ISO IEC 27007:2011 pdfダウンロード

ISO IEC 27007:2011 pdfダウンロード。Information technology — Security techniques — Guidelines for information security management systems auditing
1 Scope
This lnternational Standard provides guidance on managing an information security management systemISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition tothe guidance contained in ISO 19011.
This International Standard is applicable to those needing to understand or conduct internal or external audits of anISMS or to manage an ISMS audit programme.
2 Normative references
The following referenced documents are indispensable for the application of this document. For datedreferences, only the edition cited applies. For undated references, the latest edition of the referenceddocument (including any amendments) applies.
ISO 19011:2011, Guidelines for auditing management systems
ISO/EC 27001:2005,Information technology – Security techniques – Information security managementsystems-Requirements
ISO/EC 27000:2009,Information technology – Security techniques – nformation security managementsystems- Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 19011 and ISO/EC 27000 apply
4 Principles of auditing
The principles of auditing from ISO 19011:2011, Clause 4 apply.
5 Managing an audit programme
5.1General
The guidelines from ISO 19011:2011, Clause 5.1, apply. in addition, the following ISMS-specific guidanceapplies.
5.1.1 IS 5.1 General
The ISMS audit 1 ) programme should be developed based on the auditee’s information security risk situation.
5.2 Establishing the audit programme objectives
The guidelines from ISO 19011:2011, Clause 5.2, apply. In addition, the following ISMS-specific guidance applies.
5.2.1 IS 5.2 Establishing the audit programme objectives
Objectives for audit programme(s) should be established to direct the planning and conduct of audits and to ensure that the audit programme is implemented effectively. These objectives can be dependent on:
a) identified information security requirements;
b) requirements from ISO/IEC 27001;
c) auditee’s level of performance, as reflected in the occurrence of information security failures, incidents and effectiveness measurements; and
d) information security risks to the organization being audited.
Examples of audit programme objectives may include the following:
1) verification of conformity with the identified legal and contractual requirements and other requirements and their security implications;
2) Obtaining and maintaining confidence in the risk management capability of an auditee.
5.3 Establishing the audit programme
5.3.1 Role and responsibilities of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.1, apply.
5.3.2 Competence of the person managing the audit programme
The guidelines from ISO 19011:2011, Clause 5.3.2, apply.