FprEN ISO 27706
(Main)Information technology, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC FDIS 27706:2024)
Information technology, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC FDIS 27706:2024)
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
Anforderungen an Stellen, die Informationssicherheits-Managementsysteme auditieren und zertifizieren (ISO/IEC FDIS 27706:2024)
Dieses Dokument legt, zusätzlich zu den Anforderungen in ISO/IEC 17021-1, Anforderungen fest und bietet
eine Anleitung für Stellen, die Audits und Zertifizierungen von Datenschutz-Managementsystemen (PIMS)
nach ISO/IEC 27701 vornehmen.
Die in diesem Dokument enthaltenen Anforderungen werden von Stellen, die PIMS-Zertifizierungen durchführen,
im Hinblick auf Kompetenz und Zuverlässigkeit nachgewiesen. Die in diesem Dokument enthaltene
Anleitung bietet eine zusätzliche Interpretation dieser Anforderungen für Stellen, die PIMS-Zertifizierungen
durchführen.
ANMERKUNG Dieses Dokument kann als Kriteriendokument für die Akkreditierung, die Bewertung unter Gleichrangigen
oder für andere Auditprozesse verwendet werden.
Exigences pour les organismes procédant à l’audit et à la certification des systèmes de management de la sécurité de l’information (ISO/IEC FDIS 27706:2024)
Zahteve za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja informacijske varnosti - 2. del: Sistemi za upravljanje informacij o zasebnosti (ISO/IEC/DIS 27006-2:2023)
General Information
Relations
Standards Content (Sample)
SLOVENSKI STANDARD
01-september-2023
Zahteve za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja
informacijske varnosti - 2. del: Sistemi za upravljanje informacij o zasebnosti
(ISO/IEC/DIS 27006-2:2023)
Requirements for bodies providing audit and certification of information security
management systems - Part 2: Privacy information management systems (ISO/IEC/DIS
27006-2:2023)
Anforderungen an Stellen, die Informationssicherheits-Managementsysteme auditieren
und zertifizieren - Teil 2: Datenschutz-Managementsysteme (ISO/IEC/DIS 27006-2:2023)
Exigences pour les organismes procédant à l’audit et à la certification des systèmes de
management de la sécurité de l’information - Partie 2: Systèmes de management de la
protection de la vie privée (ISO/IEC/DIS 27006-2:2023)
Ta slovenski standard je istoveten z: prEN ISO/IEC 27006-2
ICS:
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27006-2
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2023-07-18 2023-10-10
Requirements for bodies providing audit and certification
of information security management systems —
Part 2:
Privacy information management systems
Exigences pour les organismes procédant à l’audit et à la certification des systèmes de management des
informations de sécurité —
Partie 2: Systèmes de management des informations de sécurité
ICS: 03.120.20; 35.030
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
ISO/CEN PARALLEL PROCESSING
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 27006-2:2023(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2023
ISO/IEC DIS 27006-2:2023(E)
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27006-2
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
Requirements for bodies providing audit and certification
of information security management systems —
Part 2:
Privacy information management systems
Exigences pour les organismes procédant à l’audit et à la certification des systèmes de management des
informations de sécurité —
Partie 2: Systèmes de management des informations de sécurité
ICS: 03.120.20; 35.030
This document is circulated as received from the committee secretariat.
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
© ISO/IEC 2023
ISO/CEN PARALLEL PROCESSING
THEREFORE SUBJECT TO CHANGE AND MAY
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
NOT BE REFERRED TO AS AN INTERNATIONAL
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on STANDARD UNTIL PUBLISHED AS SUCH.
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
IN ADDITION TO THEIR EVALUATION AS
or ISO’s member body in the country of the requester. BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
ISO copyright office
USER PURPOSES, DRAFT INTERNATIONAL
CP 401 • Ch. de Blandonnet 8
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
CH-1214 Vernier, Geneva
POTENTIAL TO BECOME STANDARDS TO
Phone: +41 22 749 01 11
WHICH REFERENCE MAY BE MADE IN
Reference number
Email: copyright@iso.org
NATIONAL REGULATIONS.
Website: www.iso.org ISO/IEC DIS 27006-2:2023(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
Published in Switzerland
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
ii
© ISO/IEC 2023 – All rights reserved
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2023
ISO/IEC DIS 27006-2:2023(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 3
5 General requirements . 3
5.1 Legal and contractual matters . 3
5.2 Management of impartiality . 3
5.2.1 General . 3
5.2.2 Conflicts of interest. 3
5.3 Liability and financing . 3
6 Structural requirements .3
7 Resource requirements .3
7.1 Competence of personnel . 3
7.1.1 General . 3
7.1.2 General considerations . 4
7.1.3 Determination of competence criteria. 4
7.2 Personnel involved in the certification activities . 5
7.2.1 General . 5
7.2.2 Demonstration of auditor knowledge and experience . 5
7.3 Use of individual external auditors and external technical experts . 6
7.4 Personnel records . 6
7.5 Outsourcing . 6
8 Information requirements . 6
8.1 Public information . . 6
8.2 Certification documents . 6
8.2.1 General . 6
8.2.2 PIMS Certification documents . 6
8.3 Reference to certification and use of marks . 7
8.4 Confidentiality . 7
8.5 Information exchange between a certification body and its clients . 7
9 Process requirements . 7
9.1 Pre-certification activities . 7
9.1.1 Application . 7
9.1.2 Application review . . 7
9.1.3 Audit programme . 7
9.1.4 Determining audit time . 8
9.1.5 Multi-site sampling . . 8
9.1.6 Multiple management systems . 8
9.2 Planning audits . 8
9.2.1 Determining audit objectives, scope and criteria . 8
9.2.2 Audit team selection and assignments . 8
9.2.3 Audit plan . 8
9.3 Initial certification . 9
9.4 Conducting audits . 9
9.4.1 General . 9
9.4.2 Specific elements of the ISMS audit . 9
9.4.3 Audit report . 9
9.5 Certification decision . . . 9
9.5.1 General . 9
iii
© ISO/IEC 2023 – All rights reserved
ISO/IEC DIS 27006-2:2023(E)
9.5.2 Certification decision .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.