ... 5
6.2.2 Establishing contact with auditee
6.2.3 Determining feasibility of audit ... 5
6.3 Preparing audit activities
6.3.1 Performing review of documented information ... 5
6.3.2 Audit planning ... 5
6.3.3 Assigning work to audit team ... 5
6.3.4 Preparing documented information for audit ... 6
6.4 Conducting audit activities ... 6
6.4.1 General ... 6
6.4.2 Assigning roles and responsibilities of guides and observers ... 6
6.4.3 Conducting opening meeting ... 6
6.4.4 Communicating during audit ... 6
6.4.5 Audit information availability and access ... 6
6.4.6 Reviewing documented information while conducting audit ... 6
6.4.7 Collecting and verifying information ... 6
6.4.8 Generating audit findings
6.4.9 Determining audit conclusions ... 7
6.4.10 Conducting closing meeting
6.5 Preparing and distributing audit report ... 7
6.5.1 Preparing audit report ... 7
6.5.2 Distributing audit report
6.6 Completing audit ... 7
6.7 Conducting audit follow-up
7 Competence and evaluation of auditors
7.1 General
7.2 Determining auditor competence ... 8
7.2.1 General ... 8
7.2.2 Personal behaviour ... 8
7.2.3 Knowledge and skills ... 8
7.2.4 Achieving auditor competence ... 8
7.2.5 Achieving audit team leader competence ... 9
7.3 Establishing auditor evaluation criteria ... 9
7.4 Selecting appropriate auditor evaluation method
7.5 Conducting auditor evaluation ... 9
7.6 Maintaining and improving auditor competence
Annex A (informative) Guidance for ISMS auditing practice ... 10
Bibliography ... 51

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of tec

