Introduction To ISO 27008 (ISO27008)

ISO 27008 will offer guidelines for auditing information security management (ISM) with respect to security controls. It differs from ISO 27007 in that the latter focuses on the management system itself (the ISMS) rather than on specific controls.

It was approved in April 2008 and is currently at the Working Draft development phase. Publication is not anticipated until 2011 at the earliest.

The document will actually be a 'technical report', offering guidance on how to verify or confirm the degree to which the requisite security controls are implemented in practice.

ISO 27008 will of course be closely related to the ISMS audit standard, ISO 27007. However, whereas the latter focuses on ISMS audit, which is most closely related to ISO 27001, ISO 27008 is likely to be more closely aligned with ISO 27002, which of course outlines potential controls. Time will tell.
