ISO/IEC 27007:2020 pdf download – Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing.
5.5.3 Selecting and determining audit methods 5.5.3.1 The guidelines of ISO 19011:2018, 5.5.3, apply. In addition, the guidance in 5.5.3.2 applies. 5.5.3.2 If a joint audit is conducted, particular attention should be paid to the disclosure of information between the relevant parties. Agreement on this should be reached with all interested parties before the audit commences. 5.5.4 Selecting audit team members 5.5.4.1 The guidelines of ISO 19011:2018, 5.5.4, apply. In addition, the guidance in 5.5.4.2 applies. 5.5.4.2 The competence of the overall audit team should include adequate knowledge and understanding of: a) information security risk management sufficient to evaluate the methods used by the auditee; b) information security and information security management sufficient to evaluate control determination, planning, implementation, maintenance and effectiveness of the ISMS. 5.5.5 Assigning responsibility for an individual audit to the audit team leader The guidelines of ISO 19011:2018, 5.5.5, apply. 5.5.6 Managing audit programme results The guidelines of ISO 19011:2018, 5.5.6, apply. 5.5.7 Managing and maintaining audit programme records The guidelines of ISO 19011:2018, 5.5.7, apply.
5.6 Monitoring audit programme The guidelines of ISO 19011:2018, 5.6, apply. 5.7 Reviewing and improving audit programme The guidelines of ISO 19011:2018, 5.7, apply. 6 Conducting an audit 6.1 General The guidelines of ISO 19011:2018, 6.1, apply. 6.2 Initiating audit 6.2.1 General The guidelines of ISO 19011:2018, 6.2.1, apply. 6.2.2 Establishing contact with auditee 6.2.2.1 The guidelines of ISO 19011:2018, 6.2.2, apply. In addition, the guidance in 6.2.2.2 applies. 6.2.2.2 Where necessary, care should be taken to ensure that the auditors have obtained the necessary security clearance to access documented information or other information required for audit activities (including but not limited to confidential or sensitive information). 6.2.3 Determining feasibility of audit 6.2.3.1 The guidelines of ISO 19011:2018, 6.2.3, apply. In addition, the guidance in 6.2.3.2 applies. 6.2.3.2 Before the audit commences, the auditee should be asked whether any ISMS audit evidence is unavailable for review by the audit team, e.g. because the evidence contains personally identifiable information or other confidential/sensitive information. The person responsible for managing the audit programme should determine whether the ISMS can be adequately audited in the absence of audit evidence. If the conclusion is that it is not possible to adequately audit the ISMS without reviewing the identified audit evidence, the person responsible for managing the audit programme should advise the auditee that the audit cannot take place until appropriate access arrangements are granted or alternative means to achieve the audit have been proposed to or by the auditee. If the audit proceeds, the audit plan should take into account any access limitations.