Knowledge & Skill Requirements For Information Security Auditors

According to ISO 19011 Annex A.7, auditors who intend
to examine information security management systems should:

  • Have information security management knowledge and skills, and

  • Be able to apply information security management methods, techniques, processes, and practices.

They must have the knowledge and skills needed to examine
information security management systems and to generate
appropriate audit findings and reach valid conclusions.

The following examples illustrate the kind of knowledge and
skills that information security management auditors need
to have. They should:

1. Understand ISO IEC information security standards.

1.1. Understand ISO IEC 27000 (concepts).

1.2. Understand ISO IEC 27001 (requirements).

1.3. Understand ISO IEC 27002 (code of practice).

1.4. Understand ISO IEC 27003 (implementation).

1.5. Understand ISO IEC 27004 (measurement).

1.6. Understand ISO IEC 27005 (risk management).

2. Understand information security management processes.

3. Understand information security management technologies.

4. Understand the scientific foundations of information security.

5. Understand how requirements are identified and evaluated.

5.1. Understand how customer requirements are handled.

5.2. Understand how other party requirements are handled.

6. Understand information security laws and regulations.

6.1. Understand record protection and retention concerns.

6.2. Understand intellectual property rights and concerns.

6.3. Understand telecommunication interception concerns.

6.4. Understand electronic and digital signature concerns.

6.5. Understand data privacy and protection concerns.

6.6. Understand workplace surveillance concerns.

6.7. Understand workplace ergonomic concerns.

6.8. Understand cryptographic control concerns.

6.9. Understand electronic commerce concerns.

6.10. Understand evidence collection concerns.

6.11. Understand penetration testing concerns.

6.12. Understand computer abuse concerns.

6.13. Understand data monitoring concerns.

6.14. Understand anti-terrorism concerns.

7. Understand information security threats and vulnerabilities.

8. Understand information security management controls.

8.1. Understand electronic control methods and practices.

8.2. Understand physical control methods and practices.

9. Understand information security risk management.

9.1. Understand risk assessment techniques.

9.1.1. Understand risk identification techniques.

9.1.2. Understand risk analysis techniques.

9.1.3. Understand risk evaluation techniques.

10. Understand information security methods and practices.

10.1. Understand how to protect sensitive information.

10.2. Understand how to protect the integrity of information.

11. Understand information security measurement methods.

12. Understand information security evaluation methods.

12.1. Understand how to evaluate management systems.

12.2. Understand how to evaluate security controls.

13. Understand performance management methods.

13.1. Understand how to measure performance.

13.1.1. Understand how to test performance.

13.1.2. Understand how to audit performance.

13.2. Understand how to monitor performance.

13.2.1. Understand how to review performance.

13.3. Understand how to record performance.

Please note that these are only examples. No attempt has been made
to provide an exhaustive list of information security management
auditing knowledge and skill expectations. You're free to add
your own knowledge and skill expectations to this list.

For more information, see information security standards developed
by ISO IEC JTC 1/SC 27 (search ISO site at and
our infosec library at


Praxiom Research Group Limited  780-461-4514

 Updated on December 19, 2015. First published on May 24, 2012.


Copyright 2012 - 2015 by Praxiom Research Group Limited. All Rights Reserved.