ISO/IEC 27006:2015
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021‑1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
| Get this standard | Prices exclude GST | |
|---|---|---|
| PDF ( Single user document) |
$118.26 NZD
|
|
| HardCopy |
$152.17 NZD
|
|
| Networkable PDF |
Price varies
|
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 IS 5.2 Conflicts of interest
5.3 Liability and financing
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.1.1 IS 7.1.1 General considerations
7.1.2 IS 7.1.2 Determination of Competence Criteria
7.2 Personnel involved in the certification activities
7.2.1 IS 7.2 Demonstration of auditor knowledge and experience
7.3 Use of individual external auditors and external technical experts
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 IS 8.2 ISMS Certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 IS 8.4 Access to organizational records
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.2 Application review
9.1.3 Audit programme
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Audit team selection and assignments
9.2.3 Audit plan
9.3 Initial certification
9.3.1 IS 9.3.1 Initial certification audit
9.4 Conducting audits
9.4.1 IS 9.4 General
9.4.2 IS 9.4 Specific elements of the ISMS audit
9.4.3 IS 9.4 Audit report
9.5 Certification decision
9.5.1 IS 9.5 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.8.1 IS 9.8 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.1.1 IS 10.1 ISMS implementation
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (informative) Knowledge and skills for ISMS auditing and certification
Annex B (normative) Audit time
Annex C (informative) Methods for audit time calculations
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls
Bibliography
Amendments
Previous versions
Keep me up-to-date
Sign up to receive updates when there are changes to this standard
Related Information
Similar Standards
-
AS/NZS 3842:1998
Guide 62: General requirements for bodies operating assessment and certification/registration of quality systems
-
AS/NZS 4417.1:2012
Regulatory compliance mark for electrical and electronic equipment - Part 1: Use of the mark -
AS/NZS 4417.1:2012AA
Regulatory compliance mark for electrical and electronic equipment - Part 1: Use of the mark: Amendment A -
AS/NZS 4417.2:2020
Regulatory compliance mark for electrical and electronic equipment Part 2: Specific requirements for particular regulatory applications
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.2.1 IS 5.2 Conflicts of interest
5.3 Liability and financing
6 Structural requirements
7 Resource requirements
7.1 Competence of personnel
7.1.1 IS 7.1.1 General considerations
7.1.2 IS 7.1.2 Determination of Competence Criteria
7.2 Personnel involved in the certification activities
7.2.1 IS 7.2 Demonstration of auditor knowledge and experience
7.3 Use of individual external auditors and external technical experts
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Public information
8.2 Certification documents
8.2.1 IS 8.2 ISMS Certification documents
8.3 Reference to certification and use of marks
8.4 Confidentiality
8.4.1 IS 8.4 Access to organizational records
8.5 Information exchange between a certification body and its clients
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.2 Application review
9.1.3 Audit programme
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Multiple management systems
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.2 Audit team selection and assignments
9.2.3 Audit plan
9.3 Initial certification
9.3.1 IS 9.3.1 Initial certification audit
9.4 Conducting audits
9.4.1 IS 9.4 General
9.4.2 IS 9.4 Specific elements of the ISMS audit
9.4.3 IS 9.4 Audit report
9.5 Certification decision
9.5.1 IS 9.5 Certification decision
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.3 Re-certification
9.6.4 Special audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.8.1 IS 9.8 Complaints
9.9 Client records
10 Management system requirements for certification bodies
10.1 Options
10.1.1 IS 10.1 ISMS implementation
10.2 Option A: General management system requirements
10.3 Option B: Management system requirements in accordance with ISO 9001
Annex A (informative) Knowledge and skills for ISMS auditing and certification
Annex B (normative) Audit time
Annex C (informative) Methods for audit time calculations
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls
Bibliography