ISO/IEC 27007 part of a growing family of ISO/IEC Information Security Management System (ISMS) standards, the 'ISO/IEC 27000 series' is an information security standard being currently developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its current title is Information technology -- Security techniques -- Guidelines for Information security management systems auditing.
ISO/IEC 27007 will provide guidance for those auditing ISMSs for various purposes other than certified compliance with ISO/IEC 27001 (which is covered by ISO/IEC 27006), purposes such as:
- Internal auditing, for example for IT auditors to confirm that an organization's information security controls adequately mitigate its information security risks;
- External auditing, including IT audits conducted as part of financial audits (e.g. confirming that the information security controls relating to the general ledger or procurement systems and processes are adequate for the auditors to place reliance on the associated data/information) and audits of the third party ISMSs (such as those operated by IT service suppliers whether to check their adequacy per se or to confirm that contractual obligations on them in relation to information security are satisfied);
- Management reviews, including those conducted routinely as part of an operating ISMS to check that everything is in order, and ad hoc audits following information security incidents, as part of the root cause analysis to generate corrective actions.