PD ISO/IEC TR 27008:2011
Information security management systems – Guidelines for auditors on information security controls
What is it?
PD ISO/IEC TR 27008:2011 is a Technical Report that provides guidance on reviewing an organization's information security controls. It supports the management processes required to implement and operate an Information Security Management System (ISMS). Although intended to be used in conjunction with BS ISO/IEC 27001 and BS ISO/IEC 27002, it is not specific to those standards and is applicable to any situation where information security controls need to be assessed.
PD ISO/IEC TR 27008:2011 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks. PD ISO/IEC TR 27008:2011 does not address management systems audits. ISMS auditing is covered in BS ISO/IEC 27007:2011.
How does it work?
PD ISO/IEC TR 27008:2011 describes generic processes, rather than techniques applicable to specific controls or types of controls. It introduces the concept of formal reviews, then describes the different methods and types of reviews applicable to information security controls. Finally, it describes the activities necessary for an effective review process. An annex contains detailed worked examples.
Although the detailed worked examples within PD ISO/IEC TR 27008:2011 are taken from BS ISO/IEC 27002:2005, the principles and guidance within PD ISO/IEC TR 27008:2011 are not specific to particular versions of either ISO/IEC 27001 or ISO/IEC 27002.
Who should buy it?
PD ISO/IEC TR 27008:2011 is targeted at auditors, either internal or external, tasked with examining information security controls forming part of an ISMS. However, it will be useful for anyone wanting to review or assess the controls of an ISMS, whether as part of a formal audit process or otherwise.