prEN ISO/IEC 27006-1

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 27006-1:2022
01-september-2022
Zahteve za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja
informacijske varnosti - 1. del: Splošno (ISO/IEC/DIS 27006-1:2022)
Requirements for bodies providing audit and certification of information security
management systems - Part 1: General (ISO/IEC/DIS 27006-1:2022)
Anforderungen an Stellen, die Informationssicherheitsmanagementsysteme auditieren
und zertifizieren - Teil 1: Allgemeines (ISO/IEC/DIS 27006-1:2022)
Exigences pour les organismes procédant à l'audit et à la certification des systèmes de
management de la sécurité de l'information - Partie 1: Généralités (ISO/IEC/DIS 27006-
1:2022)
Ta slovenski standard je istoveten z: prEN ISO/IEC 27006-1
ICS:
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 27006-1:2022 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 27006-1:2022

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27006-1
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2022-07-01 2022-09-23
Requirements for bodies providing audit and certification
of information security management systems —
Part 1:
General
ICS: 35.030; 03.120.20
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
ISO/CEN PARALLEL PROCESSING
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 27006-1:2022(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2022

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27006-1
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:

Requirements for bodies providing audit and certification
of information security management systems —
Part 1:
General
ICS: 35.030; 03.120.20
This document is circulated as received from the committee secretariat.
COPYRIGHT PROTECTED DOCUMENT
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
© ISO/IEC 2022
ISO/CEN PARALLEL PROCESSING
THEREFORE SUBJECT TO CHANGE AND MAY
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
NOT BE REFERRED TO AS AN INTERNATIONAL
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on STANDARD UNTIL PUBLISHED AS SUCH.
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
IN ADDITION TO THEIR EVALUATION AS
or ISO’s member body in the country of the requester. BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
ISO copyright office
USER PURPOSES, DRAFT INTERNATIONAL
CP 401 • Ch. de Blandonnet 8
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
CH-1214 Vernier, Geneva
POTENTIAL TO BECOME STANDARDS TO
Phone: +41 22 749 01 11
WHICH REFERENCE MAY BE MADE IN
Reference number
Email: copyright@iso.org
NATIONAL REGULATIONS.
Website: www.iso.org ISO/IEC DIS 27006-1:2022(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
Published in Switzerland
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
ii
  © ISO/IEC 2022 – All rights reserved
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2022

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 4
5 General requirements . 4
5.1 Legal and contractual matters . 4
5.2 Management of impartiality . 4
5.2.1 IS 5.2 Conflicts of interest . 4
5.3 Liability and financing . 5
6 Structural requirements .5
7 Resource requirements .5
7.1 Competence of personnel . 5
7.1.1 IS 7.1.1 General considerations . 5
7.1.2 IS 7.1.2 Determination of Competence Criteria . 5
7.2 Personnel involved in the certification activities . 8
7.2.1 IS 7.2 Demonstration of auditor knowledge and experience . 8
7.3 Use of individual external auditors and external technical experts . 9
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the
audit team . 9
7.4 Personnel records . 9
7.5 Outsourcing . 9
8 Information requirements .10
8.1 Public information . . 10
8.2 Certification documents . 10
8.2.1 IS 8.2 ISMS Certification documents . 10
8.3 Reference to certification and use of marks . 10
8.4 Confidentiality . 10
8.4.1 IS 8.4 Access to organizational records . 11
8.5 Information exchange between a certification body and its clients . 11
8.5.1 IS 8.5 Information exchange between a certification body and its clients . 11
9 Process requirements .11
9.1 Pre-certification activities . 11
9.1.1 Application . 11
9.1.2 Application review . . 11
9.1.3 Audit programme . 11
9.1.4 Determining audit time . 13
9.1.5 Multi-site sampling . . 13
9.1.6 Multiple management systems . 14
9.2 Planning audits . 15
9.2.1 Determining audit objectives, scope and criteria .15
9.2.2 Audit team selection and assignments . 16
9.2.3 Audit plan . 16
9.3 Initial certification . 17
9.3.1 IS 9.3.1 Initial certification audit . 17
9.4 Conducting audits . 18
9.4.1 IS 9.4 General . 18
9.4.2 IS 9.4 Specific elements of the ISMS audit . 18
9.4.3 IS 9.4 Audit report . 18
9.5 Certification decision . . . 19
iii
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
9.5.1 IS 9.5 Certification decision . 19
9.6 Maintaining certification . 19
9.6.1 General . 19
9.6.2 Surveillance activities .20
9.6.3 Re-certification . 21
9.6.4 Special audits . 21
9.6.5 Suspending, withdrawing or reducing the scope of certification . 21
9.7 Appeals . 21
9.8 Complaints. 21
9.8.1 IS 9.8 Complaints . 21
9.9 Client records . 21
10 Management system requirements for certification bodies .22
10.1 Options. 22
10.1.1 IS 10.1 ISMS implementation . 22
10.2 Option A: General management system requirements . 22
10.3 Option B: Management system requirements in accordance with ISO 9001 .22
Annex A (informative) Knowledge and skills for ISMS auditing and certification .23
Annex B (normative) Audit time .25
Annex C (informative) Methods for audit time calculations .31
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2022, Annex A
controls .34
Annex E (informative) Requirements and limits for certifications according to sector-
specific standard extensions .50
Bibliography .51
iv
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO's adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Information
security, cybersecurity and privacy protection.
ISO/IEC 27006-1 was prepared by the Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This document cancels and replaces the second edition (ISO/IEC 27006:2015), which has been
technically revised. It has been renumbered and so is the first edition of ISO/IEC 27006-1.
v
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
Introduction
ISO/IEC 17021-1 sets out criteria for bodies operating audit and certification of management systems. If
such bodies are to be accredited as complying with ISO/IEC 17021-1 with the objective of auditing and
certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2013
and possibly sector-specific standard extensions of ISO/IEC 27001, some additional requirements and
guidance to ISO/IEC 17021-1 are necessary. These are provided by this Document.
The text in this Document follows the structure of ISO/IEC 17021-1 and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021-1 for ISMS certification are identified
by the letters “IS”.
The term “shall” is used throughout this Document to indicate those provisions which, reflecting the
requirements of ISO/IEC 17021-1 and ISO/IEC 27001, are mandatory. The term “should” is used to
indicate recommendation.
The primary purpose of this Document is to enable accreditation bodies to more effectively harmonize
their application of the standards against which they are bound to assess certification bodies.
Throughout this Document, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as
used in this Document is not to be confused with other types of systems, such as IT systems.
The certification body may offer audit and certification services to sector-specific standard extensions
of ISO/IEC 27001 in addition to audit and certification to ISO/IEC 27001.
NOTE The extension of ISO/IEC 7001 through the application of a sector-specific standard does not result in
a management system independent of the ISMS.
vi
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27006-1:2022(E)
Requirements for bodies providing audit and certification
of information security management systems —
Part 1:
General
1 Scope
This document specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements
contained within ISO/IEC 17021-1. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and
reliability by any body providing ISMS certification, and the guidance contained in this document
provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit
processes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification
of management systems — Part 1: Requirements
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1 and the following
apply.
3.1
certification documents
documents indicating that a client's ISMS conforms to specified ISMS standards and any supplementary
documentation required under the system
3.2
sector-specific standard
standard that extends Annex A of ISO/IEC 27001 to support a specific sector
Note 1 to entry: A sector specific standard provides additions to the controls in ISO/IEC 27002 or provides
guidance on which elements to consider in the organizational context, interested parties, their needs and
expectations to implement the requirements in ISO/IEC 27001 or guidance on the implementation of controls.
Note 2 to entry: A sector specific extension standard of ISO/IEC 27001 doesn't change the requirements of
ISO/IEC 27001, including any addition and modification.
1
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
3.3
control
measure that is modifying risk (3.10)
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk (3.10).
Note 2 to entry: It is possible that controls not always exert the intended or assumed modifying effect.
[SOURCE: ISO/IEC 27000:2018, 3.14]
3.4
control objective
statement describing what is to be achieved as a result of implementing controls (3.3)
[SOURCE: ISO/IEC 27000:2018, 3.15]
3.5
external context
external environment in which the organization seeks to achieve its objectives
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization;
— relationships with, and perceptions and values of, external stakeholders.
[SOURCE: ISO/IEC 27000:2018, 3.22]
3.6
information security
preservation of confidentiality, integrity and availability of information
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability
can also be involved.
[SOURCE: ISO/IEC 27000:2018, 3.28]
3.7
information security incident
single or a series of unwanted or unexpected information security events that have a significant
probability of compromising business operations and threatening information security (3.6)
[SOURCE: ISO/IEC 27000:2018, 3.31]
3.8
information system
set of applications, services, information technology assets, or other information-handling components
[SOURCE: ISO/IEC 27000:2018, 3.35]
3.9
internal context
internal environment in which the organization seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
2
  © ISO/IEC 2022 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes,
systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO/IEC 27000:2018, 3.38]
3.10
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009,
3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be
expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities
of an information asset or group of information assets and thereby cause harm to an organization.
[SOURCE: ISO/IEC 27000:2018, 3.61]
3.11
risk analysis
process to comprehend the nature of risk (3.10) and to determine the level of risk
Note 1 to entry: Risk analysis (3.11) provides the basis for risk evaluation and decisions about risk treatment
(3.14).
Note 2 to entry: Risk analysis (3.11) includes risk estimation.
[SOURCE: ISO/IEC 27000:2018, 3.63]
3.12
risk assessment
overall process of risk identification, risk analysis (3.11) and risk evaluation
[SOURCE: ISO/IEC 27000:2018, 3.64]
3.13
risk management
coordinated activities to direct and control an organization with regard to risk (3.10)
[SOURCE: ISO/IEC 27000:2018, 3.69]
3
© ISO/IEC 2022 – All rights reserved

---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 27006-1:2022
ISO/IEC DIS 27006-1:2022(E)
3.14
risk treatment
process to modify risk (3.10)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing th
...