On the basis of GB/T 19011-2013, this standard provides guidelines for managing an information security management system (hereinafter referred to as ISMS) audit programme and for conducting ISMS audits, and provides guidelines for evaluating ISMS auditor capabilities. This International Standard is applicable to all organizations that need to understand or implement internal or external audits of an ISMS, or that need to manage an ISMS audit programme.