Information Security Management System (ISMS) audits set the standard

ISO/IEC 27001 is the best-known standard for information security management systems (ISMS). It’s an International Standard, adopted in Ireland by NSAI, to which an organisation can be certified, although certification is optional.

Information security is a major concern to consumers and companies alike. Fuelled by an increasing number of high-profile cyberattacks causing personal, financial and reputational damage, more and more organisations are moving to a standardised approach to ISMS.

Where data contains personal, financial or medical information, organisations have both a moral and legal obligation to keep it safe. That’s where International Standards like the ISO/IEC 27000 family come in, helping organisations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties.

Preparing for an ISMS Audit

For the person charged with auditing an organisation, it can be a complex process. Likewise, getting ready for a smooth audit requires preparation and attention to detail. That’s precisely why ISO/IEC 27007 Information technology — Security techniques — Guidelines for information security management systems auditing exists. It helps both parties thoroughly prepare by providing clear guidance. First published in 2011, ISO/IEC 27007 has now been updated to align it to ISO/IEC 27001:2013.

It provides guidance on the management of an information security management system (ISMS) audit programme, the conduct of internal and external ISMS audits in accordance with ISO/IEC 27001, and the competence and evaluation of ISMS auditors. Additionally, it provides extensive guidance for auditing all requirements stated in ISO/IEC 27001. It’s intended to be used in conjunction with the guidance contained in ISO 19011:2011, and follows the same structure as that International Standard.
