ISO/IEC 27007:2011
Information technology - Security techniques - Guidelines for information security management systems auditing
ISO/IEC 27007:2011 provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. ISO/IEC 27007:2011 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
Information technology — Security techniques — Guidelines for auditing information security management systems
This International Standard provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This International Standard applies to those who need to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
Frequently Asked Questions
ISO/IEC 27007:2011 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Guidelines for information security management systems auditing". This standard provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. It is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
ISO/IEC 27007:2011 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 27007:2011 has the following relationship with other standards: it is linked to ISO/IEC 27007:2017. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 27007:2011 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27007
First edition 2011-11-15
Information technology — Security techniques — Guidelines for information security management systems auditing
Information technology — Security techniques — Guidelines for auditing information security management systems
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
Contents
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles of auditing . 1
5 Managing an audit programme . 1
5.1 General . 1
5.1.1 IS 5.1 General . 2
5.2 Establishing the audit programme objectives . 2
5.2.1 IS 5.2 Establishing the audit programme objectives . 2
5.3 Establishing the audit programme . 2
5.3.1 Role and responsibilities of the person managing the audit programme . 2
5.3.2 Competence of the person managing the audit programme . 2
5.3.3 Determining the extent of the audit programme . 2
5.3.4 Identifying and evaluating audit programme risks . 3
5.3.5 Establishing procedures for the audit programme . 3
5.3.6 Identifying audit programme resources . 3
5.4 Implementing the audit programme . 3
5.4.1 General . 3
5.4.2 Defining the objectives, scope and criteria for an individual audit . 3
5.4.3 Selecting the audit methods . 4
5.4.4 Selecting the audit team members . 4
5.4.5 Assigning responsibility for an individual audit to the audit team leader . 5
5.4.6 Managing the audit programme outcome . 5
5.4.7 Managing and maintaining audit programme records . 5
5.5 Monitoring the audit programme . 5
5.6 Reviewing and improving the audit programme . 5
6 Performing an audit . 5
6.1 General . 5
6.2 Initiating the audit . 5
6.2.1 General . 5
6.2.2 Establishing initial contact with the auditee. 5
6.2.3 Determining the feasibility of the audit . 5
6.3 Preparing audit activities . 6
6.3.1 Performing document review in preparation for the audit . 6
6.3.2 Preparing the audit plan . 6
6.3.3 Assigning work to the audit team . 6
6.3.4 Preparing work documents . 6
6.4 Conducting the audit activities . 6
6.4.1 General . 6
6.4.2 Conducting the opening meeting . 6
6.4.3 Performing document review while conducting the audit . 6
6.4.4 Communicating during the audit . 6
6.4.5 Assigning roles and responsibilities of guides and observers . 6
6.4.6 Collecting and verifying information . 6
6.4.7 Generating audit findings . 7
6.4.8 Preparing audit conclusions . 7
6.4.9 Conducting the closing meeting . 7
6.5 Preparing and distributing the audit report . 7
6.5.1 Preparing the audit report . 7
6.5.2 Distributing the audit report . 7
6.6 Completing the audit . 7
6.7 Conducting audit follow-up . 7
7 Competence and evaluation of auditors . 7
7.1 General . 7
7.2 Determining auditor competence to fulfil the needs of the audit programme . 7
7.2.1 General . 7
7.2.2 Personal behaviour . 8
7.2.3 Knowledge and skills . 8
7.2.4 Achieving auditor competence . 9
7.2.5 Audit team leader . 9
7.3 Establishing the auditor evaluation criteria . 9
7.4 Selecting the appropriate auditor evaluation method . 9
7.5 Conducting auditor evaluation . 9
7.6 Maintaining and improving auditor competence . 9
Annex A (informative) Practice Guidance for ISMS Auditing . 10
Bibliography . 27
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27007 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
This International Standard provides guidance on the management of an information security management system (ISMS) audit programme and the conduct of the internal or external audits in accordance with ISO/IEC 27001:2005, as well as guidance on the competence and evaluation of ISMS auditors, which should be used in conjunction with the guidance contained in ISO 19011. This International Standard does not state requirements.
This guidance is intended for all users, including small and medium sized organizations.
ISO 19011, Guidelines for auditing management systems, provides guidance on the management of audit programmes, the conduct of internal or external audits of management systems, as well as on the competence and evaluation of management system auditors.
The text in this International Standard follows the structure of ISO 19011, and the additional ISMS-specific guidance on the application of ISO 19011 for ISMS audits is identified by the letters “IS”.
INTERNATIONAL STANDARD ISO/IEC 27007:2011(E)
Information technology — Security techniques — Guidelines for information security management systems auditing
1 Scope
This International Standard provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This International Standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19011:2011, Guidelines for auditing management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/IEC 27000 apply.
4 Principles of auditing
The principles of auditing from ISO 19011:2011, Clause 4 apply.
5 Managing an audit programme
5.1 General
The guidelines from ISO 19011:2011, Clause 5.1, apply. In addition, the following ISMS-specific guidance applies.
5.1.1 IS 5.1 General 1)
The ISMS audit programme should be developed based on the auditee’s information security risk situation.
5.2 Establishing the audit programme objectives
The guidelines from ISO 19011:2011, Clause 5.2, apply. In addition, the following ISMS-specific guidance applies.
5.2.1 IS 5.2 Establishing the audit programme objectives
Objectives for audit programme(s) should be established to direct the planning and conduct of audits and to ensure that the audit programme is implemented effectively. These objectives can be dependent on:
a) identified information security requirements;
b) requirements from ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security failures, incidents and effectiveness measurements; and
d) information security risks to the organization being audited.
Examples of audit programme objectives may include the following:
1) verification of conformity with the identified legal and contractual requirements and other requirements and their security implications;
2) obtaining and maintaining confidence in the risk management capability of an auditee.
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.1, apply.
5.3.2 Competence of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.2, apply.
5.3.3 Determining the extent of the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.3, apply. In addition, the following ISMS-specific guidance applies.
5.3.3.1 IS 5.3.3 Determining the extent of the audit programme
The extent of an audit programme can vary. Factors that can influence the extent of the audit programme are:
a) the size of the ISMS, including
1. the total number of personnel working at each location and relationships with third-party contractors working regularly at the location to be audited;
2. the number of information systems;
3. the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities);
c) the significance of the information security risks identified for the ISMS;
d) the importance of information and related assets within the scope of the ISMS;
1) For the purpose of this document, whenever the term “audit” is used this refers to ISMS audits.
e) the complexity of the information systems to be audited on site, including complexity of information technology deployed;
f) whether there are many similar sites; and
g) the variations in ISMS complexity across the sites in scope.
Consideration should be given in the audit programme to setting priorities based on information security risks and business requirements in respect of the ISMS areas that warrant more detailed examination.
Further information about multi-site sampling can be found in ISO/IEC 27006:2007 and IAF MD 1:2007 (see Bibliography); note that the information in these documents relates only to certification audits.
5.3.4 Identifying and evaluating audit programme risks
The guidelines from ISO 19011:2011, Clause 5.3.4, apply.
5.3.5 Establishing procedures for the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.5, apply.
5.3.6 Identifying audit programme resources
The guidelines from ISO 19011:2011, Clause 5.3.6, apply. In addition, the following ISMS-specific guidance applies.
5.3.6.1 IS 5.3.6 Identifying audit programme resources
In particular, for all significant risks applicable to the auditee, auditors should be allocated sufficient time to verify the effectiveness of the corresponding risk mitigation action.
5.4 Implementing the audit programme
5.4.1 General
The guidelines from ISO 19011:2011, Clause 5.4.1, apply. In addition, the following ISMS-specific guidance applies.
5.4.1.1 IS 5.4.1 General
Where applicable, confidentiality requirements of auditees and other relevant parties, including possible legal and contractual requirements, should be addressed in the implementation of an audit programme.
5.4.2 Defining the objectives, scope and criteria for an individual audit
The guidelines from ISO 19011:2011, Clause 5.4.2, apply. In addition, the following ISMS-specific guidance applies.
5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit
The audit scope should reflect the auditee’s information security risks, relevant business requirements and business risks.
The audit objectives may in addition include the following:
a) evaluation of whether the ISMS adequately identifies and addresses information security requirements;
b) evaluation of the continual suitability of the ISMS objectives defined by management; and
c) evaluation of the processes for the maintenance and effective improvement of the ISMS.
Practical help — Examples of audit criteria
The following are topics for consideration as audit criteria:
1) the auditee's information security risk assessment methodology and risk assessment and treatment results, and that these address all relevant requirements;
2) the version of the Statement of Applicability, and its relation to the results of the risk assessment;
3) the effective implementation of controls to reduce risks;
4) measurement of the effectiveness of the implemented controls, and that these measurements have been applied as defined to measure control effectiveness (see ISO/IEC 27004);
5) activities to monitor and review the ISMS processes and controls;
6) internal ISMS audits and management reviews and the organization’s corrective actions;
7) information about the adequacy of and compliance with the objectives, policies, and procedures adopted by the auditee; and
8) compliance with specific legal and contractual requirements and other requirements relevant to the auditee, and their information security implications.
The audit team should ensure that the scope and boundaries of the ISMS of the auditee are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology, including details and justification of any exclusion from the scope. The audit team should confirm that the auditee addresses the requirements stated in Clause 1.2 of ISO/IEC 27001:2005 within the scope of the ISMS.
Auditors should therefore ensure that the auditee’s information security risk assessment and risk treatment properly reflect its activities and extend to the boundaries of the scope. Auditors should confirm that this is reflected in the Statement of Applicability.
Auditors should also ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS and are included in the auditee's information security risk assessment. An example of such a situation is the sharing of facilities (e.g. IT systems, databases and telecommunication systems) with other organizations.
5.4.3 Selecting the audit methods
The guidelines from ISO 19011:2011, Clause 5.4.3, apply. In addition, the following ISMS-specific guidance applies.
5.4.3.1 IS 5.4.3 Selecting the audit methods
If a joint audit is conducted, particular attention should be paid to the disclosure of information during the audit. Agreement on this should be reached with all interested parties before the audit commences.
5.4.4 Selecting the audit team members
The guidelines from ISO 19011:2011, Clause 5.4.4, apply. In addition, the following ISMS-specific guidance applies.
5.4.4.1 IS 5.4.4 Selecting the audit team members
The competence of the overall audit team should include:
a) adequate knowledge and understanding of information security risk management, sufficient to evaluate the methods used by the auditee; and
b) adequate knowledge and understanding of information security and information security management, sufficient to evaluate control selection, and planning, implementation, maintenance and effectiveness of the ISMS.
Where necessary, care should be taken that the auditors have obtained the necessary clearance to access audit evidence.
5.4.5 Assigning responsibility for an individual audit to the audit team leader
The guidelines from ISO 19011:2011, Clause 5.4.5, apply.
5.4.6 Managing the audit programme outcome
The guidelines from ISO 19011:2011, Clause 5.4.6, apply.
5.4.7 Managing and maintaining audit programme records
The guidelines from ISO 19011:2011, Clause 5.4.7, apply.
5.5 Monitoring the audit programme
The guidelines from ISO 19011:2011, Clause 5.5 apply.
5.6 Reviewing and improving the audit programme
The guidelines from ISO 19011:2011, Clause 5.6 apply.
6 Performing an audit
6.1 General
The guidelines from ISO 19011:2011, Clause 6.1 apply.
6.2 Initiating the audit
6.2.1 General
The guidelines from ISO 19011:2011, Clause 6.2.1, apply.
6.2.2 Establishing initial contact with the auditee
The guidelines from ISO 19011:2011, Clause 6.2.2, apply.
6.2.3 Determining the feasibility of the audit
The guidelines from ISO 19011:2011, Clause 6.2.3, apply. In addition, the following ISMS-specific guidance applies.
6.2.3.1 IS 6.2.3 Determining the feasibility of the audit
Before the audit commences, the auditee should be asked whether any ISMS records are unavailable for review by the audit team, e.g. because they contain confidential or sensitive information. The person responsible for managing the audit programme should determine whether the ISMS can be adequately audited in the absence of these records. If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified records, the person should advise the auditee that the audit cannot take place until appropriate access arrangements are granted, and an alternative could be proposed to or by the auditee.
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
The guidelines from ISO 19011:2011, Clause 6.3.1, apply.
6.3.2 Preparing the audit plan
The guidelines from ISO 19011:2011, Clause 6.3.2, apply.
6.3.3 Assigning work to the audit team
The guidelines from ISO 19011:2011, Clause 6.3.3, apply.
6.3.4 Preparing work documents
The guidelines from ISO 19011:2011, Clause 6.3.4, apply.
6.4 Conducting the audit activities
6.4.1 General
The guidelines from ISO 19011:2011, Clause 6.4.1, apply.
6.4.2 Conducting the opening meeting
The guidelines from ISO 19011:2011, Clause 6.4.2, apply.
6.4.3 Performing document review while conducting the audit
The guidelines from ISO 19011:2011, Clause 6.4.3, apply. In addition, the following ISMS-specific guidance applies.
6.4.3.1 IS 6.4.3 Performing document review while conducting the audit
Auditors should check that documents required by ISO/IEC 27001 exist and conform to its requirements.
Auditors should confirm that the selected controls are related to the results of the risk assessment and risk treatment process, and can subsequently be traced back to the ISMS policy and objectives.
NOTE Annex A of this standard provides guidance on how to audit the ISMS processes and ISMS documentation.
6.4.4 Communicating during the audit
The guidelines from ISO 19011:2011, Clause 6.4.4, apply.
6.4.5 Assigning roles and responsibilities of guides and observers
The guidelines from ISO 19011:2011, Clause 6.4.5, apply.
6.4.6 Collecting and verifying information
The guidelines from ISO 19011:2011, Clause 6.4.6, apply. In addition, the following ISMS-specific guidance applies.
6.4.6.1 IS 6.4.6 Collecting and verifying information
Gathering information and evidence that ISMS processes and controls are implemented and effective is an important part of ISMS auditing. Possible methods to collect relevant information during the audit include:
a) review of information assets and the ISMS processes and controls implemented for them; and
b) use of automated audit tools.
NOTE Annex A of this standard provides guidance on how to audit the ISMS processes.
ISMS auditors should ensure appropriate handling of all information received from auditees according to the agreement between the auditee and the audit team.
6.4.7 Generating audit findings
The guidelines from ISO 19011:2011, Clause 6.4.7, apply.
6.4.8 Preparing audit conclusions
The guidelines from ISO 19011:2011, Clause 6.4.8, apply.
6.4.9 Conducting the closing meeting
The guidelines from ISO 19011:2011, Clause 6.4.9, apply.
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
The guidelines from ISO 19011:2011, Clause 6.5.1, apply.
6.5.2 Distributing the audit report
The guidelines from ISO 19011:2011, Clause 6.5.2, apply.
6.6 Completing the audit
The guidelines from ISO 19011:2011, Clause 6.6 apply.
6.7 Conducting audit follow-up
The guidelines from ISO 19011:2011, Clause 6.7 apply.
7 Competence and evaluation of auditors
7.1 General
The guidelines from ISO 19011:2011, Clause 7.1 apply.
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
The guidelines from ISO 19011:2011, Clause 7.2.1, apply. In addition, the following ISMS-specific guidance applies.
7.2.1.1 IS 7.2.1 General
In deciding the appropriate knowledge and skills, the following should be considered:
a) complexity of the ISMS (e.g. criticality of information systems, risk situation of the ISMS);
b) the type(s) of business performed within the scope of the ISMS;
c) extent and diversity of technology utilized in the implementation of the various components of the ISMS (such as the implemented controls, documentation and/or process control, corrective/preventive action, etc.);
d) number of sites;
e) previously demonstrated performance of the ISMS;
f) extent of outsourcing and third party arrangements used within the scope of the ISMS;
g) the standards, legal requirements and other requirements relevant to the audit programme.
7.2.2 Personal behaviour
The guidelines from ISO 19011:2011, Clause 7.2.2 apply.
7.2.3 Knowledge and skills
7.2.3.1 General
The guidelines from ISO 19011:2011, Clause 7.2.3.1, apply.
7.2.3.2 Generic knowledge and skills of management system auditors
The guidelines from ISO 19011:2011, Clause 7.2.3.2, apply.
7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
The guidelines from ISO 19011:2011, Clause 7.2.3.3, apply. In addition, the following ISMS-specific guidance applies.
7.2.3.3.1 IS 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
ISMS auditors should have knowledge and skills in the following areas:
a) Information security management methods: to enable the auditor to examine the ISMS and generate the appropriate audit findings and recommendations. Knowledge and skills in this area should include:
1) information security terminology;
2) information security management principles and their application; and
3) information security risk management methods and their application.
b) General knowledge in information technology and information security techniques, as applicable (for example, physical and logical access control techniques; protection against malicious software; vulnerability management techniques, etc.), or access thereto.
c) Current information security threats, vulnerabilities and controls, plus the broader organizational, legal and contractual context for the ISMS (e.g. changing business processes and relationships, technology or laws).
If additional specific knowledge and/or skills are required, the use of information security experts (e.g. with sector specific competence, competence in IT Security or business continuity management) should be considered. If experts are used, their competence should be carefully evaluated.
NOTE Specific requirements for ISMS certification auditors are given in ISO/IEC 27006.
7.2.3.4 Generic knowledge and skills of an audit team leader
The guidelines from ISO 19011:2011, Clause 7.2.3.4, apply.
7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
The guidelines from ISO 19011:2011, Clause 7.2.3.5, apply.
7.2.4 Achieving auditor competence
The guidelines from ISO 19011:2011, Clause 7.2.4, apply. In addition, the following ISMS-specific guidance applies.
7.2.4.1 IS 7.2.4 Achieving auditor competence
ISMS auditors should have knowledge and skills in information technology and information security, demonstrated for example through relevant certifications, and should also be able to understand the respective business requirements. ISMS auditors' work experience should also contribute to the development of their knowledge and skills in the ISMS field.
7.2.5 Audit team leader
The guidelines from ISO 19011:2011, Clause 7.2.5, apply.
7.3 Establishing the auditor evaluation criteria
The guidelines from ISO 19011:2011, Clause 7.3, apply.
7.4 Selecting the appropriate auditor evaluation method
The guidelines from ISO 19011:2011, Clause 7.4, apply.
7.5 Conducting auditor evaluation
The guidelines from ISO 19011:2011, Clause 7.5, apply.
7.6 Maintaining and improving auditor competence
The guidelines from ISO 19011:2011, Clause 7.6, apply.
Annex A
(informative)
Practice Guidance for ISMS Auditing
The text below provides generic guidance on how to audit the ISMS processes, as required by ISO/IEC 27001, without regard to any specific ISMS requirements that an individual organization might have (for example, legal and contractual requirements and other requirements relevant to the implementation of particular information security controls).
This guidance is primarily intended to be referenced and used by auditors who will perform ISMS auditing, be they internal or external.
Optional additional standards can be used to guide the auditee or auditor. These are listed as “Relevant Standards” in the tables below. Auditors are reminded to base nonconformities solely on the audit criteria and the requirements of ISO/IEC 27001.
Table A.1 — ISMS audit practice guidance
A.1 ISMS scope, policy and risk assessment approach (ISO/IEC 27001 4.1 & 4.2.1a) to c))
2)
Audit ISO/IEC 27001 4.1, 4.2.1 a), b) and c)
criteria
Relevant ISO/IEC 17021 9.2.1 a) to d)
standards
ISO/IEC 27005 3.1 to 3.9 (ISO/IEC Guide73)
ISO/IEC 27005 7.1,7.2, 7.3 and 7.4
ISO/IEC 27006 3.1, 3.5, 9.1.2 and 9.1.4.2 b) to d)
Audit
Audit evidence includes:
evidence
Scope of the ISMS (4.3.1 b));
Organization chart;
Organization strategy;
Business policy statement, business processes and activities;
Documentation of roles and responsibilities;
Network configuration;
Sites information, including a list of branches, business, offices and facilities, and
their floor layouts;
Interfaces and dependencies that the business activities carried out in the scope of the
ISMS have with those outside the scope;
Relevant laws, regulations and contracts;
Primary assets information;
ISMS policy document.
Audit Information security management system (4)
practice
General requirements (4.1)
guide
“4.1 General requirements” in ISO/IEC 27001 specifies the overall context of an ISMS as
required by ISO/IEC 27001, which covers all the requirements stated in the clauses
subsequent to 4.1. In auditing practice, an ISMS has to be confirmed as being:
organized and performed within the context of the organization’s overall business
activities and the risks it faces;
2) Undated references refer to the version of the standard cited in Normative References or Bibliography.
10 © ISO/IEC 2011 – All rights reserved
documented to satisfy the documentation requirements (stated in 4.3).
In addition, it should be demonstrated that the ISMS has been established, implemented,
operated, monitored, reviewed, maintained and improved, e.g. the organization
demonstrates that it has the capability of carrying out these processes.
Establishing and managing the ISMS (4.2)
Establish the ISMS (4.2.1)
ISMS scope (4.2.1 a))
The auditor should review and confirm that the organization has defined the scope and
boundaries of the ISMS.
The scope of the ISMS needs to be identified to ensure that all relevant assets are taken
into account in the ISMS and its risk management. In addition, the boundaries, interfaces
and dependencies need to be identified to address those risks that might arise through
them.
It should be confirmed that information about the organization has been collected to
determine the context within which the organization operates and how the organization
has been related to the ISMS and its information security risk management processes, in
order to define the scope and boundaries.
The auditor should confirm that the organization has considered the following information
in order to define the scope and boundaries:
organization's strategies, business objectives and policies;
business processes;
organization’s functions and structure;
legal and contractual requirements and other requirements relevant to the
organization;
primary information assets;
locations of the organization and their geographical characteristics;
constraints affecting the organization;
expectation of stakeholders;
socio-cultural environment; and
interfaces (i.e. information exchange with the environment).
It should be reviewed and verified that the organization provides justification for any
exclusion from the scope. It should be confirmed that the organization has its own
functions and administration and is able to ensure that the ISMS is operated continually
throughout its life cycle (ISO/IEC 27001 Section 4.1 and ISO/IEC 27006 Section 3.5).
Further guidance on how to audit the ISMS scope is given in Section 6.2.3.
ISMS policy (4.2.1 b))
The auditor should confirm that the organization’s ISMS policy is specifically described in
terms of the characteristics of the business, the organization, its location, assets and
technology. The auditor should also confirm that the ISMS policy clearly identifies:
a framework for setting ISMS objectives (the background to and rationale for
setting the objectives, and if the ISMS policy and information security policies are
described in one document, the objectives), as well as direction and principles for
action from the management viewpoint;
necessary business requirements, legal and contractual requirements and other
requirements relevant to the auditee;
the position of information security risk management and how it interfaces and aligns
with the organization’s overall risk management, including CSR, internal governance,
financial control, safety, etc.;
rationale for managing risks, such as which primary assets should be considered
important to protect and which aspects of information security, i.e. confidentiality,
integrity or availability, should be evaluated most seriously when the ISMS risk
assessment is conducted; and
approval and commitment of the top management.
Auditing the ISMS policy can be done by:
confirming that the ISMS policy is produced as a document which includes
signatures or seals indicating that the top management has established the policy;
confirming through the relevant documents that procedures on establishing the
policy (e.g. how the policy is authorized or reviewed within the organization) and
rules for the procedures are defined, the rules are documented, and the methods
for controlling the documents are specified;
interviewing management to understand their approach and commitment to the
organization’s ISMS;
evaluating, through the minutes and records of management review, the
commitment and involvement of management in implementation, maintenance
and improvement of the ISMS policy;
assessing whether management has effectively communicated the ISMS policy,
e.g. by focusing it on specific audiences, at all levels of the organization;
conducting interviews with personnel in the ISMS scope to verify if they are aware
of the importance of meeting information security objectives, conforming to the
information security policy, and their information security responsibilities; and
considering the information security policy (if available) and its relation to the ISMS
policy.
Auditing ISMS objectives can be done by verifying that:
organization’s ISMS objectives have been defined, reflected in the ISMS policy,
and aligned with the overall business objectives;
ISMS controls and processes are identified and documented to meet the ISMS
objectives;
the objectives are adequately documented;
ISMS objectives are suitably communicated to all levels of the organization; and
the organization has assigned responsible personnel as resources required to
achieve the objectives.
It is recommended that the auditor examine the documented ISMS policy and objectives
during the document review stage of the audit.
The ISMS policy and objectives are required to be reviewed and updated in response to
changes in the context of risk management. The auditor should confirm that continual
improvement has been performed in relation to the business environment context.
The auditor should keep in mind that conformity to the ISMS policy and fulfilment of
objectives can be measured in a quantitative or qualitative manner.
Risk assessment approach (4.2.1 c))
ISO/IEC 27001 requires that organizations define a risk assessment approach and
Clauses 4.2.1 d) to f) specify elements of this approach. ISO/IEC 27001 does not state
which risk assessment approach should be employed and any approach is acceptable as
long as it meets the requirements in ISO/IEC 27001.
The auditor should verify that the risk assessment approach conforms to the requirements
for risk assessment in ISO/IEC 27001 and is suitable for the organization and the overall
risk management in place.
It should be confirmed that the risk assessment approach is implemented to identify risks
in the business processes and activities and to take appropriate actions against those risks.
ISO/IEC 27005 provides guidance on risk assessment and risk management. The auditor
should be aware that there are quantitative and qualitative methods, or any combination of
the two, for risk assessment, and that it is up to the organization to decide which approach
to use.
The processes and procedures for ISO/IEC 27001:2005 4.2.1 c) to j) are required to be
defined, implemented and documented as a risk assessment approach, in accordance with
the management statement described in the organization’s ISMS policy (i.e. 4.2.1 b) 4),
criteria against which risk will be evaluated). The approach is defined as including how to
deal with compliance with legal and contractual requirements and other requirements
relevant to the risks and assets that the organization should handle strategically in the
context of business and risk assessment. At the audit, it should be confirmed that the
approach is implemented and performed as required by ISO/IEC 27001:2005 4.2.1 b) to j).
The auditor should confirm that the results of risk assessments by the risk assessment
approach are comparable and reproducible.
In other words, the auditor should confirm that the approach enables different personnel in
charge of risk assessment to reach the same results regardless of who conducts the risk
assessment or when, provided that they have a certain level of competence in risk
assessment and have assessed the same assets in accordance with the processes and
procedures defined in the approach. And if a different result is obtained, the approach
enables them to identify where and why the difference has occurred in the risk
...
SLOVENIAN STANDARD
01-April-2015
Information technology - Security techniques - Guidelines for auditing information
security management systems
Information technology -- Security techniques -- Guidelines for information security
management systems auditing
Information technology -- Security techniques -- Guidelines for the audit of information
security management systems
This Slovenian standard is identical to: ISO/IEC 27007:2011
ICS: 35.040 Character sets and information coding
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
INTERNATIONAL STANDARD ISO/IEC 27007
First edition
2011-11-15
Information technology — Security
techniques — Guidelines for information
security management systems auditing
Information technology — Security techniques — Guidelines for information security
management systems auditing
Reference number ISO/IEC 27007:2011(E)
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles of auditing . 1
5 Managing an audit programme . 1
5.1 General . 1
5.1.1 IS 5.1 General . 2
5.2 Establishing the audit programme objectives . 2
5.2.1 IS 5.2 Establishing the audit programme objectives . 2
5.3 Establishing the audit programme . 2
5.3.1 Role and responsibilities of the person managing the audit programme . 2
5.3.2 Competence of the person managing the audit programme . 2
5.3.3 Determining the extent of the audit programme . 2
5.3.4 Identifying and evaluating audit programme risks . 3
5.3.5 Establishing procedures for the audit programme . 3
5.3.6 Identifying audit programme resources . 3
5.4 Implementing the audit programme . 3
5.4.1 General . 3
5.4.2 Defining the objectives, scope and criteria for an individual audit . 3
5.4.3 Selecting the audit methods . 4
5.4.4 Selecting the audit team members . 4
5.4.5 Assigning responsibility for an individual audit to the audit team leader . 5
5.4.6 Managing the audit programme outcome . 5
5.4.7 Managing and maintaining audit programme records . 5
5.5 Monitoring the audit programme . 5
5.6 Reviewing and improving the audit programme . 5
6 Performing an audit . 5
6.1 General . 5
6.2 Initiating the audit . 5
6.2.1 General . 5
6.2.2 Establishing initial contact with the auditee . 5
6.2.3 Determining the feasibility of the audit . 5
6.3 Preparing audit activities . 6
6.3.1 Performing document review in preparation for the audit . 6
6.3.2 Preparing the audit plan . 6
6.3.3 Assigning work to the audit team . 6
6.3.4 Preparing work documents . 6
6.4 Conducting the audit activities . 6
6.4.1 General . 6
6.4.2 Conducting the opening meeting . 6
6.4.3 Performing document review while conducting the audit . 6
6.4.4 Communicating during the audit . 6
6.4.5 Assigning roles and responsibilities of guides and observers . 6
6.4.6 Collecting and verifying information . 6
6.4.7 Generating audit findings . 7
6.4.8 Preparing audit conclusions . 7
6.4.9 Conducting the closing meeting . 7
6.5 Preparing and distributing the audit report . 7
6.5.1 Preparing the audit report . 7
6.5.2 Distributing the audit report . 7
6.6 Completing the audit . 7
6.7 Conducting audit follow-up . 7
7 Competence and evaluation of auditors . 7
7.1 General . 7
7.2 Determining auditor competence to fulfil the needs of the audit programme . 7
7.2.1 General . 7
7.2.2 Personal behaviour . 8
7.2.3 Knowledge and skills . 8
7.2.4 Achieving auditor competence . 9
7.2.5 Audit team leader . 9
7.3 Establishing the auditor evaluation criteria . 9
7.4 Selecting the appropriate auditor evaluation method . 9
7.5 Conducting auditor evaluation . 9
7.6 Maintaining and improving auditor competence . 9
Annex A (informative) Practice Guidance for ISMS Auditing . 10
Bibliography . 27
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27007 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
Introduction
This International Standard provides guidance on the management of an information security management
system (ISMS) audit programme and the conduct of the internal or external audits in accordance with
ISO/IEC 27001:2005, as well as guidance on the competence and evaluation of ISMS auditors, which should
be used in conjunction with the guidance contained in ISO 19011. This International Standard does not state
requirements.
This guidance is intended for all users, including small and medium sized organizations.
ISO 19011, Guidelines for auditing management systems provides guidance on the management of audit
programmes, the conduct of internal or external audits of management systems, as well as on the
competence and evaluation of management system auditors.
The text in this International Standard follows the structure of ISO 19011, and the additional ISMS-specific
guidance on the application of ISO 19011 for ISMS audits is identified by the letters “IS”.
INTERNATIONAL STANDARD ISO/IEC 27007:2011(E)
Information technology — Security techniques — Guidelines for
information security management systems auditing
1 Scope
This International Standard provides guidance on managing an information security management system
(ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to
the guidance contained in ISO 19011.
This International Standard is applicable to those needing to understand or conduct internal or external audits of an
ISMS or to manage an ISMS audit programme.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 19011:2011, Guidelines for auditing management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/IEC 27000 apply.
4 Principles of auditing
The principles of auditing from ISO 19011:2011, Clause 4 apply.
5 Managing an audit programme
5.1 General
The guidelines from ISO 19011:2011, Clause 5.1, apply. In addition, the following ISMS-specific guidance
applies.
5.1.1 IS 5.1 General 1)
The ISMS audit programme should be developed based on the auditee’s information security risk situation.
5.2 Establishing the audit programme objectives
The guidelines from ISO 19011:2011, Clause 5.2, apply. In addition, the following ISMS-specific guidance
applies.
5.2.1 IS 5.2 Establishing the audit programme objectives
Objectives for audit programme(s) should be established to direct the planning and conduct of audits and to
ensure that the audit programme is implemented effectively. These objectives can be dependent on:
a) identified information security requirements;
b) requirements from ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security failures, incidents
and effectiveness measurements; and
d) information security risks to the organization being audited.
Examples of audit programme objectives may include the following:
1) verification of conformity with the identified legal and contractual requirements and other requirements and
their security implications; and
2) obtaining and maintaining confidence in the risk management capability of an auditee.
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.1, apply.
5.3.2 Competence of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.2, apply.
5.3.3 Determining the extent of the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.3, apply. In addition, the following ISMS-specific guidance
applies.
5.3.3.1 IS 5.3.3 Determining the extent of the audit programme
The extent of an audit programme can vary. Factors that can influence the extent of the audit programme are:
a) the size of the ISMS, including
1. the total number of personnel working at each location and relationships with third-party
contractors working regularly at the location to be audited;
2. the number of information systems;
3. the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities);
c) the significance of the information security risks identified for the ISMS;
d) the importance of information and related assets within the scope of the ISMS;
e) the complexity of the information systems to be audited on site, including complexity of information
technology deployed;
f) whether there are many similar sites; and
g) the variations in ISMS complexity across the sites in scope.
1) For the purpose of this document, whenever the term “audit” is used this refers to ISMS audits.
Consideration should be given in the audit programme to setting priorities based on information security risks
and business requirements in respect of the ISMS areas that warrant more detailed examination.
Further information about multi-site sampling can be found in ISO/IEC 27006:2007 and IAF MD 1:2007 (see
Bibliography), noting that the information in these documents relates only to certification audits.
5.3.4 Identifying and evaluating audit programme risks
The guidelines from ISO 19011:2011, Clause 5.3.4, apply.
5.3.5 Establishing procedures for the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.5, apply.
5.3.6 Identifying audit programme resources
The guidelines from ISO 19011:2011, Clause 5.3.6, apply. In addition, the following ISMS-specific guidance
applies.
5.3.6.1 IS 5.3.6 Identifying audit programme resources
In particular, for all significant risks applicable to the auditee, auditors should be allocated sufficient time to
verify the effectiveness of the corresponding risk mitigation action.
5.4 Implementing the audit programme
5.4.1 General
The guidelines from ISO 19011:2011, Clause 5.4.1, apply. In addition, the following ISMS-specific guidance
applies.
5.4.1.1 IS 5.4.1 General
Where applicable, confidentiality requirements of auditees and other relevant parties, including possible legal
and contractual requirements, should be addressed in the implementation of an audit programme.
5.4.2 Defining the objectives, scope and criteria for an individual audit
The guidelines from ISO 19011:2011, Clause 5.4.2, apply. In addition, the following ISMS-specific guidance
applies.
5.4.2.1 IS 5.4.2 Defining the objectives, scope and criteria for an individual audit
The audit scope should reflect the auditee’s information security risks, relevant business requirements and
business risks.
The audit objectives may in addition include the following:
a) evaluation of whether the ISMS adequately identifies and addresses information security requirements;
b) evaluation of the continual suitability of the ISMS objectives defined by management; and
c) evaluation of the processes for the maintenance and effective improvement of the ISMS.
Practical help — Examples of audit criteria
The following are topics for consideration as audit criteria:
1) the auditee's information security risk assessment methodology and risk assessment and treatment
results, and that these address all relevant requirements;
2) the version of the Statement of Applicability, and its relation to the results of the risk assessment;
3) the effective implementation of controls to reduce risks;
4) measurement of the effectiveness of the implemented controls, and that these measurements have been
applied as defined to measure control effectiveness (see ISO/IEC 27004);
5) activities to monitor and review the ISMS processes and controls;
6) internal ISMS audits and management reviews and the organization’s corrective actions;
7) information about the adequacy of and compliance with the objectives, policies, and procedures adopted
by the auditee; and
8) compliance with specific legal and contractual requirements and other requirements relevant to the
auditee, and their information security implications.
The audit team should ensure that the scope and boundaries of the ISMS of the auditee are clearly defined in
terms of the characteristics of the business, the organization, its location, assets and technology, including
details and justification of any exclusion from the scope. The audit team should confirm that the auditee
addresses the requirements stated in Clause 1.2 of ISO/IEC 27001:2005 within the scope of the ISMS.
Auditors should therefore ensure that the auditee’s information security risk assessment and risk treatment
properly reflect its activities and extend to the boundaries of the scope. Auditors should confirm that this is
reflected in the Statement of Applicability.
Auditors should also ensure that interfaces with services or activities that are not completely within the scope
of the ISMS are addressed within the ISMS and are included in the auditee's information security risk
assessment. An example of such a situation is the sharing of facilities (e.g. IT systems, databases and
telecommunication systems) with other organizations.
5.4.3 Selecting the audit methods
The guidelines from ISO 19011:2011, Clause 5.4.3, apply. In addition, the following ISMS-specific guidance
applies.
5.4.3.1 IS 5.4.3 Selecting the audit methods
If a joint audit is conducted, particular attention should be paid to the disclosure of information during the audit.
Agreement on this should be reached with all interested parties before the audit commences.
5.4.4 Selecting the audit team members
The guidelines from ISO 19011:2011, Clause 5.4.4, apply. In addition, the following ISMS-specific guidance
applies.
5.4.4.1 IS 5.4.4 Selecting the audit team members
The competence of the overall audit team should include:
a) adequate knowledge and understanding of information security risk management, sufficient to evaluate
the methods used by the auditee; and
b) adequate knowledge and understanding of information security and information security management
sufficient to evaluate control selection, and planning, implementation, maintenance and effectiveness of
the ISMS.
Where necessary, care should be taken that the auditors have obtained the necessary clearance to access
audit evidence.
5.4.5 Assigning responsibility for an individual audit to the audit team leader
The guidelines from ISO 19011:2011, Clause 5.4.5, apply.
5.4.6 Managing the audit programme outcome
The guidelines from ISO 19011:2011, Clause 5.4.6, apply.
5.4.7 Managing and maintaining audit programme records
The guidelines from ISO 19011:2011, Clause 5.4.7, apply.
5.5 Monitoring the audit programme
The guidelines from ISO 19011:2011, Clause 5.5 apply.
5.6 Reviewing and improving the audit programme
The guidelines from ISO 19011:2011, Clause 5.6 apply.
6 Performing an audit
6.1 General
The guidelines from ISO 19011:2011, Clause 6.1 apply.
6.2 Initiating the audit
6.2.1 General
The guidelines from ISO 19011:2011, Clause 6.2.1, apply.
6.2.2 Establishing initial contact with the auditee
The guidelines from ISO 19011:2011, Clause 6.2.2, apply.
6.2.3 Determining the feasibility of the audit
The guidelines from ISO 19011:2011, Clause 6.2.3, apply. In addition, the following ISMS-specific guidance
applies.
6.2.3.1 IS 6.2.3 Determining the feasibility of the audit
Before the audit commences, the auditee should be asked whether any ISMS records are unavailable for
review by the audit team, e.g. because they contain confidential or sensitive information. The person
responsible for managing the audit programme should determine whether the ISMS can be adequately
audited in the absence of these records. If the conclusion is that it is not possible to adequately audit the ISMS
without reviewing the identified records, the person should advise the auditee that the audit cannot take place
until appropriate access arrangements are granted and an alternative could be proposed to or by the auditee.
6.3 Preparing audit activities
6.3.1 Performing document review in preparation for the audit
The guidelines from ISO 19011:2011, Clause 6.3.1, apply.
6.3.2 Preparing the audit plan
The guidelines from ISO 19011:2011, Clause 6.3.2, apply.
6.3.3 Assigning work to the audit team
The guidelines from ISO 19011:2011, Clause 6.3.3, apply.
6.3.4 Preparing work documents
The guidelines from ISO 19011:2011, Clause 6.3.4, apply.
6.4 Conducting the audit activities
6.4.1 General
The guidelines from ISO 19011:2011, Clause 6.4.1, apply.
6.4.2 Conducting the opening meeting
The guidelines from ISO 19011:2011, Clause 6.4.2, apply.
6.4.3 Performing document review while conducting the audit
The guidelines from ISO 19011:2011, Clause 6.4.3 apply. In addition, the following ISMS-specific guidance
applies.
6.4.3.1 IS 6.4.3 Performing document review while conducting the audit
Auditors should check that documents required by ISO/IEC 27001 exist and conform to its requirements.
Auditors should confirm that the selected controls are related to the results of the risk assessment and risk
treatment process, and can subsequently be traced back to the ISMS policy and objectives.
NOTE Annex A of this standard provides guidance on how to audit the ISMS processes and ISMS documentation.
6.4.4 Communicating during the audit
The guidelines from ISO 19011:2011, Clause 6.4.4, apply.
6.4.5 Assigning roles and responsibilities of guides and observers
The guidelines from ISO 19011:2011, Clause 6.4.5, apply.
6.4.6 Collecting and verifying information
The guidelines from ISO 19011:2011, Clause 6.4.6, apply. In addition, the following ISMS-specific guidance
applies.
6.4.6.1 IS 6.4.6 Collecting and verifying information
Gathering information and evidence that ISMS processes and controls are implemented and effective is an
important part of ISMS auditing. Possible methods to collect relevant information during the audit include:
a) review of information assets and the ISMS processes and controls implemented for them; and
b) use of automated audit tools.
NOTE Annex A of this standard provides guidance on how to audit the ISMS processes.
ISMS auditors should ensure appropriate handling of all information received from auditees according to the
agreement between the auditee and the audit team.
6.4.7 Generating audit findings
The guidelines from ISO 19011:2011, Clause 6.4.7, apply.
6.4.8 Preparing audit conclusions
The guidelines from ISO 19011:2011, Clause 6.4.8, apply.
6.4.9 Conducting the closing meeting
The guidelines from ISO 19011:2011, Clause 6.4.9, apply.
6.5 Preparing and distributing the audit report
6.5.1 Preparing the audit report
The guidelines from ISO 19011:2011, Clause 6.5.1, apply.
6.5.2 Distributing the audit report
The guidelines from ISO 19011:2011, Clause 6.5.2, apply.
6.6 Completing the audit
The guidelines from ISO 19011:2011, Clause 6.6 apply.
6.7 Conducting audit follow-up
The guidelines from ISO 19011:2011, Clause 6.7 apply.
7 Competence and evaluation of auditors
7.1 General
The guidelines from ISO 19011:2011, Clause 7.1 apply.
7.2 Determining auditor competence to fulfil the needs of the audit programme
7.2.1 General
The guidelines from ISO 19011:2011, Clause 7.2.1 apply. In addition, the following ISMS-specific guidance
applies.
7.2.1.1 IS 7.2.1 General
In deciding the appropriate knowledge and skills, the following should be considered:
a) complexity of the ISMS (e.g. criticality of information systems, risk situation of the ISMS);
b) the type(s) of business performed within the scope of the ISMS;
c) extent and diversity of technology utilized in the implementation of the various components of the ISMS
(such as the implemented controls, documentation and/or process control, corrective/preventive action,
etc.);
d) number of sites;
e) previously demonstrated performance of the ISMS;
f) extent of outsourcing and third party arrangements used within the scope of the ISMS;
g) the standards, legal requirements and other requirements relevant to the audit programme.
7.2.2 Personal behaviour
The guidelines from ISO 19011:2011, Clause 7.2.2 apply.
7.2.3 Knowledge and skills
7.2.3.1 General
The guidelines from ISO 19011:2011, Clause 7.2.3.1, apply.
7.2.3.2 Generic knowledge and skills of management system auditors
The guidelines from ISO 19011:2011, Clause 7.2.3.2, apply.
7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
The guidelines from ISO 19011:2011, Clause 7.2.3.3, apply. In addition, the following ISMS-specific guidance
applies.
7.2.3.3.1 IS 7.2.3.3 Discipline and sector specific knowledge and skills of management system auditors
ISMS auditors should have knowledge and skills in the following areas:
a) Information security management methods: to enable the auditor to examine ISMS and generate
the appropriate audit findings and recommendations. Knowledge and skills in this area should
include:
1) information security terminology;
2) information security management principles and their application; and
3) information security risk management methods and their application.
b) General knowledge in information technology and information security techniques, as applicable
(for example, physical and logical access control techniques; protection against malicious
software; vulnerability management techniques, etc.), or access thereto.
c) Current information security threats, vulnerabilities and controls, plus the broader organizational,
legal and contractual context for the ISMS (e.g. changing business processes and relationships,
technology or laws).
If additional specific knowledge and/or skills are required, the use of information security experts (e.g. with
sector specific competence, competence in IT Security or business continuity management) should be
considered. If experts are used, their competence should be carefully evaluated.
NOTE Specific requirements for ISMS certification auditors are given in ISO/IEC 27006.
7.2.3.4 Generic knowledge and skills of an audit team leader
The guidelines from ISO 19011:2011, Clause 7.2.3.4, apply.
7.2.3.5 Knowledge and skills for auditing management systems addressing multiple disciplines
The guidelines from ISO 19011:2011, Clause 7.2.3.5, apply.
7.2.4 Achieving auditor competence
The guidelines from ISO 19011:2011, Clause 7.2.4, apply. In addition, the following ISMS-specific guidance
applies.
7.2.4.1 IS 7.2.4 Achieving auditor competence
ISMS auditors should have knowledge and skills in information technology and information security,
demonstrated for example through relevant certifications, and should also be able to understand the
respective business requirements. ISMS auditors' work experience should also contribute to the development
of their knowledge and skills in the ISMS field.
7.2.5 Audit team leader
The guidelines from ISO 19011:2011, Clause 7.2.5, apply.
7.3 Establishing the auditor evaluation criteria
The guidelines from ISO 19011:2011, Clause 7.3, apply.
7.4 Selecting the appropriate auditor evaluation method
The guidelines from ISO 19011:2011, Clause 7.4, apply.
7.5 Conducting auditor evaluation
The guidelines from ISO 19011:2011, Clause 7.5, apply.
7.6 Maintaining and improving auditor competence
The guidelines from ISO 19011:2011, Clause 7.6, apply.
Annex A
(informative)
Practice Guidance for ISMS Auditing
The text below provides generic guidance on how to audit the ISMS processes, as required by ISO/IEC 27001,
without regard to any specific ISMS requirements that an individual organization might have (for example,
legal and contractual requirements and other requirements relevant to the implementation of particular
information security controls).
This guidance is primarily intended to be referenced and used by auditors who will perform ISMS auditing, be
they internal or external.
Optional additional standards can be used to guide the auditee or auditor. These are listed as “Relevant
Standards” in the tables below. Auditors are reminded to base nonconformities solely on the audit criteria and
the requirements of ISO/IEC 27001.
Table A.1 — ISMS audit practice guidance
A.1 ISMS scope, policy and risk assessment approach (ISO/IEC 27001 4.1 & 4.2.1 a) to c)) 2)
Audit criteria: ISO/IEC 27001 4.1, 4.2.1 a), b) and c)
Relevant standards:
- ISO/IEC 17021 9.2.1 a) to d)
- ISO/IEC 27005 3.1 to 3.9 (ISO/IEC Guide 73)
- ISO/IEC 27005 7.1, 7.2, 7.3 and 7.4
- ISO/IEC 27006 3.1, 3.5, 9.1.2 and 9.1.4.2 b) to d)
Audit evidence: Audit evidence includes:
- Scope of the ISMS (4.3.1 b));
- Organization chart;
- Organization strategy;
- Business policy statement, business processes and activities;
- Documentation of roles and responsibilities;
- Network configuration;
- Sites information, including a list of branches, business, offices and facilities, and their floor layouts;
- Interfaces and dependencies that the business activities carried out in the scope of the ISMS have with those outside the scope;
- Relevant laws, regulations and contracts;
- Primary assets information;
- ISMS policy document.
Audit practice guide:
Information security management system (4)
General requirements (4.1)
“4.1 General requirements” in ISO/IEC 27001 specifies the overall context of an ISMS as
required by ISO/IEC 27001, which covers all the requirements stated in the clauses
subsequent to 4.1. In auditing practice, an ISMS has to be confirmed as being:
- organized and performed within the context of the organization’s overall business activities and the risks it faces;
- documented to satisfy the documentation requirements (stated in 4.3).
2) Undated references refer to the version of the standard cited in Normative References or Bibliography.
In addition, it should be demonstrated that the ISMS has been established, implemented,
operated, monitored, reviewed, maintained and improved, i.e. the organization
demonstrates that it has the capability of carrying out these processes.
Establishing and managing the ISMS (4.2)
Establish the ISMS (4.2.1)
ISMS scope (4.2.1 a))
The auditor should review and confirm that the organization has defined the scope and
boundaries of the ISMS.
The scope of the ISMS needs to be identified to ensure that all relevant assets are taken
into account in the ISMS and its risk management. In addition, the boundaries, interfaces
and dependencies need to be identified to address those risks that might arise through
them.
It should be confirmed that information about the organization has been collected to
determine the context within which the organization operates and how the organization
has been related to the ISMS and its information security risk management processes, in
order to define the scope and boundaries.
The auditor should confirm that the organization has considered the following information
in order to define the scope and boundaries:
- organization's strategies, business objectives and policies;
- business processes;
- organization’s functions and structure;
- legal and contractual requirements and other requirements relevant to the organization;
- primary information assets;
- locations of the organization and their geographical characteristics;
- constraints affecting the organization;
- expectation of stakeholders;
- socio-cultural environment; and
- interfaces (i.e. information exchange with the environment).
It should be reviewed and verified that the organization provides justification for any
exclusion from the scope. It should be confirmed that the organization has its own
functions and administration and is able to ensure that the ISMS is exercised continually
all through its life cycle (ISO/IEC 27001 Section 4.1 and ISO/IEC 27006 Section 3.5).
Further guidance on how to audit the ISMS scope is given in Section 6.2.3.
ISMS policy (4.2.1 b))
The auditor should confirm that the organization’s ISMS policy is specifically described in
terms of the characteristics of the business, the organization, its location, assets and
technology. The auditor should also confirm that the ISMS policy clearly identifies:
- a framework for setting ISMS objectives (the background to and rationale for setting the objectives, and, if the ISMS policy and information security policies are described in one document, the objectives themselves), as well as direction and principles for action from the management viewpoint;
- necessary business requirements, legal and contractual requirements and other requirements relevant to the auditee;
- the position of information security risk management within, and its interface with, the organization’s overall risk management, including CSR, internal governance, financial control and safety, etc.;
- the rationale for managing risks, such as which primary assets should be considered important to protect and which aspects of information security (confidentiality, integrity or availability) should be evaluated most seriously when the ISMS risk assessment is conducted; and
- approval and commitment of the top management.
Auditing the ISMS policy can be done by:
- confirming that the ISMS policy is produced as a document which includes signatures or seals indicating that the top management has established the policy;
- confirming through the relevant documents that procedures on establishing the policy (e.g. how the policy is authorized or reviewed within the organization) and rules for the procedures are defined, the rules are documented, and the methods for controlling the documents are specified;
- interviewing management to understand their approach and commitment to the organization’s ISMS;
- evaluating, through the minutes and records of management review, the commitment and involvement of management in implementation, maintenance and improvement of the ISMS policy;
- assessing whether management has effectively communicated the ISMS policy, e.g. by focusing it on specific audiences, at all levels of the organization;
- conducting interviews with personnel in the ISMS scope to verify if they are aware of the importance of meeting information security objectives, conforming to the information security policy, and their information security responsibilities; and
- considering the information security policy (if available) and its relation to the ISMS policy.
Auditing ISMS objectives can be done by verifying that:
- the organization’s ISMS objectives have been defined, reflected in the ISMS policy, and aligned with the overall business objectives;
- ISMS controls and processes are identified and documented to meet the ISMS objectives;
- the objectives are adequately documented;
- ISMS objectives are suitably communicated to all levels of the organization; and
- the organization has assigned responsible personnel as resources required to achieve the objectives.
It is recommended that the auditor examine the documented ISMS policy and
objectives in the document review stage of the audit.
The ISMS policy and objectives are required to be reviewed and updated in response to
changes in the risk management context. The auditor should confirm that continual
improvements have been performed in relation to the business environment context.
The auditor should keep in mind that conformity to the ISMS policy and fulfilment of
objectives can be measured in a quantitative or qualitative manner.
Risk assessment approach (4.2.1 c))
ISO/IEC 27001 requires that organizations define a risk assessment approach and
Clauses 4.2.1 d) to f) specify elements of this approach. ISO/IEC 27001 does not state
which risk assessment approach should be employed and any approach is acceptable as
long as it meets the requirements in ISO/IEC 27001.
The auditor should verify that the risk assessment approach conforms to the requirements
for risk assessment in ISO/IEC 27001 and is suitable for the organization and the overall
risk management in place.
It should be confirmed that the risk assessment approach is implemented to identify risks
in the business processes and activities and to take appropriate actions against those risks.
ISO/IEC 27005 provides guidance on risk assessment and risk management. The auditor
should be aware that there are quantitative and qualitative methods, or any combination of
the two, for risk assessment, and that it is up to the organization to decide which approach
to use.
The processes and
...