Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Aug 20, 2017

NBlog August 20 - FREE ISO27k audit guideline



Over the last few weeks, I've been busy with a virtual team of volunteers updating an ISMS audit guideline written prior to the 2011 release of the ISO/IEC standards 27007 (Guidelines for information security management systems auditing) and 27008 (Guidelines for auditors on information security controls). One of our goals at the time was to contribute to the development of the standards.

Meantime, not only have those two standards been published, but ISO/IEC 27001 and 27002 have also been updated ... so there was a lot of updating to do.

Our guideline is aimed at internal auditors, specifically IT auditors tasked with auditing either:

  • the management system parts of an Information Security Management System; or
  • the information security controls being managed by the ISMS.

In ISO27k, the management system is a combined governance and management framework - a structured approach similar to those for managing quality assurance, environmental protection and more. Auditing it is fairly straightforward because 27001 is quite explicit about what it should be. The guideline goes beyond certification auditing, though. Even if the ISMS fulfills the requirements of the standard, it may not satisfy the organization's needs. 

Auditing the information security controls is another matter entirely. 27002 is not a simple catalog of controls (like, say, PCI DSS). Instead, organizations identify and assess their information risks, then decide how to treat them using whatever controls they feel are appropriate. Given the variety of organizations that The standard suggests literally hundreds of possible controls ... and acknowledges that it is not totally comprehensive. Auditing the controls is tough given their number and complexity, especially if management wants a reasonably detailed and comprehensive picture of the security status. 

The audit guideline ballooned to 100 pages at one stage before being viciously pruned to 'just' 50 - still a daunting prospect for a busy IT auditor. The suggestion is to use the guideline to develop a custom audit workplan or checklist that meets the parameters of the particular assignment - for instance, skimming through just the main points while ignoring the details for an overview, or going to town on a few areas of concern where the main risks and issues are thought to be.

Download just the ISMS audit guideline, or the entire ISO27k Toolkit. Both are FREE!