SIST EN ISO/IEC 27007:2022
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
Information technology - Security techniques - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
In addition to the guidance contained in ISO 19011, this document provides guidance on managing an audit programme for information security management systems (ISMS), on conducting audits, and on the competence of ISMS auditors.
This document is applicable to all who need to understand or conduct internal or external audits of an ISMS, or who need to manage an ISMS audit programme.
Information security, cybersecurity and privacy protection - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
This document provides recommendations on the audit programme for information security management systems (ISMS), on conducting audits, and on the competence of ISMS auditors, in addition to the recommendations of ISO 19011.
This document is intended for those who need to understand or carry out internal or external audits of an ISMS, or to manage an ISMS audit programme.
Information security, cybersecurity and privacy protection - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
ISO/IEC 27007 provides guidelines for managing an information security management system (ISMS) audit programme, for conducting audits and for determining the competence of ISMS auditors, which apply in addition to the guidelines of ISO 19011:2011.
ISO/IEC 27007 applies to those who need to understand or conduct internal or external audits of information security management systems, or to manage an ISMS audit programme.
General Information
Overview
EN ISO/IEC 27007:2022 - identical to ISO/IEC 27007:2020 - provides guidance for auditing an Information Security Management System (ISMS). It covers how to manage an ISMS audit programme, how to plan and conduct internal and external audits, and how to assess and maintain the competence of ISMS auditors. This standard complements the general auditing guidance in ISO 19011 and is intended for organizations involved in information security, cybersecurity and privacy protection.
Key topics
The standard addresses auditing from programme design through follow-up. Major technical topics include:
- Principles of auditing and how they apply to ISMS audits
- Managing an audit programme:
  - Establishing objectives and scope
  - Evaluating audit programme risks and opportunities
  - Resourcing, roles and responsibilities for programme managers
  - Monitoring, reviewing and improving the programme
- Conducting audits:
  - Initiation and feasibility assessment
  - Preparation: documentation review, audit planning and team assignment
  - On-site activities: information collection, verification, communication, opening/closing meetings
  - Generating findings, reaching conclusions, reporting and follow-up
- Auditor competence and evaluation:
  - Personal behaviour, knowledge and skills for auditors and audit team leaders
  - Methods for determining, maintaining and improving competence
- Annex A: informative guidance for ISMS auditing practice
Practical applications
EN ISO/IEC 27007:2022 is practical guidance for organizations and individuals who need to implement or improve ISMS audit activities:
- Internal auditors and audit teams conducting ISMS internal audits
- External auditors and certification bodies performing conformity assessments
- Audit programme managers who design and operate an audit schedule and processes
- Security managers, compliance officers and consultants seeking best-practice audit methods for information security, cybersecurity and privacy protection
- Organizations preparing for ISMS certification or continuous improvement of their information security controls
Benefits include more consistent, effective ISMS audits, better evidence-based findings, and improved auditor competence - supporting stronger cybersecurity and privacy risk management.
Related standards
- ISO 19011 - guidance on auditing management systems (general auditing principles and programme management)
- Commonly used alongside ISO/IEC 27001 (ISMS requirements) when planning certification or compliance activities
Keywords: EN ISO/IEC 27007:2022, ISO/IEC 27007, ISMS auditing, information security audit, cybersecurity audit, auditor competence, audit programme, ISO 19011.
Standards Content (Sample)
SLOVENIAN STANDARD
1 April 2022
Slovenian title: Information security, cybersecurity and privacy protection - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
English title: Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
German title: Information technology - Security techniques - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
French title: Information security, cybersecurity and privacy protection - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
This Slovenian standard is identical to: EN ISO/IEC 27007:2022
ICS:
03.100.70 Management systems
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD EN ISO/IEC 27007
January 2022
ICS 03.120.20; 35.030
English version
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
French title: Information security, cybersecurity and privacy protection - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
German title: Information technology - Security techniques - Guidelines for auditing information security management systems (ISO/IEC 27007:2020)
This European Standard was approved by CEN on 26 December 2021.
This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 26 January 2022.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27007:2022 E
Contents
European foreword (p. 3)
European foreword
The text of ISO/IEC 27007:2020 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by July 2022, and conflicting national standards shall be
withdrawn at the latest by July 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27007:2020 has been approved by CEN-CENELEC as EN ISO/IEC 27007:2022
without any modification.
INTERNATIONAL STANDARD ISO/IEC 27007
Third edition
2020-01
Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
French title: Information security, cybersecurity and privacy protection — Guidelines for auditing information security management systems
Reference number ISO/IEC 27007:2020(E)
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword (p. v)
Introduction (p. vi)
1 Scope (p. 1)
2 Normative references (p. 1)
3 Terms and definitions (p. 1)
4 Principles of auditing (p. 1)
5 Managing an audit programme (p. 1)
5.1 General (p. 1)
5.2 Establishing audit programme objectives (p. 1)
5.3 Determining and evaluating audit programme risks and opportunities (p. 2)
5.4 Establishing audit programme (p. 2)
5.4.1 Roles and responsibilities of the individual(s) managing audit programme (p. 2)
5.4.2 Competence of individual(s) managing audit programme (p. 2)
5.4.3 Establishing extent of the audit programme (p. 2)
5.4.4 Determining audit programme resources (p. 3)
5.5 Implementing audit programme (p. 3)
5.5.1 General (p. 3)
5.5.2 Defining the objectives, scope and criteria for an individual audit (p. 3)
5.5.3 Selecting and determining audit methods (p. 4)
5.5.4 Selecting audit team members (p. 4)
5.5.5 Assigning responsibility for an individual audit to the audit team leader (p. 4)
5.5.6 Managing audit programme results (p. 4)
5.5.7 Managing and maintaining audit programme records (p. 4)
5.6 Monitoring audit programme (p. 5)
5.7 Reviewing and improving audit programme (p. 5)
6 Conducting an audit (p. 5)
6.1 General (p. 5)
6.2 Initiating audit (p. 5)
6.2.1 General (p. 5)
6.2.2 Establishing contact with auditee (p. 5)
6.2.3 Determining feasibility of audit (p. 5)
6.3 Preparing audit activities (p. 5)
6.3.1 Performing review of documented information (p. 5)
6.3.2 Audit planning (p. 5)
6.3.3 Assigning work to audit team (p. 6)
6.3.4 Preparing documented information for audit (p. 6)
6.4 Conducting audit activities (p. 6)
6.4.1 General (p. 6)
6.4.2 Assigning roles and responsibilities of guides and observers (p. 6)
6.4.3 Conducting opening meeting (p. 6)
6.4.4 Communicating during audit (p. 6)
6.4.5 Audit information availability and access (p. 6)
6.4.6 Reviewing document information while conducting audit (p. 6)
6.4.7 Collecting and verifying information (p. 7)
6.4.8 Generating audit findings (p. 7)
6.4.9 Determining audit conclusions (p. 7)
6.4.10 Conducting closing meeting (p. 7)
6.5 Preparing and distributing audit report (p. 7)
6.5.1 Preparing audit report (p. 7)
6.5.2 Distributing audit report (p. 7)
6.6 Completing audit (p. 7)
6.7 Conducting audit follow-up (p. 7)
7 Competence and evaluation of auditors (p. 8)
7.1 General (p. 8)
7.2 Determining auditor competence (p. 8)
7.2.1 General (p. 8)
7.2.2 Personal behaviour (p. 8)
7.2.3 Knowledge and skills (p. 8)
7.2.4 Achieving auditor competence (p. 9)
7.2.5 Achieving audit team leader competence (p. 9)
7.3 Establishing auditor evaluation criteria (p. 9)
7.4 Selecting appropriate auditor evaluation method (p. 9)
7.5 Conducting auditor evaluation (p. 9)
7.6 Maintaining and improving auditor competence (p. 9)
Annex A (informative) Guidance for ISMS auditing practice (p. 10)
Bibliography (p. 39)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This third edition cancels and replaces the second edition (ISO/IEC 27007:2017), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the document has been aligned with ISO 19011:2018;
— the Introduction has been reworded and expanded;
— in 5.1, the entire text has been removed;
— in 5.2.2, the former item d) has been removed;
— in 5.3, the entire text has been removed;
— in 5.5.2.2, the former item b) and a paragraph below has been removed;
— in 6.5.2.2, the first paragraph has been removed and the NOTE reworded.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
An information security management system (ISMS) audit can be conducted against a range of audit
criteria, separately or in combination, including but not limited to:
— requirements defined in ISO/IEC 27001:2013;
— policies and requirements specified by relevant interested parties;
— statutory and regulatory requirements;
— ISMS processes and controls defined by the organization or other parties;
— management system plan(s) relating to the provision of specific outputs of an ISMS (e.g. plans to
address risks and opportunities when establishing ISMS, plans to achieve information security
objectives, risk treatment plans, project plans).
This document provides guidance for all sizes and types of organizations and ISMS audits of varying
scopes and scales, including those conducted by large audit teams, typically of larger organizations, and
those by single auditors, whether in large or small organizations. This guidance should be adapted as
appropriate to the scope, complexity and scale of the ISMS audit programme.
This document concentrates on ISMS internal audits (first party) and ISMS audits conducted by
organizations on their external providers and other external interested parties (second party). This
document can also be useful for ISMS external audits conducted for purposes other than third party
management system certification. ISO/IEC 27006 provides requirements for auditing ISMS for third
party certification; this document can provide useful additional guidance.
This document is to be used in conjunction with the guidance contained in ISO 19011:2018.
This document follows the structure of ISO 19011:2018.
ISO 19011:2018 provides guidance on the management of audit programmes, the conduct of internal or
external audits of management systems, as well as on the competence and evaluation of management
system auditors.
Annex A provides guidance for ISMS auditing practices along with requirements of ISO/IEC 27001:2013,
Clauses 4 to 10.
INTERNATIONAL STANDARD ISO/IEC 27007:2020(E)
Information security, cybersecurity and privacy
protection — Guidelines for information security
management systems auditing
1 Scope
This document provides guidance on managing an information security management system (ISMS)
audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the
guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an
ISMS or to manage an ISMS audit programme.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19011:2018, Guidelines for auditing management systems
ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/IEC 27000 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Principles of auditing
The principles of auditing of ISO 19011:2018, Clause 4, apply.
5 Managing an audit programme
5.1 General
The guidelines of ISO 19011:2018, 5.1, apply.
5.2 Establishing audit programme objectives
5.2.1 The guidelines of ISO 19011:2018, 5.2, apply. In addition, the guidance in 5.2.2 applies.
5.2.2 ISMS-specific considerations for determining audit programme objectives can include:
a) identified information security requirements;
b) requirements of ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security events and
incidents and effectiveness of the ISMS;
NOTE Further information about performance monitoring, measurement, analysis and evaluation can
be found in ISO/IEC 27004.
d) information security risks to the relevant parties, i.e. the auditee and audit client.
Examples of ISMS-specific audit programme objectives include:
— demonstrate conformity with all relevant legal and contractual requirements and other requirements
and their security implications;
— obtain and maintain confidence in the risk management capability of the auditee;
— evaluate the effectiveness of the actions to address information security risks and opportunities.
5.3 Determining and evaluating audit programme risks and opportunities
5.3.1 The guidelines of ISO 19011:2018, 5.3, apply.
5.3.2 Measures to ensure information security and confidentiality should be determined considering
auditees and other relevant party requirements. Other party requirements can include relevant legal and
contractual requirements.
5.4 Establishing audit programme
5.4.1 Roles and responsibilities of the individual(s) managing audit programme
The guidelines of ISO 19011:2018, 5.4.1, apply. In addition, the guidance in 5.4.1.2 applies.
5.4.2 Competence of individual(s) managing audit programme
The guidelines of ISO 19011:2018, 5.4.2, apply.
5.4.3 Establishing extent of the audit programme
5.4.3.1 The guidelines of ISO 19011:2018, 5.4.3, apply. In addition, the guidance in 5.4.3.2 applies.
5.4.3.2 The extent of an audit programme can include the following:
a) the size of the ISMS, including:
1) the total number of persons doing work under the organization's control and relationships
with interested parties and contractors that are relevant to the ISMS;
2) the number of information systems;
3) the number of sites covered by the ISMS;
1) For the purpose of this document, the term “audit” refers to ISMS audits.
b) the complexity of the ISMS (including the number and criticality of processes and activities) taking
into account differences between sites within the ISMS scope;
c) the significance of the information security risks identified for the ISMS in relation to the business;
d) the significance of the risks and opportunities determined when planning the ISMS;
e) the importance of preserving the confidentiality, integrity and availability of information within
the scope of the ISMS;
f) the complexity of the information systems to be audited, including complexity of information
technology deployed;
g) the number of similar sites.
Consideration should be given in the audit programme to setting priorities that warrant more detailed
examination based on the significance of information security risks and business requirements in
respect to the scope of the ISMS.
NOTE Further information about determining audit time can be found in ISO/IEC 27006. Further information on multi-site sampling can be found in ISO/IEC 27006 and mandatory document 1 from the International Accreditation Forum (IAF MD 1, see Reference [11]). The information contained in ISO/IEC 27006 and IAF MD 1 only relates to certification audits.
5.4.4 Determining audit programme resources
5.4.4.1 The guidelines of ISO 19011:2018, 5.4.4, apply. In addition, the guidance in 5.4.4.2 applies.
5.4.4.2 In particular, for all significant risks applicable to the auditee and relevant to the audit
programme objectives, ISMS auditors should be allocated sufficient time to review the effectiveness of
the actions to address information security risks and ISMS related risks and opportunities.
5.5 Implementing audit programme
5.5.1 General
The guidelines of ISO 19011:2018, 5.5.1, apply.
5.5.2 Defining the objectives, scope and criteria for an individual audit
5.5.2.1 The guidelines of ISO 19011:2018, 5.5.2, apply. In addition, the guidance in 5.5.2.2 applies.
5.5.2.2 The audit objectives may include the following:
a) evaluation of whether the ISMS adequately identifies and addresses information security
requirements;
b) determination of the extent of conformity of information security controls with the requirements
and procedures of the ISMS.
The audit scope should take into account information security risks and relevant risks and opportunities
affecting the ISMS of relevant parties, i.e. the audit client and the auditee.
The following topics may be considered as audit criteria and used as a reference against which
conformity is determined:
a) the information security policy, information security objectives, policies and procedures adopted
by the auditee;
b) contractual requirements and other requirements relevant to the auditee;
c) the auditee's information security risk criteria, information security risk assessment process and
risk treatment process;
d) the Statement of Applicability, the identification of any sector-specific or other necessary controls,
justification for inclusions, whether they are implemented or not and the justification for exclusions
of controls of ISO/IEC 27001:2013, Annex A;
e) the definition of controls to treat risks appropriately;
f) the methods and criteria for monitoring, measurement, analysis and evaluation of the information
security performance and the effectiveness of the ISMS;
g) information security requirements provided by a customer;
h) information security requirements applied by a supplier or outsourcer.
5.5.3 Selecting and determining audit methods
5.5.3.1 The guidelines of ISO 19011:2018, 5.5.3, apply. In addition, the guidance in 5.5.3.2 applies.
5.5.3.2 If a joint audit is conducted, particular attention should be paid to the disclosure of information
between the relevant parties. Agreement on this should be reached with all interested parties before the
audit commences.
5.5.4 Selecting audit team members
5.5.4.1 The guidelines of ISO 19011:2018, 5.5.4, apply. In addition, the guidance in 5.5.4.2 applies.
5.5.4.2 The competence of the overall audit team should include adequate knowledge and
understanding of:
a) information security risk management sufficient to evaluate the methods used by the auditee;
b) information security and information security management sufficient to evaluate control
determination, planning, implementation, maintenance and effectiveness of the ISMS.
5.5.5 Assigning responsibility for an individual audit to the audit team leader
The guidelines of ISO 19011:2018, 5.5.5, apply.
5.5.6 Managing audit programme results
The guidelines of ISO 19011:2018, 5.5.6, apply.
5.5.7 Managing and maintaining audit programme records
The guidelines of ISO 19011:2018, 5.5.7, apply.
5.6 Monitoring audit programme
The guidelines of ISO 19011:2018, 5.6, apply.
5.7 Reviewing and improving audit programme
The guidelines of ISO 19011:2018, 5.7, apply.
6 Conducting an audit
6.1 General
The guidelines of ISO 19011:2018, 6.1, apply.
6.2 Initiating audit
6.2.1 General
The guidelines of ISO 19011:2018, 6.2.1, apply.
6.2.2 Establishing contact with auditee
6.2.2.1 The guidelines of ISO 19011:2018, 6.2.2, apply. In addition, the guidance in 6.2.2.2 applies.
6.2.2.2 Where necessary, care should be taken to ensure that the auditors have obtained the necessary
security clearance to access documented information or other information required for audit activities
(including but not limited to confidential or sensitive information).
6.2.3 Determining feasibility of audit
6.2.3.1 The guidelines of ISO 19011:2018, 6.2.3, apply. In addition, the guidance in 6.2.3.2 applies.
6.2.3.2 Before the audit commences, the auditee should be asked whether any ISMS audit evidence
is unavailable for review by the audit team, e.g. because the evidence contains personally identifiable
information or other confidential/sensitive information. The person responsible for managing the audit
programme should determine whether the ISMS can be adequately audited in the absence of audit
evidence. If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the
identified audit evidence, the person responsible for managing the audit programme should advise the
auditee that the audit cannot take place until appropriate access arrangements are granted or alternative
means to achieve the audit have been proposed to or by the auditee. If the audit proceeds, the audit plan
should take into account any access limitations.
6.3 Preparing audit activities
6.3.1 Performing review of documented information
The guidelines of ISO 19011:2018, 6.3.1, apply.
6.3.2 Audit planning
6.3.2.1 The guidelines of ISO 19011:2018, 6.3.2, apply. In addition, the guidance in 6.3.2.2 applies.
6.3.2.2 The audit team leader should be aware that risks to the auditee can result from the presence of the audit team members. The audit team’s presence can influence information security and present a source of additional risk to the auditee’s information, e.g. confidential or sensitive records or system infrastructure (e.g. accidental erasure, unauthorized disclosure of information, unintended alteration of information).
6.3.3 Assigning work to audit team
The guidelines of ISO 19011:2018, 6.3.3, apply.
6.3.4 Preparing documented information for audit
6.3.4.1 The guidelines of ISO 19011:2018, 6.3.4, apply. In addition, the guidance in 6.3.4.2 applies.
6.3.4.2 The audit team leader should ensure all audit work documents are classified appropriately and
handled in accordance with that classification.
6.4 Conducting audit activities
6.4.1 General
The guidelines of ISO 19011:2018, 6.4.1, apply.
6.4.2 Assigning roles and responsibilities of guides and observers
The guidelines of ISO 19011:2018, 6.4.2, apply.
6.4.3 Conducting opening meeting
The guidelines of ISO 19011:2018, 6.4.3, apply.
6.4.4 Communicating during audit
The guidelines of ISO 19011:2018, 6.4.4, apply.
6.4.5 Audit information availability and access
6.4.5.1 The guidelines of ISO 19011:2018, 6.4.5, apply. In addition, the guidance in 6.4.5.2 applies.
6.4.5.2 If any audit evidence is not available to the audit team during the audit for reasons of
classification or sensitivity, the lead auditor should determine the extent to which this affects the
confidence in the audit findings and conclusion, and reflect on it in the audit report without compromising
the sensitivity of the evidence that was not available.
6.4.6 Reviewing document information while conducting audit
6.4.6.1 The guidelines of ISO 19011:2018, 6.4.6, apply. In addition, the guidance in 6.4.6.2 applies.
6.4.6.2 ISMS auditors should verify that documented information as required by the audit criteria and relevant to the audit scope exists and conforms to the audit criteria requirements.
ISMS auditors should confirm that the determined controls within the scope of the audit are related to the results of the risk assessment and risk treatment process, and can subsequently be traced back to the information security policy and objectives.
NOTE Annex A provides guidance for ISMS auditing practice, including how to audit the ISMS using relevant
documented information.
6.4.7 Collecting and verifying information
6.4.7.1 The guidelines of ISO 19011:2018, 6.4.7, apply. In addition, the guidance in 6.4.7.2 applies.
6.4.7.2 Possible methods to collect relevant information during the audit include:
a) review of documented information (including computer logs and configuration data);
b) visits to information processing facilities;
c) observation of ISMS processes and related controls;
d) use of automated audit tools.
NOTE 1 Annex A provides guidance on how to audit the ISMS processes.
NOTE 2 ISO/IEC TS 27008 provides additional guidance on how to assess information security controls.
ISMS audit team members should ensure appropriate handling of all information received from auditees
in accordance with the agreement among the audit client, audit team and the auditee.
6.4.8 Generating audit findings
The guidelines of ISO 19011:2018, 6.4.8, apply.
6.4.9 Determining audit conclusions
The guidelines of ISO 19011:2018, 6.4.9, apply.
6.4.10 Conducting closing meeting
The guidelines of ISO 19011:2018, 6.4.10, apply.
6.5 Preparing and distributing audit report
6.5.1 Preparing audit report
The guidelines of ISO 19011:2018, 6.5.1, apply.
6.5.2 Distributing audit report
6.5.2.1 The guidelines of ISO 19011:2018, 6.5.2, apply. In addition, the guidance in 6.5.2.2 applies.
6.5.2.2 NOTE When using electronic means for distribution of the audit report, appropriate encryption is a possible
measure to meet confidentiality requirements.
6.6 Completing audit
The guidelines of ISO 19011:2018, 6.6, apply.
6.7 Conducting audit follow-up
The guidelines of ISO 19011:2018, 6.7, apply.
7 Competence and evaluation of auditors
7.1 General
The guidelines of ISO 19011:2018, 7.1, apply.
7.2 Determining auditor competence
7.2.1 General
7.2.1.1 The guidelines of ISO 19011:2018, 7.2.1, apply. In addition, the guidance in 7.2.1.2 applies.
7.2.1.2 In deciding the appropriate knowledge and skills of an ISMS auditor, the following should be
taken into consideration:
a) complexity of the ISMS (e.g. criticality of information systems within the ISMS, risk assessment
results of the ISMS);
b) the type(s) of business performed within the ISMS scope;
c) extent and diversity of technology utilized in the implementation of the various components of
the ISMS (such as the implemented controls, documented information and/or process control,
technological platforms and solutions involved, etc.);
d) previously demonstrated performance of the ISMS;
e) extent of outsourcing and external party arrangements used within the ISMS scope;
f) the standards, legal requirements and other requirements relevant to the audit programme.
7.2.2 Personal behaviour
The guidelines of ISO 19011:2018, 7.2.2, apply.
7.2.3 Knowledge and skills
7.2.3.1 General
The guidelines of ISO 19011:2018, 7.2.3.1, apply.
7.2.3.2 Generic knowledge and skills of management system auditors
The guidelines of ISO 19011:2018, 7.2.3.2, apply.
7.2.3.3 Discipline and sector specific competence of auditors
7.2.3.3.1 The guidelines of ISO 19011:2018, 7.2.3.3, apply. In addition, the guidance in 7.2.3.3.2 applies.
7.2.3.3.2 ISMS auditors should also be able to understand the relevant business requirements.
7.2.3.4 Generic competence of audit team leader
The guidelines of ISO 19011:2018, 7.2.3.4, apply.
7.2.3.5 Knowledge and skills for auditing multiple disciplines
The guidelines of ISO 19011:2018, 7.2.3.5, apply.
7.2.4 Achieving auditor competence
7.2.4.1 The guidelines of ISO 19011:2018, 7.2.4, apply. In addition, the guidance in 7.2.4.2 applies.
7.2.4.2 ISMS auditors should have knowledge and skills in information technology and information
security, demonstrated for example through relevant certifications (e.g. accredited to ISO/IEC 17024).
Individual ISMS auditors' work experience should also contribute to the development of their knowledge
and skills in the ISMS field.
NOTE Further information about certification for ISMS auditors can be found in ISO/IEC 27006.
7.2.5 Achieving audit team leader competence
The guidelines of ISO 19011:2018, 7.2.5, apply.
7.3 Establishing auditor evaluation criteria
The guidelines of ISO 19011:2018, 7.3, apply.
7.4 Selecting appropriate auditor evaluation method
The guidelines of ISO 19011:2018, 7.4, apply.
7.5 Conducting auditor evaluation
The guidelines of ISO 19011:2018, 7.5, apply.
7.6 Maintaining and improving auditor competence
The guidelines of ISO 19011:2018, 7.6, apply.
Annex A
(informative)
Guidance for ISMS auditing practice
A.1 Overview
This annex provides generic guidance on how to audit an ISMS for which an organization claims
conformance to ISO/IEC 27001. Because this guidance is intended to apply to all such ISMS audits, irrespective
of the size or nature of the organization involved, it is generic. It is intended to be used by auditors
performing ISMS auditing, whether internal or external.
NOTE ISO/IEC 27003 gives guidance on implementing and operating an ISMS according to ISO/IEC 27001.
A.2 General
A.2.1 Audit objectives, scope, criteria and audit evidence
During audit activities, information relevant to the audit objectives, scope and criteria, including
information relating to interfaces between functions, activities and processes, should be obtained by
means of appropriate sampling and should be verified. Only information that is verifiable should be
accepted as audit evidence. Audit evidence leading to audit findings should be recorded.
Methods of obtaining information include the following:
— interviews;
— observations;
— review of documents, including records.
A.2.2 Strategy for auditing an ISMS
Some ISO/IEC 27001:2013 subclauses are closely linked and in practice are often best dealt with at the
same time when conducting the audit. See Table A.2 for examples.
Examples are ISO/IEC 27001:2013, 6.1.3 and 8.3, and 6.2, 5.1, 5.2, 5.3, 7.1, 7.4, 7.5, 9.1, 9.3 and 10.2; it
makes sense to audit these subclauses together with their linked and related subclauses.
ISO/IEC 27001:2013, 7.5, presents the requirements concerning documented information. As explained
in Table A.2, A.4.5, each time auditors examine an item of documented information, it offers the
opportunity to confirm conformity with the requirements of ISO/IEC 27001:2013, 7.5. The guidance on
how to do this is located in Table A.2, A.4.5. The requirements regarding documented information are
not repeated for each occurrence of "documented information" in the table.
A.2.3 Audit and documented information
Audit activities can involve documented information, namely:
a) req
...
SLOVENSKI STANDARD
01-april-2022
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Smernice za
presojanje sistemov upravljanja informacijske varnosti (ISO/IEC 27007:2020)
Information security, cybersecurity and privacy protection - Guidelines for information
security management systems auditing (ISO/IEC 27007:2020)
Informationstechnik - Sicherheitsverfahren - Leitfäden für das Auditieren von
Informationssicherheitsmanagementsystemen (ISO/IEC 27007:2020)
Sécurité de l'information, cybersécurité et protection des données privées - Lignes
directrices pour l'audit des systèmes de management de la sécurité de l'information
(ISO/IEC 27007:2020)
Ta slovenski standard je istoveten z: EN ISO/IEC 27007:2022
ICS:
03.100.70 Sistemi vodenja Management systems
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN ISO/IEC 27007
NORME EUROPÉENNE
EUROPÄISCHE NORM
January 2022
ICS 03.120.20; 35.030
English version
Information security, cybersecurity and privacy protection
- Guidelines for information security management systems
auditing (ISO/IEC 27007:2020)
Sécurité de l'information, cybersécurité et protection Informationstechnik - Sicherheitsverfahren - Leitfäden
des données privées - Lignes directrices pour l'audit für das Auditieren von
des systèmes de management de la sécurité de Informationssicherheitsmanagementsystemen
l'information (ISO/IEC 27007:2020) (ISO/IEC 27007:2020)
This European Standard was approved by CEN on 26 December 2021.
This European Standard was corrected and reissued by the CEN-CENELEC Management Centre on 26 January 2022.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27007:2022 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 27007:2020 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by July 2022, and conflicting national standards shall be
withdrawn at the latest by July 2022.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27007:2020 has been approved by CEN-CENELEC as EN ISO/IEC 27007:2022
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 27007
Third edition
2020-01
Information security, cybersecurity
and privacy protection — Guidelines
for information security management
systems auditing
Sécurité de l'information, cybersécurité et protection des données
privées — Lignes directrices pour l'audit des systèmes de
management de la sécurité de l'information
Reference number
ISO/IEC 27007:2020(E)
©
ISO/IEC 2020
ISO/IEC 27007:2020(E)
© ISO/IEC 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
ISO/IEC 27007:2020(E)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles of auditing . 1
5 Managing an audit programme . 1
5.1 General . 1
5.2 Establishing audit programme objectives . 1
5.3 Determining and evaluating audit programme risks and opportunities . 2
5.4 Establishing audit programme . 2
5.4.1 Roles and responsibilities of the individual(s) managing audit programme . 2
5.4.2 Competence of individual(s) managing audit programme . 2
5.4.3 Establishing extent of the audit programme . 2
5.4.4 Determining audit programme resources . 3
5.5 Implementing audit programme . 3
5.5.1 General. 3
5.5.2 Defining the objectives, scope and criteria for an individual audit . 3
5.5.3 Selecting and determining audit methods . 4
5.5.4 Selecting audit team members . 4
5.5.5 Assigning responsibility for an individual audit to the audit team leader. 4
5.5.6 Managing audit programme results . 4
5.5.7 Managing and maintaining audit programme records . 4
5.6 Monitoring audit programme . 5
5.7 Reviewing and improving audit programme . 5
6 Conducting an audit . 5
6.1 General . 5
6.2 Initiating audit . 5
6.2.1 General. 5
6.2.2 Establishing contact with auditee . 5
6.2.3 Determining feasibility of audit . 5
6.3 Preparing audit activities . 5
6.3.1 Performing review of documented information. 5
6.3.2 Audit planning . . . 5
6.3.3 Assigning work to audit team . 6
6.3.4 Preparing documented information for audit . 6
6.4 Conducting audit activities . 6
6.4.1 General. 6
6.4.2 Assigning roles and responsibilities of guides and observers . 6
6.4.3 Conducting opening meeting . 6
6.4.4 Communicating during audit . 6
6.4.5 Audit information availability and access . 6
6.4.6 Reviewing document information while conducting audit . 6
6.4.7 Collecting and verifying information . 7
6.4.8 Generating audit findings . 7
6.4.9 Determining audit conclusions . 7
6.4.10 Conducting closing meeting . 7
6.5 Preparing and distributing audit report . 7
6.5.1 Preparing audit report . 7
6.5.2 Distributing audit report . 7
6.6 Completing audit . 7
6.7 Conducting audit follow-up. 7
© ISO/IEC 2020 – All rights reserved iii
ISO/IEC 27007:2020(E)
7 Competence and evaluation of auditors . 8
7.1 General . 8
7.2 Determining auditor competence . . 8
7.2.1 General. 8
7.2.2 Personal behaviour . 8
7.2.3 Knowledge and skills . 8
7.2.4 Achieving auditor competence . 9
7.2.5 Achieving audit team leader competence . 9
7.3 Establishing auditor evaluation criteria. 9
7.4 Selecting appropriate auditor evaluation method . 9
7.5 Conducting auditor evaluation . 9
7.6 Maintaining and improving auditor competence. 9
Annex A (informative) Guidance for ISMS auditing practice .10
Bibliography .39
iv © ISO/IEC 2020 – All rights reserved
ISO/IEC 27007:2020(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see http:// patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This third edition cancels and replaces the second edition (ISO/IEC 27007:2017), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— the document has been aligned with ISO 19011:2018;
— the Introduction has been reworded and expanded;
— in 5.1, the entire text has been removed;
— in 5.2.2, the former item d) has been removed;
— in 5.3, the entire text has been removed;
— in 5.5.2.2, the former item b) and a paragraph below has been removed;
— in 6.5.2.2, the first paragraph has been removed and the NOTE reworded.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2020 – All rights reserved v
ISO/IEC 27007:2020(E)
Introduction
An information security management system (ISMS) audit can be conducted against a range of audit
criteria, separately or in combination, including but not limited to:
— requirements defined in ISO/IEC 27001:2013;
— policies and requirements specified by relevant interested parties;
— statutory and regulatory requirements;
— ISMS processes and controls defined by the organization or other parties;
— management system plan(s) relating to the provision of specific outputs of an ISMS (e.g. plans to
address risks and opportunities when establishing ISMS, plans to achieve information security
objectives, risk treatment plans, project plans).
This document provides guidance for all sizes and types of organizations and ISMS audits of varying
scopes and scales, including those conducted by large audit teams, typically of larger organizations, and
those by single auditors, whether in large or small organizations. This guidance should be adapted as
appropriate to the scope, complexity and scale of the ISMS audit programme.
This document concentrates on ISMS internal audits (first party) and ISMS audits conducted by
organizations on their external providers and other external interested parties (second party). This
document can also be useful for ISMS external audits conducted for purposes other than third party
management system certification. ISO/IEC 27006 provides requirements for auditing ISMS for third
party certification; this document can provide useful additional guidance.
This document is to be used in conjunction with the guidance contained in ISO 19011:2018.
This document follows the structure of ISO 19011:2018.
ISO 19011:2018 provides guidance on the management of audit programmes, the conduct of internal or
external audits of management systems, as well as on the competence and evaluation of management
system auditors.
Annex A provides guidance for ISMS auditing practices along with requirements of ISO/IEC 27001:2013,
Clauses 4 to 10.
vi © ISO/IEC 2020 – All rights reserved
INTERNATIONAL STANDARD ISO/IEC 27007:2020(E)
Information security, cybersecurity and privacy
protection — Guidelines for information security
management systems auditing
1 Scope
This document provides guidance on managing an information security management system (ISMS)
audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the
guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an
ISMS or to manage an ISMS audit programme.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 19011:2018, Guidelines for auditing management systems
ISO/IEC 27000:2018, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/IEC 27000 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
4 Principles of auditing
The principles of auditing of ISO 19011:2018, Clause 4, apply.
5 Managing an audit programme
5.1 General
The guidelines of ISO 19011:2018, 5.1, apply.
5.2 Establishing audit programme objectives
5.2.1 The guidelines of ISO 19011:2018, 5.2, apply. In addition, the guidance in 5.2.2 applies.
© ISO/IEC 2020 – All rights reserved 1
ISO/IEC 27007:2020(E)
1)
5.2.2 ISMS-specific considerations for determining audit programme objectives can include:
a) identified information security requirements;
b) requirements of ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security events and
incidents and effectiveness of the ISMS;
NOTE Further information about performance monitoring, measurement, analysis and evaluation can
be found in ISO/IEC 27004.
d) information security risks to the relevant parties, i.e. the auditee and audit client.
Examples of ISMS-specific audit programme objectives include:
— demonstrate conformity with all relevant legal and contractual requirements and other requirements
and their security implications;
— obtain and maintain confidence in the risk management capability of the auditee;
— evaluate the effectiveness of the actions to address information security risks and opportunities.
5.3 Determining and evaluating audit programme risks and opportunities
5.3.1 The guidelines of ISO 19011:2018, 5.3, apply.
5.3.2 Measures to ensure information security and confidentiality should be determined considering
auditees and other relevant party requirements. Other party requirements can include relevant legal and
contractual requirements.
5.4 Establishing audit programme
5.4.1 Roles and responsibilities of the individual(s) managing audit programme
The guidelines of ISO 19011:2018, 5.4.1, apply. In addition, the guidance in 5.4.1.2 applies.
5.4.2 Competence of individual(s) managing audit programme
The guidelines of ISO 19011:2018, 5.4.2, apply.
5.4.3 Establishing extent of the audit programme
5.4.3.1 The guidelines of ISO 19011:2018, 5.4.3, apply. In addition, the guidance in 5.4.3.2 applies.
5.4.3.2 The extent of an audit programme can include the following:
a) the size of the ISMS, including:
1) the total number of persons doing work under the organization's control and relationships
with interested parties and contractors that are relevant to the ISMS;
2) the number of information systems;
1) For the purpose of this document, the term “audit“ refers to ISMS audits.
2 © ISO/IEC 2020 – All rights reserved
ISO/IEC 27007:2020(E)
3) the number of sites covered by the ISMS;
b) the complexity of the ISMS (including the number and criticality of processes and activities) taking
into account differences between sites within the ISMS scope;
c) the significance of the information security risks identified for the ISMS in relation to the business;
d) the significance of the risks and opportunities determined when planning the ISMS;
e) the importance of preserving the confidentiality, integrity and availability of information within
the scope of the ISMS;
f) the complexity of the information systems to be audited, including complexity of information
technology deployed;
g) the number of similar sites.
Consideration should be given in the audit programme to setting priorities that warrant more detailed
examination based on the significance of information security risks and business requirements in
respect to the scope of the ISMS.
NOTE Further information about determining audit time can be found in ISO/IEC 27006. Further information
on multi-site sampling can be found in ISO/IEC 27006 and mandatory document 1 from the International
Accreditation Forum (IAF MD1, see Reference [11]). The information contained in ISO/IEC 27006 and IAF MD 1
only relates to certification audits.
5.4.4 Determining audit programme resources
5.4.4.1 The guidelines of ISO 19011:2018, 5.4.4, apply. In addition, the guidance in 5.4.4.2 applies.
5.4.4.2 In particular, for all significant risks applicable to the auditee and relevant to the audit
programme objectives, ISMS auditors should be allocated sufficient time to review the effectiveness of
the actions to address information security risks and ISMS related risks and opportunities.
5.5 Implementing audit programme
5.5.1 General
The guidelines of ISO 19011:2018, 5.5.1, apply.
5.5.2 Defining the objectives, scope and criteria for an individual audit
5.5.2.1 The guidelines of ISO 19011:2018, 5.5.2, apply. In addition, the guidance in 5.5.2.2 applies.
5.5.2.2 The audit objectives may include the following:
a) evaluation of whether the ISMS adequately identifies and addresses information security
requirements;
b) determination of the extent of conformity of information security controls with the requirements
and procedures of the ISMS.
The audit scope should take into account information security risks and relevant risks and opportunities
affecting the ISMS of relevant parties, i.e. the audit client and the auditee.
© ISO/IEC 2020 – All rights reserved 3
ISO/IEC 27007:2020(E)
The following topics may be considered as audit criteria and used as a reference against which
conformity is determined:
a) the information security policy, information security objectives, policies and procedures adopted
by the auditee;
b) contractual requirements and other requirements relevant to the auditee;
c) the auditee's information security risk criteria, information security risk assessment process and
risk treatment process;
d) the Statement of Applicability, the identification of any sector-specific or other necessary controls,
justification for inclusions, whether they are implemented or not and the justification for exclusions
of controls of ISO/IEC 27001:2013, Annex A;
e) the definition of controls to treat risks appropriately;
f) the methods and criteria for monitoring, measurement, analysis and evaluation of the information
security performance and the effectiveness of the ISMS;
g) information security requirements provided by a customer;
h) information security requirements applied by a supplier or outsourcer.
5.5.3 Selecting and determining audit methods
5.5.3.1 The guidelines of ISO 19011:2018, 5.5.3, apply. In addition, the guidance in 5.5.3.2 applies.
5.5.3.2 If a joint audit is conducted, particular attention should be paid to the disclosure of information
between the relevant parties. Agreement on this should be reached with all interested parties before the
audit commences.
5.5.4 Selecting audit team members
5.5.4.1 The guidelines of ISO 19011:2018, 5.5.4, apply. In addition, the guidance in 5.5.4.2 applies.
5.5.4.2 The competence of the overall audit team should include adequate knowledge and
understanding of:
a) information security risk management sufficient to evaluate the methods used by the auditee;
b) information security and information security management sufficient to evaluate control
determination, planning, implementation, maintenance and effectiveness of the ISMS.
5.5.5 Assigning responsibility for an individual audit to the audit team leader
The guidelines of ISO 19011:2018, 5.5.5, apply.
5.5.6 Managing audit programme results
The guidelines of ISO 19011:2018, 5.5.6, apply.
5.5.7 Managing and maintaining audit programme records
The guidelines of ISO 19011:2018, 5.5.7, apply.
4 © ISO/IEC 2020 – All rights reserved
ISO/IEC 27007:2020(E)
5.6 Monitoring audit programme
The guidelines of ISO 19011:2018, 5.6, apply.
5.7 Reviewing and improving audit programme
The guidelines of ISO 19011:2018, 5.7, apply.
6 Conducting an audit
6.1 General
The guidelines of ISO 19011:2018, 6.1, apply.
6.2 Initiating audit
6.2.1 General
The guidelines of ISO 19011:2018, 6.2.1, apply.
6.2.2 Establishing contact with auditee
6.2.2.1 The guidelines of ISO 19011:2018, 6.2.2, apply. In addition, the guidance in 6.2.2.2 applies.
6.2.2.2 Where necessary, care should be taken to ensure that the auditors have obtained the necessary
security clearance to access documented information or other information required for audit activities
(including but not limited to confidential or sensitive information).
6.2.3 Determining feasibility of audit
6.2.3.1 The guidelines of ISO 19011:2018, 6.2.3, apply. In addition, the guidance in 6.2.3.2 applies.
6.2.3.2 Before the audit commences, the auditee should be asked whether any ISMS audit evidence
is unavailable for review by the audit team, e.g. because the evidence contains personally identifiable
information or other confidential/sensitive information. The person responsible for managing the audit
programme should determine whether the ISMS can be adequately audited in the absence of audit
evidence. If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the
identified audit evidence, the person responsible for managing the audit programme should advise the
auditee that the audit cannot take place until appropriate access arrangements are granted or alternative
means to achieve the audit have been proposed to or by the auditee. If the audit proceeds, the audit plan
should take into account any access limitations.
6.3 Preparing audit activities
6.3.1 Performing review of documented information
The guidelines of ISO 19011:2018, 6.3.1, apply.
6.3.2 Audit planning
6.3.2.1 The guidelines of ISO 19011:2018, 6.3.2, apply. In addition, the guidance in 6.3.2.2 applies.
6.3.2.2 The audit team leader should be aware that risks to the auditee can result from the presence
of the audit team members. The audit team’s presence can influence information security and present
© ISO/IEC 2020 – All rights reserved 5
ISO/IEC 27007:2020(E)
a source of additional risk to the auditee’s information, e.g. confidential or sensitive records or system
infrastructure (e.g. accidental erasure, unauthorized disclosure of information, unintended alteration of
information).
6.3.3 Assigning work to audit team
The guidelines of ISO 19011:2018, 6.3.3, apply.
6.3.4 Preparing documented information for audit
6.3.4.1 The guidelines of ISO 19011:2018, 6.3.4, apply. In addition, the guidance in 6.3.4.2 applies.
6.3.4.2 The audit team leader should ensure all audit work documents are classified appropriately and
handled in accordance with that classification.
6.4 Conducting audit activities
6.4.1 General
The guidelines of ISO 19011:2018, 6.4.1, apply.
6.4.2 Assigning roles and responsibilities of guides and observers
The guidelines of ISO 19011:2018, 6.4.2, apply.
6.4.3 Conducting opening meeting
The guidelines of ISO 19011:2018, 6.4.3, apply.
6.4.4 Communicating during audit
The guidelines of ISO 19011:2018, 6.4.4, apply.
6.4.5 Audit information availability and access
6.4.5.1 The guidelines of ISO 19011:2018, 6.4.5, apply. In addition, the guidance in 6.4.5.2 applies.
6.4.5.2 If any audit evidence is not available to the audit team during the audit for reasons of
classification or sensitivity, the lead auditor should determine the extent to which this affects the
confidence in the audit findings and conclusion, and reflect on it in the audit report without compromising
the sensitivity of the evidence that was not available.
6.4.6 Reviewing documented information while conducting audit
6.4.6.1 The guidelines of ISO 19011:2018, 6.4.6, apply. In addition, the guidance in 6.4.6.2 applies.
6.4.6.2 ISMS auditors should verify that documented information as required by the audit criteria and
relevant to the audit scope exists and conforms to the audit criteria requirements.
ISMS auditors should confirm that the determined controls within the scope of the audit are related to
the results of the risk assessment and risk treatment process, and can subsequently be traced back to
the information security policy and objectives.
NOTE Annex A provides guidance for ISMS auditing practice, including how to audit the ISMS using relevant
documented information.
6.4.7 Collecting and verifying information
6.4.7.1 The guidelines of ISO 19011:2018, 6.4.7, apply. In addition, the guidance in 6.4.7.2 applies.
6.4.7.2 Possible methods to collect relevant information during the audit include:
a) review of documented information (including computer logs and configuration data);
b) visit of information processing facilities;
c) observation of ISMS processes and related controls;
d) use of automated audit tools.
NOTE 1 Annex A provides guidance on how to audit the ISMS processes.
NOTE 2 ISO/IEC TS 27008 provides additional guidance on how to assess information security controls.
ISMS audit team members should ensure appropriate handling of all information received from auditees
in accordance with the agreement among the audit client, audit team and the auditee.
6.4.8 Generating audit findings
The guidelines of ISO 19011:2018, 6.4.8, apply.
6.4.9 Determining audit conclusions
The guidelines of ISO 19011:2018, 6.4.9, apply.
6.4.10 Conducting closing meeting
The guidelines of ISO 19011:2018, 6.4.10, apply.
6.5 Preparing and distributing audit report
6.5.1 Preparing audit report
The guidelines of ISO 19011:2018, 6.5.1, apply.
6.5.2 Distributing audit report
6.5.2.1 The guidelines of ISO 19011:2018, 6.5.2, apply. In addition, the guidance in 6.5.2.2 applies.
6.5.2.2 NOTE When using electronic means for distribution of the audit report, appropriate encryption is a possible
measure to ensure confidentiality requirements are met.
6.6 Completing audit
The guidelines of ISO 19011:2018, 6.6, apply.
6.7 Conducting audit follow-up
The guidelines of ISO 19011:2018, 6.7, apply.
7 Competence and evaluation of auditors
7.1 General
The guidelines of ISO 19011:2018, 7.1, apply.
7.2 Determining auditor competence
7.2.1 General
7.2.1.1 The guidelines of ISO 19011:2018, 7.2.1, apply. In addition, the guidance in 7.2.1.2 applies.
7.2.1.2 In deciding the appropriate knowledge and skills of an ISMS auditor, the following should be
taken into consideration:
a) complexity of the ISMS (e.g. criticality of information systems within the ISMS, risk assessment
results of the ISMS);
b) the type(s) of business performed within the ISMS scope;
c) extent and diversity of technology utilized in the implementation of the various components of
the ISMS (such as the implemented controls, documented information and/or process control,
technological platforms and solutions involved, etc.);
d) previously demonstrated performance of the ISMS;
e) extent of outsourcing and external party arrangements used within the ISMS scope;
f) the standards, legal requirements and other requirements relevant to the audit programme.
7.2.2 Personal behaviour
The guidelines of ISO 19011:2018, 7.2.2, apply.
7.2.3 Knowledge and skills
7.2.3.1 General
The guidelines of ISO 19011:2018, 7.2.3.1, apply.
7.2.3.2 Generic knowledge and skills of management system auditors
The guidelines of ISO 19011:2018, 7.2.3.2, apply.
7.2.3.3 Discipline and sector specific competence of auditors
7.2.3.3.1 The guidelines of ISO 19011:2018, 7.2.3.3, apply. In addition, the guidance in 7.2.3.3.2 applies.
7.2.3.3.2 ISMS auditors should also be able to understand the relevant business requirements.
7.2.3.4 Generic competence of audit team leader
The guidelines of ISO 19011:2018, 7.2.3.4, apply.
7.2.3.5 Knowledge and skills for auditing multiple disciplines
The guidelines of ISO 19011:2018, 7.2.3.5, apply.
7.2.4 Achieving auditor competence
7.2.4.1 The guidelines of ISO 19011:2018, 7.2.4, apply. In addition, the guidance in 7.2.4.2 applies.
7.2.4.2 ISMS auditors should have knowledge and skills in information technology and information
security, demonstrated for example through relevant certifications (e.g. accredited to ISO/IEC 17024).
Individual ISMS auditors’ work experience should also contribute to the development of their knowledge
and skills in the ISMS field.
NOTE Further information about certification for ISMS auditors can be found in ISO/IEC 27006.
7.2.5 Achieving audit team leader competence
The guidelines of ISO 19011:2018, 7.2.5, apply.
7.3 Establishing auditor evaluation criteria
The guidelines of ISO 19011:2018, 7.3, apply.
7.4 Selecting appropriate auditor evaluation method
The guidelines of ISO 19011:2018, 7.4, apply.
7.5 Conducting auditor evaluation
The guidelines of ISO 19011:2018, 7.5, apply.
7.6 Maintaining and improving auditor competence
The guidelines of ISO 19011:2018, 7.6, apply.
Annex A
(informative)
Guidance for ISMS auditing practice
A.1 Overview
This annex provides generic guidance on how to audit an ISMS, for which an organization claims
conformance to ISO/IEC 27001. As this guidance is intended to apply to all such ISMS audits, irrespective
of the size or nature of the organization involved, this guidance is generic. The guidance is intended to
be used by auditors performing ISMS auditing, whether internal or external.
NOTE ISO/IEC 27003 gives guidance on implementing and operating an ISMS according to ISO/IEC 27001.
A.2 General
A.2.1 Audit objectives, scope, criteria and audit evidence
During audit activities, information relevant to the audit objectives, scope and criteria, including
information relating to interfaces between functions, activities and processes, should be obtained by
means of appropriate sampling and should be verified. Only information that is verifiable should be
accepted as audit evidence. Audit evidence leading to audit findings should be recorded.
Methods of obtaining information include the following:
— interviews;
— observations;
— review of documents, including records.
A.2.2 Strategy for auditing an ISMS
There are some ISO/IEC 27001:2013 subclauses that are closely linked and in practice are often best
dealt with at the same time in conducting the audit. See Table A.2 for examples.
Examples are ISO/IEC 27001:2013, 6.1.3 and 8.3, and 6.2, 5.1, 5.2, 5.3, 7.1, 7.4, 7.5, 9.1, 9.3 and 10.2; it
makes sense to audit these subclauses together with their linked and related subclauses.
ISO/IEC 27001:2013, 7.5, presents the requirements concerning documented information. As explained
in Table A.2, A.4.5, each time auditors examine an item of documented information, it offers the
opportunity to confirm conformity with the requirements of ISO/IEC 27001:2013, 7.5. The guidance on
how to do this is located in Table A.2, A.4.5. The requirements regarding documented information are
not repeated for each occurrence of "documented information" in the table.
A.2.3 Audit and documented information
Audit activities can involve documented information, namely:
a) requi
...
Frequently Asked Questions
SIST EN ISO/IEC 27007:2022 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)". This standard covers: This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
SIST EN ISO/IEC 27007:2022 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 03.120.20 - Product and company certification. Conformity assessment; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.