What are the key practical differences between these standards for auditing? My organisation has decided to adopt ISO 27001 as a best-practice framework but there is currently no intention to certify and the project is not likely to start in the foreseeable (at least 12 months) future.
We have several existing measures and controls, but it has been decided we need to look at an audit approach to determine maturity.
Which of these frameworks would be best?
ISO 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS, or to manage an ISMS audit programme. ISO 19011 was designed for conducting internal or external audits of management systems in general.
ISO 27007 provides additional recommendations on top of the guidance provided by ISO 19011. For example, where ISO 19011 states you must look for evidence of compliance, ISO 27007 will suggest specific evidence and tests for ISO 27001 clauses and the controls from Annex A.
Considering that, for a specific ISO 27001 context, ISO 27007 is the better recommendation. If you also have to audit other ISO management systems, like ISO 9001 and ISO 14001, ISO 19011 would be a better choice.