EN IS0 27007 EUROPEAN STANDARD NORME EUROPEENNE EUROPAISCHE NORM January 2022 ICS 03.120.20; 35.030 English version Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (IS0/IEC 27007:2020) Sécurité de I'information, cybersécurité et protection Informationstechnik - Sicherheitsverfahren - Leitfaden des données privées - Lignes directrices pour I'audit fur das Auditieren von des systemes de management de la sécurité de Informationssicherheitsmanagementsystemen I'information (IS0/IEC 27007:2020) (IS0/IEC 27007:2020) This European Standard was approved by CEN on 26 December 2021. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. ce CENELEC CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels @ 2022 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN IS0 27007:2022 E reserved worldwide for CEN national Members and for CENELEC Members. EN IS0 27007:2022 (E) European foreword The text of IS0/IEC 27007:2020 has been prepared by Technical Committee IS0/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and has been taken over as EN ISO 27007:2022 by Technical Committee CEN-CENELEC/ JTC 13 “Cybersecurity and Data Protection" the secretariat of which is held by DIN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by July 2022, and conflicting national standards shall be withdrawn at the latest by July 2022. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights. Any feedback and questions on this document should be directed to the users' national standards body A complete listing of these bodies can be found on the CEN and CENELEC websites. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of IS0/IEC 27007:2020 has been appr0ved by CEN-CENELEC as EN IS0 27007:2022 without any modification. Contents Page Foreword V Introduction vi 1 Scope. 1 2 Normative references. 3 Terms and definitions. 4 Principles of auditing. 1 5 Managing an audit programme 1 5.1 General 5.2 Establishing audit programme objectives. 5.3 Determining and evaluating audit programme risks and opportunities. 2 5.4 Establishing audit programme 2 Roles and responsibilities of the individual(s) managing audit programme. 5.4.1 2