AS/NZS ISO/IEC 27006.1:2025
Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems, Part 1: General
The objective of this document is to specify requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within AS/NZS ISO/IEC 17021.1
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification.
This document is identical to, and has been reproduced from, ISO/IEC 27006-1:2024, Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General.
| Get this standard | Prices exclude GST | |
|---|---|---|
| PDF ( Single user document) |
$236.93 NZD
|
|
| HardCopy |
$263.25 NZD
|
|
| Networkable PDF |
Price varies
|
|
| Online Library ( Annual subscription) |
Info
Price varies
Online Library subscription information Online library subscriptions provide a cost-effective solution for organisations of any size to access the latest standards, offering 24/7 access to a personalised catalogue. The service ensures subscribers have have the most up-to-date version of selected standards, incluing automatic updates for any amendments or versions. Pricing is dependent on the chosen standards and the number of concurrent users, with discounts applied from the standards PDF price. For customised subscriptions or further inquiries, contact the Online Library team. |
AS/NZS ISO/IEC 27006.1:2025
SA/SNZ - Cover page
Preface
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 General
5.2.2 Conflicts of interest
5.3 Liability and financing
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.1.1 General
7.1.2 Generic competence requirements
7.1.3 Determination of competence criteria
7.2 Personnel involved in the certification activities
7.2.1 General
7.2.2 Demonstration of auditor knowledge and experience
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 General
8.2.2 ISMS Certification documents
8.2.3 Reference of other standards in the ISMS certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 General
8.4.2 Access to organizational records
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.2 Application review
9.1.3 Audit programme
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Audit team selection and assignments
9.2.3 Audit plan
9.3 Initial certification
9.3.1 General
9.3.2 Initial certification audit
9.4 Conducting audits
9.4.1 General
9.4.2 Specific elements of the ISMS audit
9.4.3 Audit report
9.5 Certification decision
9.5.1 General
9.5.2 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.8.1 General
9.8.2 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.1.1 General
10.1.2 ISMS implementation
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (normative) Knowledge and skills for ISMS auditing and certification
Annex B (informative) Further competence considerations
Annex C (normative) Audit time
Annex D (informative) Methods for audit time calculations
Annex E (informative) Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls
Bibliography
Keep me up-to-date
Sign up to receive updates when there are changes to this standard
Related Information
Similar Standards
-
AS/NZS 3842:1998
Guide 62: General requirements for bodies operating assessment and certification/registration of quality systems
-
AS/NZS 4417.1:2012
Regulatory compliance mark for electrical and electronic equipment - Part 1: Use of the mark -
AS/NZS 4417.1:2012AA
Regulatory compliance mark for electrical and electronic equipment - Part 1: Use of the mark: Amendment A -
AS/NZS 4417.2:2020
Regulatory compliance mark for electrical and electronic equipment Part 2: Specific requirements for particular regulatory applications
AS/NZS ISO/IEC 27006.1:2025
SA/SNZ - Cover page
Preface
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 General
5.2.2 Conflicts of interest
5.3 Liability and financing
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.1.1 General
7.1.2 Generic competence requirements
7.1.3 Determination of competence criteria
7.2 Personnel involved in the certification activities
7.2.1 General
7.2.2 Demonstration of auditor knowledge and experience
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 General
8.2.2 ISMS Certification documents
8.2.3 Reference of other standards in the ISMS certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 General
8.4.2 Access to organizational records
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.2 Application review
9.1.3 Audit programme
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Audit team selection and assignments
9.2.3 Audit plan
9.3 Initial certification
9.3.1 General
9.3.2 Initial certification audit
9.4 Conducting audits
9.4.1 General
9.4.2 Specific elements of the ISMS audit
9.4.3 Audit report
9.5 Certification decision
9.5.1 General
9.5.2 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.8.1 General
9.8.2 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.1.1 General
10.1.2 ISMS implementation
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (normative) Knowledge and skills for ISMS auditing and certification
Annex B (informative) Further competence considerations
Annex C (normative) Audit time
Annex D (informative) Methods for audit time calculations
Annex E (informative) Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls
Bibliography
AS/NZS ISO/IEC 27006.1:2025
Online Library subscription information
Online library subscriptions provide a cost-effective solution for organisations of any size to access the latest standards, offering 24/7 access to a personalised catalogue. The service ensures subscribers have have the most up-to-date version of selected standards, incluing automatic updates for any amendments or versions. Pricing is dependent on the chosen standards and the number of concurrent users, with discounts applied from the standards PDF price. For customised subscriptions or further inquiries, contact the Online Library team.