The havoc caused by such attacks runs from celebrities embarrassed by careless photos, to the loss of medical records, to ransom threats amounting to millions that have hit even the most powerful corporations.
Where such data contains personal, financial or medical information, companies have both a moral and legal obligation to keep it safe from cybercriminals. That’s where International Standards like the ISO/IEC 27000 family come in, helping organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties.
ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). It’s an International Standard to which an organization can be certified, although certification is optional.
For the person charged with auditing a particular company it can be a complex process. Likewise, getting ready for a smooth audit requires preparation and attention to detail. That’s precisely why ISO/IEC 27007 Information technology — Security techniques — Guidelines for information security management systems auditing exists. It helps both parties thoroughly prepare by providing clear guidance. First published in 2011, ISO/IEC 27007 has now been updated to align it to ISO/IEC 27001:2013.
It provides guidance on the management of an information security management system (ISMS) audit programme, the conduct of internal and external ISMS audits in accordance with ISO/IEC 27001, and the competence and evaluation of ISMS auditors. Additionally, it provides extensive guidance for auditing all requirements stated in ISO/IEC 27001. It’s intended to be used in conjunction with the guidance contained in ISO 19011:2011, and follows the same structure as that International Standard.
ISO/IEC 27007 brings benefits to any type of business and is designed to be applicable for all users, including small and medium-sized organizations.