When auditing the necessary controls, it is better to audit against the risk treatment plan(s)

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

Auditing and certification

Introduction

ISO 17021 (Conformity assessment — Requirements for bodies providing audit and certification of management systems) is the ISO standard that places requirements upon certification bodies, and ISO 19011 (Guidelines for auditing management systems) is the ISO standard that provides guidance for certification body auditors. These standards are interpreted in the context of ISO/IEC 27001 by ISO/IEC 27006 and ISO/IEC 27007 respectively. Whilst these standards are primarily aimed at certification bodies, some knowledge of their content is of benefit to organisations that are certified (or are considering certification) to ISO/IEC 27001. This article explains why.

What is in ISO/IEC 27007?

We start with ISO/IEC 27007 as its content is the most useful for ISMS organisations. In particular, it contains an annex which takes each of the major clauses of ISO/IEC 27001 and gives advice on how to audit against them.

Layout of ISO/IEC 27007, Annex A

A.n Clause title (ISO/IEC 27001:2022, Clause corresponding clause number)
A.n.m Sub-clause title (ISO/IEC 27001:2022, corresponding sub-clause number)
  • Related ISO/IEC 27001 clauses: List of clauses
  • Relevant ISO/IEC 27000 definitions: List of terms that have special meanings
  • Audit evidence: What the auditor should be looking for to confirm conformity with the ISO/IEC 27001 requirement
  • Audit practice guide: Guidance, especially in cases where there is no requirement for documented information
  • Supporting documents: References to documents providing further relevant information

It cautions auditors to take care when requesting documented information as evidence of conformity. This is because there are only sixteen explicit requirements for documented information in ISO/IEC 27001, including the Statement of Applicability. Whilst there are many requirements for which it would be reasonable to expect evidence of conformance to be found in such documented information, there are requirements where this is not the case. For example:

  • There is no requirement for documented information concerning the context of the organisation, the identification of interested parties or their requirements, audit procedures, or measurement procedures (and many more examples such as these).
  • Nevertheless, it would be reasonable to expect evidence of conformity to clauses such as 6.1.3 a) through f) in the documented information regarding the information security risk treatment process, since these clauses constitute a process which organisations are explicitly required to document.

What else is in ISO/IEC 27007?

The main body of ISO/IEC 27007 provides an interpretation of ISO 19011. There are many cross-references to ISO 19011 and, indeed, the main body of ISO/IEC 27007 cannot be readily understood without a copy of ISO 19011 to hand. Nevertheless, the following are some of the main points:

  • Audit programmes can address more than one management system standard.
  • The principles of auditing reflect the risk-based approach of Annex SL, and should therefore take account of the type of risks and opportunities faced by the organisation being audited and the level of maturity of its management system.
  • Auditors should pay attention to what constitutes top management.

What does ISO/IEC 27007 say about the Statement of Applicability?

ISO/IEC 27007 points out that the Statement of Applicability (SOA) is another area where the auditor should take care. It stresses:

  • The SOA should contain all necessary controls.
  • Necessary controls can:
     1. be ISO/IEC 27001:2022, Annex A controls, but these are not mandatory;
     2. be taken from other standards (e.g. ISO/IEC 27017) or other sources;
     3. have been specially designed by the organisation;
     4. be variants of Annex A controls.
  • When auditing the necessary controls, it is better to audit against the information security risk treatment plan(s) [as stated in ISO/IEC 27001:2022, 6.1.3 e)] rather than the individual necessary controls as listed in the Statement of Applicability. Indeed, not only are the controls in ISO/IEC 27001 Annex A not requirements, but there is no requirement in ISO/IEC 27001 to implement any information security control. The requirement (Clause 8.3) is to implement your risk treatment plan 😮.

What about ISO/IEC 27006?

The main body of ISO/IEC 27006 provides an interpretation of ISO 17021. There are many cross-references to ISO 17021 and, indeed, the main body of ISO/IEC 27006 cannot be readily understood without a copy of ISO 17021 to hand. Nevertheless, there are two key annexes, and there is an important new development:

  • Annex B specifies the requirements for audit time. It contains a table that lists the minimum audit time as a function of the number of persons doing work under the control of the organisation, and explains the factors which can increase or decrease this time. It also provides a comparison between the times required for ISO/IEC 27001, ISO 9001 and ISO 14001. The time required for ISO/IEC 27001 is greater than the time required for ISO 14001 which, in turn, is greater than the time required for ISO 9001 audits.
  • Annex D explains that auditors should review “The implementation of controls that were determined as necessary by the client for the ISMS (as per the Statement of Applicability)”. It proceeds to give guidance on how this can be done using the ISO/IEC 27001, Annex A controls. The table is not intended to provide guidance for reviewing other controls.
  • The new development concerns an extension of ISO/IEC 27006 to cater for ISO/IEC 27701, which is an extension to ISO/IEC 27001 for privacy. The principal changes concern audit time and auditor competence.