BSI recently updated ISO 27006, which provides minimum requirements for auditor competency for bodies that provide audit and certification of information security management systems (ISMS).
John DiMaria, certification product marketing manager for BSI in the US, explained that ISO 27006 provides “baseline” requirements for auditing competency.
BSI has some of the most stringent requirements for auditing competency, DiMaria explained. “Each responsible body is responsible for putting together their particular scheme requirements, which include minimum requirements for competency”, he told Infosecurity.
The standards for auditors include a minimum number of audits that have to be carried out as a trainee and as a lead auditor. Once auditors meet the minimum standards, they must pass a qualifying review by the scheme or operations manager before they can become lead auditors, DiMaria related.
In addition, there are minimum competency standards for technical specialists who provide non-auditing skills and knowledge to the auditing team. The specialists might provide industry-specific skills or knowledge, he said.
“BSI goes quite a ways to ensure that the auditors are not only trained and exceed the requirements of ISO 27006, but we also try to match up the auditors with the specific industry that they are auditing as well”, DiMaria said.
In December, the BSI unveiled a new standard for information security audits (ISO 27007), which provides guidance on managing an information security audit program and offers assistance on conducting audits and assessing the competence of auditors.
ISO 27007 provides organizations with a standard for internal audits of their ISMS, as opposed to the standard for external audits covered by ISO 27006, explained Lorraine King, EMEA product marketing manager at BSI.
The new standard enables organizations to understand the application of ISMS, realize the role and potential of ISMS audits, appreciate the significance of continual improvement of the ISMS, have the ability to successfully plan and organize an ISMS audit, know how to evaluate and report the results of an ISMS audit, and recognize the role of ISMS audits in the maintenance and continual improvement of ISMS.
Another ISO standard for auditing, ISO 27008, provides guidelines for auditors on information security controls.
The ISO 27000 standard series is intended to provide a “framework” to help organizations manage information security risk, explained King. The series offers a framework for information security best practices. ISO 27001 provides the overall specifications for information security standards, and the remaining documents provide guidance on how to implement those specifications, King told Infosecurity.
The whole 27000 series is being revised, and a revised ISO 27001 is due out in 2013, King explained.
In addition, an ISO standard is being developed (ISO 27017) for information security best practices in the cloud. The standard is expected to provide a guideline or code of practice for security controls in the cloud computing environment, she added.