ISO/IEC 27006:2011
(Main)Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006:2011 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in ISO/IEC 27006:2011 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in ISO/IEC 27006:2011 provides additional interpretation of these requirements for any body providing ISMS certification.
Technologies de l'information — Techniques de sécurité — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja informacijske varnosti
Ta mednarodni standard določa zahteve in podaja navodila za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja informacijske varnosti (ISMS), ter se uporablja kot dodatek k zahtevam, določenim v standardih ISO/IEC 17021 in ISO/IEC 27001. Namenjen je predvsem kot podpora akreditaciji certifikacijskih organov, ki izvajajo certifikacijo ISMS. Za izpolnjevanje zahtev, ki jih vsebuje ta mednarodni standard, mora vsak organ, ki izvaja certifikacijo ISMS, izkazati kompetentnost in zanesljivost, navodila v tem mednarodnem standardu pa podajajo dodatno interpretacijo teh zahtev za vsak organ, ki izvaja certifikacijo ISMS.
General Information
Relations
Buy Standard
Standards Content (Sample)
SLOVENSKI STANDARD
SIST ISO/IEC 27006:2012
01-november-2012
1DGRPHãþD
SIST ISO/IEC 27006:2011
Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo
presojanje in certificiranje sistemov upravljanja informacijske varnosti
Information technology -- Security techniques -- Requirements for bodies providing audit
and certification of information security management systems
Technologies de l'information -- Techniques de sécurité -- Exigences pour les
organismes procédant à l'audit et à la certification des systèmes de management de la
sécurité de l'information
Ta slovenski standard je istoveten z: ISO/IEC 27006:2011
ICS:
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.040 Nabori znakov in kodiranje Character sets and
informacij information coding
SIST ISO/IEC 27006:2012 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------
SIST ISO/IEC 27006:2012
---------------------- Page: 2 ----------------------
SIST ISO/IEC 27006:2012
INTERNATIONAL ISO/IEC
STANDARD 27006
Second edition
2011-12-01
Information technology — Security
techniques — Requirements for bodies
providing audit and certification of
information security management
systems
Technologies de l'information — Techniques de sécurité — Exigences
pour les organismes procédant à l'audit et à la certification des
systèmes de management de la sécurité de l'information
Reference number
ISO/IEC 27006:2011(E)
©
ISO/IEC 2011
---------------------- Page: 3 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 4 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 2
5 General requirements . 2
5.1 Legal and contractual matter . 2
5.2 Management of impartiality . 2
5.3 Liability and financing . 3
6 Structural requirements . 3
6.1 Organizational structure and top management . 3
6.2 Committee for safeguarding impartiality . 3
7 Resource requirements . 3
7.1 Competence of management and personnel . 3
7.2 Personnel involved in the certification activities . 4
7.3 Use of individual external auditors and external technical experts . 6
7.4 Personnel records . 6
7.5 Outsourcing . 6
8 Information requirements . 6
8.1 Publicly accessible information . 6
8.2 Certification documents . 7
8.3 Directory of certified clients . 7
8.4 Reference to certification and use of marks. 7
8.5 Confidentiality . 7
8.6 Information exchange between a certification body and its clients . 7
9 Process requirements . 8
9.1 General requirements . 8
9.2 Initial audit and certification . 11
9.3 Surveillance activities . 15
9.4 Recertification . 16
9.5 Special audits . 16
9.6 Suspending, withdrawing or reducing scope of certification . 16
9.7 Appeals . 17
9.8 Complaints . 17
9.9 Records of applicants and clients . 17
10 Management system requirements for certification bodies . 17
10.1 Options . 17
10.2 Option 1 – Management system requirements in accordance with ISO 9001 . 17
10.3 Option 2 – General management system requirements . 17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects . 19
Annex B (informative) Example areas of auditor competence . 22
Annex C (informative) Audit time . 24
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls . 30
© ISO/IEC 2011 – All rights reserved iii
---------------------- Page: 5 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically
revised.
iv © ISO/IEC 2011 – All rights reserved
---------------------- Page: 6 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing
and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005,
some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this
International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their
application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
© ISO/IEC 2011 – All rights reserved v
---------------------- Page: 7 ----------------------
SIST ISO/IEC 27006:2012
---------------------- Page: 8 ----------------------
SIST ISO/IEC 27006:2012
INTERNATIONAL STANDARD ISO/IEC 27006:2011(E)
Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other
audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
© ISO/IEC 2011 – All rights reserved 1
---------------------- Page: 9 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies shall
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of
c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards (see 9.1.1.1);
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities shall not result in the provision of recommendations or advice that would contravene this clause
and the certification body shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
2 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 10 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
5.3 Liability and financing
The requirements from ISO/IEC 17021:2011, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2011, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2011, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1.1 General considerations
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence is appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
© ISO/IEC 2011 – All rights reserved 3
---------------------- Page: 11 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS 7.1.2 Determination of Competence Criteria
Additional information on knowledge and skills is provided in Annex B to support the competence criteria of
ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
4 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 12 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
© ISO/IEC 2011 – All rights reserved 5
---------------------- Page: 13 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and skills to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance applies.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021
on a periodic basis for continuing conformity with relevant requirements and for verifying and recording
that a client organization takes corrective action on a timely basis to correct all nonconformities.
6 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 14 ----------------------
SIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
8.2 Certification documents
The requirements from ISO/IEC 17021:2011, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.2.1 IS 8.2 ISMS Certification documents
The certification body shall provide to each of its client organizations whose ISMS is certified, certification
documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For
the client organization and each of its information systems covered by the certification, these documents shall
identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is
certified. In addition, the certificate shall include a reference to the specific version of the Statement of
Applicability.
NOTE A change to the Statement of Applicability which does not change the coverage of the controls of the scope of
certification need not require an update of the certificate.
8.3 Directory of certified clients
The requirements from ISO/IEC 17021:2011, Clause 8.3 apply.
8.4 Refere
...
INTERNATIONAL ISO/IEC
STANDARD 27006
Second edition
2011-12-01
Information technology — Security
techniques — Requirements for bodies
providing audit and certification of
information security management
systems
Technologies de l'information — Techniques de sécurité — Exigences
pour les organismes procédant à l'audit et à la certification des
systèmes de management de la sécurité de l'information
Reference number
ISO/IEC 27006:2011(E)
©
ISO/IEC 2011
---------------------- Page: 1 ----------------------
ISO/IEC 27006:2011(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27006:2011(E)
Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 2
5 General requirements . 2
5.1 Legal and contractual matter . 2
5.2 Management of impartiality . 2
5.3 Liability and financing . 3
6 Structural requirements . 3
6.1 Organizational structure and top management . 3
6.2 Committee for safeguarding impartiality . 3
7 Resource requirements . 3
7.1 Competence of management and personnel . 3
7.2 Personnel involved in the certification activities . 4
7.3 Use of individual external auditors and external technical experts . 6
7.4 Personnel records . 6
7.5 Outsourcing . 6
8 Information requirements . 6
8.1 Publicly accessible information . 6
8.2 Certification documents . 7
8.3 Directory of certified clients . 7
8.4 Reference to certification and use of marks. 7
8.5 Confidentiality . 7
8.6 Information exchange between a certification body and its clients . 7
9 Process requirements . 8
9.1 General requirements . 8
9.2 Initial audit and certification . 11
9.3 Surveillance activities . 15
9.4 Recertification . 16
9.5 Special audits . 16
9.6 Suspending, withdrawing or reducing scope of certification . 16
9.7 Appeals . 17
9.8 Complaints . 17
9.9 Records of applicants and clients . 17
10 Management system requirements for certification bodies . 17
10.1 Options . 17
10.2 Option 1 – Management system requirements in accordance with ISO 9001 . 17
10.3 Option 2 – General management system requirements . 17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects . 19
Annex B (informative) Example areas of auditor competence . 22
Annex C (informative) Audit time . 24
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls . 30
© ISO/IEC 2011 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 27006:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically
revised.
iv © ISO/IEC 2011 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27006:2011(E)
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing
and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005,
some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this
International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their
application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
© ISO/IEC 2011 – All rights reserved v
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27006:2011(E)
Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other
audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
© ISO/IEC 2011 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/IEC 27006:2011(E)
3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies shall
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of
c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards (see 9.1.1.1);
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities shall not result in the provision of recommendations or advice that would contravene this clause
and the certification body shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
2 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 27006:2011(E)
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
5.3 Liability and financing
The requirements from ISO/IEC 17021:2011, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2011, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2011, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1.1 General considerations
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence is appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
© ISO/IEC 2011 – All rights reserved 3
---------------------- Page: 8 ----------------------
ISO/IEC 27006:2011(E)
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS 7.1.2 Determination of Competence Criteria
Additional information on knowledge and skills is provided in Annex B to support the competence criteria of
ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
4 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 27006:2011(E)
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
© ISO/IEC 2011 – All rights reserved 5
---------------------- Page: 10 ----------------------
ISO/IEC 27006:2011(E)
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and skills to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance applies.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021
on a periodic basis for continuing conformity with relevant requirements and for verifying and recording
that a client organization takes corrective action on a timely basis to correct all nonconformities.
6 © ISO/IEC 2011 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 27006:2011(E)
8.2 Certification documents
The requirements from ISO/IEC 17021:2011, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.2.1 IS 8.2 ISMS Certification documents
The certification body shall provide to each of its client organizations whose ISMS is certified, certification
documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For
the client organization and each of its information systems covered by the certification, these documents shall
identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is
certified. In addition, the certificate shall include a reference to the specific version of the Statement of
Applicability.
NOTE A change to the Statement of Applicability which does not change the coverage of the controls of the scope of
certification need not require an update of the certificate.
8.3 Directory of certified clients
The requirements from ISO/IEC 17021:2011, Clause 8.3 apply.
8.4 Reference to certification and use of marks
The requirements from ISO/IEC 17021:2011, Clause 8.4 apply. In addition, the following ISMS-specific
requirements and guidance applies.
8.4.1 IS 8.4 Control of certification marks
The certification body shall exercise proper control over ownership, use and display of its ISMS certification
marks. If the certification body confers the right to use a mark to indicate certification of an ISMS, the
certification body shall ensure that the client organization uses the specified mark only as authorised in writing
by the certification body. The certification body shall not entitle the client organization to use this mark on a
product, or in a way that may be interpreted as denoting product conformity.
8.5 Confidentiality
The requirements from ISO/IEC 17021:2011, Clause 8.5 apply. In addition, the following ISMS-specific
requirements and guidance applies.
8.5.1 IS 8.5 Access to organizational records
Before the certification audit, the certification body shall ask the client organization to report if any ISMS
records cannot be made available for review by the audit team because they contain confidential or sensitive
information. The certification body shall determine whether the ISMS can be adequately audited in the
absence of these records. If the certification body concludes that it is not possible to adequately audit the
ISMS without reviewing the identified confidential or sensitive records, it shall advise the client organization
that the certification audit cannot take place
...
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo presoje in certificiranje sistemov upravljanja informacijske varnostiTechnologies de l'information -- Techniques de sécurité -- Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'informationInformation technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems35.040Nabori znakov in kodiranje informacijCharacter sets and information coding03.120.20Certificiranje proizvodov in podjetij. Ugotavljanje skladnostiProduct and company certification. Conformity assessmentICS:Ta slovenski standard je istoveten z:ISO/IEC 27006:2011oSIST ISO/IEC 27006:2012en,fr,de01-februar-2012oSIST ISO/IEC 27006:2012SLOVENSKI
STANDARD
oSIST ISO/IEC 27006:2012
Reference numberISO/IEC 27006:2011(E)© ISO/IEC 2011
INTERNATIONAL STANDARD ISO/IEC27006Second edition2011-12-01 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems Technologies de l'information — Techniques de sécurité — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E)
COPYRIGHT PROTECTED DOCUMENT
©
ISO/IEC 2011 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii
© ISO/IEC 2011 – All rights reserved
oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved
iii Contents Page Foreword . iv Introduction . v 1 Scope . 1 2 Normative references . 1 3 Terms and definitions . 1 4 Principles . 2 5 General requirements . 2 5.1 Legal and contractual matter . 2 5.2 Management of impartiality . 2 5.3 Liability and financing . 3 6 Structural requirements . 3 6.1 Organizational structure and top management . 3 6.2 Committee for safeguarding impartiality . 3 7 Resource requirements . 3 7.1 Competence of management and personnel . 3 7.2 Personnel involved in the certification activities . 4 7.3 Use of individual external auditors and external technical experts . 6 7.4 Personnel records . 6 7.5 Outsourcing . 6 8 Information requirements . 6 8.1 Publicly accessible information . 6 8.2 Certification documents . 7 8.3 Directory of certified clients . 7 8.4 Reference to certification and use of marks. 7 8.5 Confidentiality . 7 8.6 Information exchange between a certification body and its clients . 7 9 Process requirements . 8 9.1 General requirements . 8 9.2 Initial audit and certification . 11 9.3 Surveillance activities . 15 9.4 Recertification . 16 9.5 Special audits . 16 9.6 Suspending, withdrawing or reducing scope of certification . 16 9.7 Appeals . 17 9.8 Complaints . 17 9.9 Records of applicants and clients . 17 10 Management system requirements for certification bodies . 17 10.1 Options . 17 10.2 Option 1 – Management system requirements in accordance with ISO 9001 . 17 10.3 Option 2 – General management system requirements . 17 Annex A (informative)
Analysis of a client organization’s complexity and
sector-specific aspects . 19 Annex B (informative)
Example areas of auditor competence . 22 Annex C (informative)
Audit time . 24 Annex D (informative)
Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls . 30
oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) iv
© ISO/IEC 2011 – All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically revised. oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved
v Introduction ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this International Standard. The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the letters “IS”. The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate recommendation. One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their application of the standards against which they are bound to assess certification bodies. NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems. oSIST ISO/IEC 27006:2012
oSIST ISO/IEC 27006:2012
INTERNATIONAL STANDARD ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved 1 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems 1 Scope This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification. NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements ISO 19011, Guidelines for auditing management systems 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply. 3.1 certificate certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement 3.2 certification body third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards, and any supplementary documentation required under the system oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) 2
© ISO/IEC 2011 – All rights reserved 3.3 certification document document indicating that a client organization's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system 3.4 mark legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard 3.5 organization company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised 4 Principles The principles from ISO/IEC 17021:2011, Clause 4 apply. 5 General requirements 5.1 Legal and contractual matter The requirements from ISO/IEC 17021:2011, Clause 5.1 apply. 5.2 Management of impartiality The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific requirements and guidance apply. 5.2.1 IS 5.2 Conflicts of interest Certification bodies can carry out the following duties without them being considered as consultancy or having a potential conflict of interest: a) certification, including information meetings, planning meetings, examination of documents, auditing (not internal ISMS auditing or internal security reviews) and follow up of non-conformities; b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of c) below; c) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.1.1); d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration; oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved 3 e) performing second and third party audits according to standards or regulations other than those being part of the scope of accreditation; f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions. The certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit of the client organization’s ISMS subject to certification. 5.3 Liability and financing The requirements from ISO/IEC 17021:2011, Clause 5.3 apply. 6 Structural requirements 6.1 Organizational structure and top management The requirements from ISO/IEC 17021:2011, Clause 6.1 apply. 6.2 Committee for safeguarding impartiality The requirements from ISO/IEC 17021:2011, Clause 6.2 apply. 7 Resource requirements 7.1 Competence of management and personnel The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific requirements and guidance apply. 7.1.1 IS 7.1.1 General considerations The essential elements of competence required to perform ISMS certification are to select, provide and manage those individuals whose skills and collective competence is appropriate to the activities to be audited and the related information security issues. 7.1.1.1 Competence analysis and contract review The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the ISMS of the client organization, which it assesses. The certification body shall have an effective system for the analysis of the competencies in information security management which it needs to have available, with respect to all the technical areas in which it operates. For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization, based on the results of this competence analysis. In particular, the certification body shall be able to demonstrate that it has the competence to complete the following activities: a) understand the areas of activity of the client organization and the associated business risks; oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) 4
© ISO/IEC 2011 – All rights reserved b) define the competencies needed in the certification body to certify in relation to the identified activities, and information security related threats to assets, vulnerabilities and impacts on the client organization; c) confirm the availability of the required competencies. 7.1.1.2 Resources The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing (see also Annex B). The certification body shall be able to communicate effectively with all those clients it provides services to. 7.1.2 IS 7.1.2 Determination of Competence Criteria Additional information on knowledge and skills is provided in Annex B to support the competence criteria of ISO/IEC 17021. 7.2 Personnel involved in the certification activities The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific requirements and guidance apply. 7.2.1 IS 7.2 Competence of certification body personnel Certification bodies shall have personnel competent to a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit; b) brief ISMS auditors and arrange any necessary training; c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications; d) set up and operate an appeals and complaints process. 7.2.1.1 Training of audit teams The certification body shall have criteria for the training of audit teams that ensures a) knowledge of the ISMS standard and other relevant normative documents; b) understanding of information security; c) understanding of risk assessment and risk management from the business perspective; d) technical knowledge of the activity to be audited; e) general knowledge of regulatory requirements relevant to ISMSs; f) knowledge of management systems; g) understanding of the principles of auditing based on ISO 19011; h) knowledge of ISMS effectiveness review and measurement of control effectiveness. These training requirements apply to all members of the audit team, with the exception of d), which can be shared among members of the audit team. oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved 5 7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification body shall ensure that the skills brought to each assignment are appropriate. The team shall a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which certification is sought and, where relevant, with associated procedures and their potential information security risks (technical experts who are not auditors may fulfil this function); b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit of its ISMS in managing the information security aspects of its activities, products and services; c) have appropriate understanding of the regulatory requirements applicable to the client organization’s ISMS. 7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate specific competence in a field of technology appropriate to the audit. Note should be taken that technical experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy in the context of the management system being subjected to audit. The certification body shall have a procedure for a) selecting auditors and technical experts on the basis of their competence, training, qualifications and experience; b) initially assessing the conduct of auditors and technical experts during certification audits and subsequently monitoring the performance of auditors and technical experts. 7.2.1.2 Management of the decision taking process The management function shall have the technical competence and ability in place to manage the process of decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of ISMS certification to the requirements of ISO/IEC 27001. 7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for auditors conducting ISMS audits 7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall a) have an education at secondary level; b) have at least four years full time practical workplace experience in information technology, of which at least two years are in a role or function relating to information security; c) have successfully completed five days of training, the scope of which covers ISMS audits and audit management shall be considered appropriate; d) have gained experience in the entire process of assessing information security prior to assuming responsibility for performing as an auditor. This experience should have been gained by participation in a minimum of four certification audits for a total of at least 20 days, including review of documentation and risk analysis, implementation assessment and audit reporting; e) have experience which is reasonably current; f) be able to put complex operations in a broad perspective and to understand the role of individual units in larger client organizations; g) keep their knowledge and skills in information security and auditing up to date through continual professional development. Technical experts shall comply with criteria a), b), e) and f). oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) 6
© ISO/IEC 2011 – All rights reserved 7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following requirements, which shall be demonstrated in audits under guidance and supervision: a) have knowledge and skills to manage the certification audit process; b) have been an auditor in at least three complete ISMS audits; c) have demonstrated the capability to communicate effectively, both orally and in writing. 7.3 Use of individual external auditors and external technical experts The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific requirements and guidance applies. 7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team When using individual external auditors or external technical experts as part of the audit team, the certification body shall ensure that they are competent and comply with the applicable provisions of this publication and are not involved, either directly or through its employer with the design, implementation or maintenance of an ISMS or related management system(s) in such a way that impartiality could be compromised. 7.3.1.1 Use of technical experts Technical experts with specific knowledge regarding the process and information security issues and legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the audit team. Technical experts shall work under the supervision of an auditor. 7.4 Personnel records The requirements from ISO/IEC 17021:2011, Clause 7.4 apply. 7.5 Outsourcing The requirements from ISO/IEC 17021:2011, Clause 7.5 apply. 8 Information requirements 8.1 Publicly accessible information The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific requirements and guidance apply. 8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing certification The certification body shall require the client organization to have a documented and implemented ISMS which conforms to ISO/IEC 27001 and other documents required for certification. The certification body shall have documented procedures for a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of ISO/IEC 17021 and other relevant documents; b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021 on a periodic basis for continuing conformity with relevant requirements and for verifying and recording that a client organization takes corrective action on a timely basis to correct all nonconformities. oSIST ISO/IEC 27006:2012
ISO/IEC 27006:2011(E) © ISO/IEC 2011 – All rights reserved 7 8.2 Certification documents The requirements from ISO/IEC 17021:2011, Clause 8.2 apply. In addition, the following ISMS-specific requirements and guidance apply. 8.2.1 IS 8.2 ISMS Certification documents The certification body shall provide to each of its client organizations whose ISMS is certified, certification documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For the client organization and each of its information systems covered by the certification, these documents shall identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is certified. In addition, the certificate shall include a reference to the specific version of the Statement of Applicability. NOTE A change to the Statement of Applicability which does not change the coverage of the controls of the scope of certification need not require an update of the certificate. 8.3 Directory of certified clients The requirements from ISO/IEC 17021:2011, Clause 8.3 apply. 8.4 Reference to certification and use of marks The requirements from ISO/IEC 17021:2011, Clause 8.4 apply. In addition, the following ISMS-specific requirements and guidance applies. 8.4.1 IS 8.4 Control of certification marks The certification body shall exercise proper control over ownership, use and display of its ISMS certification marks. If the certification body confers the right to use a mark to indicate certification of an ISMS, the certification body shall ensure that the client organization uses the specified mark only as authorised in writing by the certification body. The certification body shall not entitle the client organization to use this mark on a product, or in a way that may be interpreted as denoting product conformity. 8.5 Confidentiality The requirements from ISO/IEC 17021:2011, Clause 8.5 apply. In addition, the following ISMS-specific requirements and guidance applies. 8.5.1 IS 8.5 Access to organizational records Before the certification audit, the certification body shall ask the client organization to report if any ISMS records cannot be made available for review by the audit team because they contain confidential or sensitive information. The certification body shall determine whether the ISMS can be adequately audited in
...
S L O V E N S K I SIST ISO/IEC 27006
STANDARD
november 2012
Informacijska tehnologija – Varnostne tehnike – Zahteve za organe, ki
izvajajo presojanje in certificiranje sistemov upravljanja informacijske
varnosti
Information technology – Security techniques – Requirements for bodies
providing audit and certification of information security management systems
Technologies de l'information – Techniques de sécurité – Exigences pour les
organismes procédant à l'audit et à la certification des systèmes de management
de la sécurité de l'information
Referenčna oznaka
ICS 03.120.20; 35.040 SIST ISO/IEC 27006:2012 (sl)
Nadaljevanje na straneh 2 do 40
© 2015-07. Slovenski inštitut za standardizacijo. Razmnoževanje ali kopiranje celote ali delov tega standarda ni dovoljeno.
---------------------- Page: 1 ----------------------
SIST ISO/IEC 27006 : 2012
NACIONALNI PREDGOVOR
Standard SIST ISO/IEC 27006 (sl), Informacijska tehnologija – Varnostne tehnike – Zahteve za
organe, ki izvajajo presojanje in certificiranje sistemov upravljanja informacijske varnosti, 2012, ima
status slovenskega standarda in je istoveten mednarodnemu standardu ISO/IEC 27006 (en),
Information technology – Security techniques – Requirements for bodies providing audit and
certification of information security management systems, 2011-12.
NACIONALNI PREDGOVOR
Mednarodni standard ISO/IEC 27006:2011 je pripravil pododbor združenega tehničnega odbora
Mednarodne organizacije za standardizacijo in Mednarodne elektrotehniške komisije ISO/IEC JTC
1/SC 27 Varnostne tehnike v informacijski tehnologiji.
Slovenski standard SIST ISO/IEC 27006:2012 je prevod mednarodnega standarda ISO/IEC
27006:2011. V primeru spora glede besedila slovenskega prevoda je odločilen izvirni mednarodni
standard v angleškem jeziku. Slovenski standard SIST ISO/IEC 27006:2012 je pripravil tehnični odbor
SIST/TC ITC Informacijska tehnologija.
Odločitev za izdajo tega standarda je dne 26. septembra 2012 sprejel SIST/TC ITC Informacijska
tehnologija.
ZVEZA Z NACIONALNIMI STANDARDI
S privzemom tega evropskega standarda veljajo za omejeni namen referenčnih standardov vsi
standardi, navedeni v izvirniku, razen tistih, ki so že sprejeti v nacionalno standardizacijo:
SIST ISO/IEC 17021:2011 Ugotavljanje skladnosti – Zahteve za organe, ki presojajo in certificirajo
sisteme vodenja (ISO/IEC 17021:2011)
SIST ISO/IEC 27001:2005 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Zahteve (zamenjan s SIST ISO/IEC 27001:2013)
SIST ISO 19011 Smernice za presojanje sistemov vodenja (ISO 19011:2011)
OSNOVA ZA IZDAJO STANDARDA
– privzem standarda ISO/IEC 27006:2011
OPOMBI
– Povsod, kjer se v besedilu standarda uporablja izraz “mednarodni standard”, v SIST ISO/IEC
27006:2012 to pomeni “slovenski standard”.
– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.
2
---------------------- Page: 2 ----------------------
SIST ISO/IEC 27006 : 2012
VSEBINA Stran
Predgovor . 5
Uvod . 6
1 Področje uporabe . 7
2 Zveza s standardi . 7
3 Izrazi in definicije . 7
4 Načela. 8
5 Splošne zahteve . 8
5.1 Pravne in pogodbene zahteve . 8
5.2 Obvladovanje nepristranskosti . 8
5.3 Obveznosti in financiranje . 8
6 Strukturne zahteve . 9
6.1 Organizacijska struktura in najvišje vodstvo . 9
6.2 Odbor za varovanje nepristranskosti . 9
7 Zahteve glede virov . 9
7.1 Kompetentnost vodstva in osebja . 9
7.2 Osebje, vključeno v aktivnosti certificiranja . 10
7.3 Uporaba posameznih zunanjih presojevalcev in zunanjih tehničnih strokovnjakov . 11
7.4 Zapisi o osebju . 12
7.5 Oddajanje del zunanjim izvajalcem . 12
8 Zahteve glede informacij . 12
8.1 Javno dostopne informacije . 12
8.2 Certifikacijski dokumenti . 12
8.3 Register certificiranih strank . 12
8.4 Sklicevanje na certifikacijo in uporaba znakov . 12
8.5 Zaupnost . 13
8.6 Izmenjava informacij med certifikacijskim organom in njihovimi strankami . 13
9 Zahteve glede procesov . 13
9.1 Splošne zahteve . 13
9.2 Začetna presoja in certifikacija . 16
9.3 Nadzorne aktivnosti . 20
9.4 Obnovitev certifikacije . 21
9.5 Posebne presoje . 21
9.6 Začasni odvzem, preklic ali krčenje obsega certifikata . 21
9.7 Prizivi . 21
9.8 Pritožbe . 21
9.9 Zapisi o vložnikih in strankah . 22
10 Zahteve za sistem vodenja certifikacijskih organov . 22
10.1 Možnosti . 22
10.2 Možnost št. 1 – Zahteve za sistem vodenja v skladu z ISO 9001 . 22
3
---------------------- Page: 3 ----------------------
SIST ISO/IEC 27006 : 2012
10.3 Možnost št. 2 – Splošne zahteve za sistem vodenja . 22
Dodatek A (informativni): Analiza kompleksnosti organizacije stranke in specifičnih sektorskih
vidikov . 23
Dodatek B (informativni): Primer področij kompetentnosti presojevalca . 26
Dodatek C (informativni): Čas presoje . 28
Dodatek D (informativni): Navodila za pregled uvedenih kontrol po ISO/IEC 27001:2005,
dodatek A . 33
4
---------------------- Page: 4 ----------------------
SIST ISO/IEC 27006 : 2012
Predgovor
ISO (Mednarodna organizacija za standardizacijo) in IEC (Mednarodna elektrotehniška komisija)
tvorita specializiran sistem za svetovno standardizacijo. Nacionalni organi, ki so člani ISO ali IEC,
sodelujejo pri pripravi mednarodnih standardov prek tehničnih odborov, ki jih za obravnavanje
določenih strokovnih področij ustanovi ustrezna organizacija. Tehnični odbori ISO in IEC sodelujejo na
področjih skupnega interesa. Pri delu sodelujejo tudi druge mednarodne, vladne in nevladne
organizacije, povezane z ISO in IEC. Na področju informacijske tehnologije sta ISO in IEC vzpostavila
združeni tehnični odbor ISO/IEC JTC 1.
Mednarodni standardi so pripravljeni v skladu s pravili iz 2. dela Direktiv ISO/IEC.
Glavna naloga združenega tehničnega odbora je priprava mednarodnih standardov. Osnutki
mednarodnih standardov, ki jih sprejme združeni tehnični odbor, se pošljejo nacionalnim organom v
glasovanje. Za objavo kot mednarodni standard je treba pridobiti soglasje najmanj 75 % glasov
glasujočih nacionalnih organov.
Opozoriti je treba na možnost, da je lahko nekaj elementov tega dokumenta predmet patentnih pravic.
ISO in IEC ne prevzemata odgovornosti za prepoznavanje katerih koli ali vseh takih patentnih pravic.
ISO/IEC 27006 je pripravil združeni tehnični odbor ISO/IEC JTC 1 Informacijska tehnologija, pododbor
SC 27 Varnostne tehnike IT.
Ta druga izdaja razveljavlja in nadomešča prvo izdajo (ISO/IEC 27005:2008), ki je bila tehnično
revidirana.
5
---------------------- Page: 5 ----------------------
SIST ISO/IEC 27006 : 2012
Uvod
Standard ISO/IEC 17021 določa kriterije za organe, ki presojajo in certificirajo sisteme vodenja
organizacij. Če so ti organi akreditirani v skladu z ISO/IEC 17021 ter nameravajo presojati in
certificirati sisteme upravljanja informacijske varnosti (SUIV) v skladu z ISO/IEC 27001:2005,
potrebujejo nekatere dodatne zahteve in navodila k ISO/IEC 17021. Ti so na voljo v tem
mednarodnem standardu.
Besedilo v tem mednarodnem standardu sledi strukturi ISO/IEC 17021 in zato so dodatne zahteve,
specifične za SUIV, in navodila o uporabi ISO/IEC 17021 za certificiranje SUIV označeni s črkama
"IV".
V celotnem mednarodnem standardu je modalni glagol "morati" uporabljen za označevanje tistih
določil, ki odražajo zahteve ISO/IEC 17021 in ISO/IEC 27001 ter so obvezne. Izraz "naj" se uporablja
za izražanje priporočil.
Eden od ciljev tega mednarodnega standarda je omogočiti akreditacijskim organom, da uspešneje
uskladijo svojo uporabo standardov s tistimi, katerim so zavezani pri ocenjevanju certifikacijskih
organov.
OPOMBA: V tem mednarodnem standardu se izraza "sistem upravljanja" in "sistem" uporabljata izmenično. Definicijo
sistema upravljanja (vodenja) je mogoče najti v ISO 9000:2005. Sistem upravljanja, kot se uporablja v tem
mednarodnem standardu, se ne sme zamenjati z drugimi vrstami sistemov, kot so sistemi IT.
6
---------------------- Page: 6 ----------------------
SIST ISO/IEC 27006 : 2012
Informacijska tehnologija – Varnostne tehnike – Zahteve za organe, ki izvajajo
presojanje in certificiranje sistemov upravljanja informacijske varnosti
1 Področje uporabe
Ta mednarodni standard določa zahteve in daje navodila organom, ki presojajo in certificirajo sistem
upravljanja informacijske varnosti (SUIV), kot dodatek k zahtevam, ki jih vsebujeta ISO/IEC 17021 in
ISO/IEC 27001. Namenjen je predvsem v podporo akreditiranju certifikacijskih organov, ki nudijo
certificiranje SUIV.
Izpolnjevanje zahtev iz tega mednarodnega standarda mora vsak organ, ki nudi certificiranje SUIV,
dokazati z vidika kompetentnosti in zanesljivosti, navodila iz tega mednarodnega standarda pa
vsakemu organ, ki nudi certificiranje SUIV, zagotavljajo dodatno razlago teh zahtev.
OPOMBA: Ta mednarodni standard se lahko uporablja kot dokument kriterijev za akreditacijo, medsebojno ocenjevanje ali
druge procese presoje.
2 Zveza s standardi
Za uporabo tega standarda so nujno potrebni naslednji navedeni dokumenti. Pri datiranih sklicevanjih
se uporablja zgolj navedena izdaja. Pri nedatiranih sklicevanjih se uporablja zadnja izdaja
navedenega dokumenta (vključno z dopolnili).
ISO/IEC 17021:2006 Ugotavljanje skladnosti – Zahteve za organe, ki presojajo in certificirajo
sisteme vodenja
ISO/IEC 27001:2005 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Zahteve
ISO/IEC 19011 Smernice za presojanje sistemov vodenja
3 Izrazi in definicije
V tem dokumentu se uporabljajo izrazi in definicije, podani v ISO/IEC 17021, ISO/IEC 27001 in v
nadaljevanju.
3.1
certifikat
certifikat, ki ga izda certifikacijski organ v skladu s pogoji svoje akreditacije in ima znak akreditacije ali
izjavo
3.2
certifikacijski organ
tretja stranka, ki ocenjuje in certificira SUIV organizacije stranke glede na objavljene standarde SUIV
in vso dodatno dokumentacijo, ki se potrebuje v sistemu
3.3
certifikacijski dokument
dokument, ki dokazuje, da je SUIV organizacije stranke v skladu z določenimi standardi SUIV in vso
dodatno dokumentacijo, ki se potrebuje v sistemu
3.4
znak
zakonito registrirana blagovna znamka ali drugačen zaščiten simbol, ki je izdan v skladu s pravili
akreditacijskega ali certifikacijskega organa in kaže, da so ti organi dokazali ustrezno zaupanje v
delovanje sistemov in da ustrezni proizvodi oziroma posamezniki ustrezajo zahtevam določenega
standarda
7
---------------------- Page: 7 ----------------------
SIST ISO/IEC 27006 : 2012
3.5
organizacija
družba, korporacija, podjetje, organ ali institucija ali kombinacija vseh teh, ki je bodisi združena ali ne,
javna ali zasebna, ima lastne naloge in upravo ter je sposobna zagotoviti izvajanje informacijske
varnosti
4 Načela
Veljajo načela iz ISO/IEC 17021:2011, točka 4.
5 Splošne zahteve
5.1 Pravne in pogodbene zadeve
Veljajo zahteve iz ISO/IEC 17021:2011, točka 5.1.
5.2 Obvladovanje nepristranskosti
Veljajo zahteve iz ISO/IEC 17021:2011, točka 5.2. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
5.2.1 IV 5.2 Nasprotje interesov
Certifikacijski organi lahko opravljajo naslednje naloge, ne da bi bile obravnavane kot svetovanje ali da
bi vsebovale morebitno nasprotje interesov:
a) certificiranje, vključno z informativnimi srečanji, srečanji načrtovanj, pregledi dokumentov,
presojanjem (ki ni notranje presojanje SUIV ali notranje ocenjevanje varnosti) in spremljanjem
neskladnosti,
b) urejanje in sodelovanje kot predavatelj v programih usposabljanja, pri čemer se morajo
certifikacijski organi, kadar se ti programi nanašajo na upravljanje informacijske varnosti in z njimi
povezanih sistemov upravljanja ali presojanja, omejiti le na zagotavljanje splošnih informacij in
nasvetov, ki so brezplačno na voljo v javnem interesu, kar pomeni, da ne smejo dajati specifičnih
nasvetov posameznim podjetjem, ki so v nasprotju z zahtevami iz c) spodaj,
c) omogočanje dostopa do informacij ali objavljanje informacij na zahtevo, v katerih certifikacijski
organ razlaga zahteve standardov o certifikacijski presoji (glej 9.1.1.1),
d) aktivnosti pred presojo, namenjene zgolj ugotavljanju pripravljenosti na certifikacijsko presojo,
vendar pa takšne aktivnosti ne smejo voditi v dajanje priporočil ali nasvetov, ki bi bili lahko v
nasprotju s to točko, certifikacijski organ pa mora biti sposoben potrditi, da te aktivnosti niso v
nasprotju s temi zahtevami ter da se ne uporabljajo za utemeljitev skrajšanja trajanja morebitne
certifikacijske presoje,
e) izvajanje presoj v vlogi druge in tretje stranke, v skladu s standardi ali predpisi, razen tistih, ki so
del obsega akreditacije,
f) dodajanje vrednosti med certifikacijskimi presojami in rednimi obiski, na primer, s
prepoznavanjem možnosti za izboljšave, ko te postanejo očitne med presojanjem, brez priporočil
posebnih rešitev.
Certifikacijski organ mora biti neodvisen od organa ali organov (vključno z vsemi posamezniki), ki
izvajajo notranjo presojo SUIV organizacije stranke, ki je predmet certificiranja.
5.3 Obveznosti in financiranje
Veljajo zahteve iz ISO/IEC 17021:2011, točka 5.3.
8
---------------------- Page: 8 ----------------------
SIST ISO/IEC 27006 : 2012
6 Strukturne zahteve
6.1 Organizacijska struktura in najvišje vodstvo
Veljajo zahteve iz ISO/IEC 17021:2011, točka 6.1.
6.2 Odbor za varovanje nepristranskosti
Veljajo zahteve iz ISO/IEC 17021:2011, točka 6.2.
7 Zahteve glede virov
7.1 Kompetentnost vodstva in osebja
Veljajo zahteve iz ISO/IEC 17021:2011, točka 7.1. Poleg tega pa veljajo naslednje zahteve in
navodila, specifični za SUIV.
7.1.1 IV 7.1.1 Splošno
Bistveni elementi kompetentnosti, potrebni za izvajanje certificiranja SUIV, so izbiranje, zagotavljanje
in vodenje tistih posameznikov, katerih veščine in kolektivna kompetentnost so primerne za presojane
aktivnosti in za povezana vprašanja informacijske varnosti.
7.1.1.1 Analiza kompetentnosti in pregled pogodb
Certifikacijski organ mora zagotoviti, da ima znanje o tehnološkem in pravnem razvoju, pomembnem
za SUIV organizacije stranke, katerega ocenjuje.
Certifikacijski organ mora imeti uspešen sistem za analiziranje kompetentnosti pri upravljanju
informacijske varnosti, ki jih mora imeti na voljo, glede na vsa strokovna področja, na katerih deluje.
Za vsako stranko mora biti certifikacijski organ sposoben dokazati, da je pred pregledom pogodbe
izvedel analizo kompetentnosti (ocenjevanje veščin kot odgovor na ovrednotene potrebe) za zahteve
vsakega pomembnega sektorja. Certifikacijski organ mora nato na podlagi rezultatov te analize
pregledati pogodbo z organizacijo stranke. Še posebej mora biti certifikacijski organ sposoben
dokazati, da je kompetenten za dokončanje naslednjih aktivnosti:
a) da razume področja dejavnosti organizacije stranke in s tem povezana poslovna tveganja,
b) da opredeli kompetence, potrebne certifikacijskemu organu za certificiranje v zvezi s
prepoznanimi aktivnostmi in informacijsko varnostjo glede na grožnje dobrinam, ranljivosti in
vplive na organizacijo stranke,
c) da potrdi razpoložljivost potrebnih kompetenc.
7.1.1.2 Viri
Vodstvo certifikacijskega organa mora imeti potrebne procese in vire, da je sposobno ugotoviti, ali so
posamezni presojevalci kompetentni za naloge, ki jih morajo opravljati v obsegu certifikacije, v
katerem delujejo. Kompetentnost presojevalcev se lahko ugotavlja s preverjanjem osnovnih veščin in
posebnim usposabljanjem ali kratkimi napotki (glej tudi dodatek B). Certifikacijski organ mora biti
sposoben učinkovito komunicirati z vsemi tistimi strankami, ki jim zagotavlja storitve.
7.1.2 IV Določanje kriterijev kompetentnosti
V dodatku B so navedene dodatne informacije o znanju in veščinah, ki podpirajo kriterije
kompetentnosti iz ISO/IEC 17021.
9
---------------------- Page: 9 ----------------------
SIST ISO/IEC 27006 : 2012
7.2 Osebje, vključeno v aktivnosti certificiranja
Veljajo zahteve iz ISO/IEC 17021:2011, točka 7.2. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
7.2.1 IV 7.2 Kompetentnost osebja certifikacijskega organa
Certifikacijski organi morajo imeti osebje, kompetentno, da:
a) izbere in preveri kompetentnost presojevalcev SUIV za presojevalske skupine, primerne za
presojo,
b) da napotke presojevalcem SUIV in uredi vsako potrebno usposabljanje,
c) odloča o podelitvi, vzdrževanju, preklicu, začasnem odvzemu, razširitvi ali krčenju obsega
certifikacije,
d) vzpostavi in vodi proces pritožb in prizivov.
7.2.1.1 Usposabljanje presojevalskih skupin
Certifikacijski organ mora imeti kriterije za usposabljanje presojevalskih skupin tako, da zagotovijo:
a) znanje o standardih za SUIV in o drugih ustreznih normativnih dokumentih,
b) razumevanje informacijske varnosti,
c) razumevanje ocenjevanja tveganja in obvladovanja tveganja z vidika poslovanja,
d) tehnično znanje o presojani aktivnosti,
e) splošno znanje o regulativnih zahtevah, pomembnih za SUIV,
f) znanje o sistemih vodenja,
g) razumevanje načel presojanja, ki temeljijo na ISO 19011,
h) znanje o uspešnosti pregleda SUIV in merjenju uspešnosti nadzora.
Te zahteve za usposabljanje veljajo za vse člane presojevalske skupine, razen d), ki se lahko razdeli
med člani presojevalske skupine.
7.2.1.1.1 Pri izbiri presojevalske skupine, ki bo imenovana za posebno certifikacijsko presojo, mora
certifikacijski organ zagotoviti, da so veščine, ki jih prinese vsak imenovani, ustrezne. Skupina mora:
a) imeti ustrezno tehnično znanje o posebnih aktivnostih v obsegu SUIV, za katerega se zahteva
certificiranje, in kjer je to primerno, z njimi povezanih postopkih in njihovih morebitnih
informacijskih varnostnih tveganjih (tehnični strokovnjaki, ki niso presojevalci, lahko opravljajo to
funkcijo),
b) imeti zadostno stopnjo razumevanja organizacije stranke, da izvede zanesljivo certifikacijsko
presojo njenega SUIV pri upravljanju vidikov informacijske varnosti pri njenih aktivnostih,
proizvodih in storitvah,
c) imeti ustrezno razumevanje regulativnih zahtev glede SUIV organizacije stranke.
7.2.1.1.2 Kadar je potrebno, se presojevalska skupina lahko dopolni s tehničnimi strokovnjaki, ki
lahko dokažejo posebne kompetence na področju tehnike, primerne za presojo. Pri tem naj se
opomni, da tehničnih strokovnjakov ni mogoče uporabiti namesto presojevalcev SUIV, lahko pa
svetujejo presojevalcem o zadevah tehnične ustreznosti v okviru presojanega sistema upravljanja.
Certifikacijski organ mora imeti postopek za:
a) izbiro presojevalcev in tehničnih strokovnjakov na podlagi njihove kompetentnosti,
usposobljenosti, kvalifikacij in izkušenj,
b) začetno ocenjevanje ravnanja presojevalcev in tehničnih strokovnjakov med certifikacijskimi
10
---------------------- Page: 10 ----------------------
SIST ISO/IEC 27006 : 2012
presojami in nato spremljanje dela presojevalcev in tehničnih strokovnjakov.
7.2.1.2 Vodenje procesa sprejemanja odločitev
Vodstvena funkcija mora biti tehnično kompetentna in sposobna voditi proces sprejemanja odločitev v
zvezi s podelitvijo, vzdrževanjem, razširitvijo in krčenjem obsega, začasnim odvzemom in preklicem
certifikacije SUIV na podlagi zahtev ISO/IEC 27001.
7.2.1.3 Zahtevane stopnje izobrazbe, delovne izkušnje, usposobljenost in izkušnje za
presojevalce, ki izvajajo presoje SUIV
7.2.1.3.1 Vsak presojevalec v presojevalski skupini za SUIV mora izpolnjevati naslednje kriterije.
Presojevalec mora:
a) imeti srednješolsko izobrazbo,
b) imeti najmanj štiri leta praktičnih izkušenj s polnim delovnim časom na delovnem mestu s
področja informacijske tehnologije, od katerih je bil vsaj dve leti v vlogi ali funkciji, povezani z
informacijsko varnostjo,
c) uspešno zaključiti pet dni usposabljanja s področja, ki zajema presoje SUIV, in ga mora vodstvo
presoje šteti za ustreznega,
d) pridobiti izkušnje v celotnem procesu ocenjevanja informacijske varnosti, preden prevzame
odgovornost za izvajanje kot presojevalec. Te izkušnje naj pridobi s sodelovanjem v najmanj štirih
certifikacijskih presojah v skupnem trajanju najmanj 20 dni, vključno s pregledom dokumentacije
in analizami tveganja, izvajanjem ocenjevanja in poročanjem o presoji,
e) imeti izkušnje, ki so razumno posodobljene,
f) biti sposoben postaviti zapletene postopke v širše perspektive in razumeti vlogo posameznih enot
v večjih organizacijah stranke,
g) ohranjati na tekočem svoje znanje in veščine na področju informacijske varnosti in presojanja z
nenehnim strokovnim razvojem.
Tehnični strokovnjaki morajo izpolnjevati kriterije a), b), e) in f).
7.2.1.3.2 Dodatno k zahtevam iz 7.2.1.3.1 morajo vodje presojevalske skupine izpolnjevati naslednje
zahteve, ki jih morajo pokazati pri vodeni in nadzorovani presoji:
a) imeti znanje in veščine za vodenje procesa certifikacijske presoje,
b) so bili presojevalci v vsaj treh celotnih presojah SUIV,
c) so pokazali sposobnost uspešnega komuniciranja, tako ustnega kot pisnega.
7.3 Uporaba posameznih zunanjih presojevalcev in zunanjih tehničnih strokovnjakov
Veljajo zahteve iz ISO/IEC 17021:2011, točka 7.3. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
7.3.1 IV 7.3 Uporaba zunanjih presojevalcev ali zunanjih tehničnih strokovnjakov kot del
presojevalske skupine
Kadar so del presojevalske skupine tudi posamezni zunanji presojevalci ali zunanji tehnični strokovnjaki,
mora certifikacijski organ zagotoviti, da so usposobljeni in v skladu z veljavnimi določili te publikacije ter
da niso, bodisi neposredno ali prek svojega delodajalca, vključeni v snovanje, izvajanje ali vzdrževanje
SUIV ali podobnega(-ih) sistema(-v) za upravljanje tako, da bi bila lahko ogrožena nepristranskost.
7.3.1.1 Uporaba tehničnih strokovnjakov
Tehnični strokovnjaki s posebnim znanjem v zvezi s procesom ter vprašanji informacijske varnosti in
11
---------------------- Page: 11 ----------------------
SIST ISO/IEC 27006 : 2012
zakonodaje, ki vplivajo na organizacijo stranke, ki pa ne izpolnjujejo vseh kriterijev iz 7.2, so lahko del
presojevalske skupine. Tehnični strokovnjaki morajo delovati pod nadzorom presojevalca.
7.4 Zapisi o osebju
Veljajo zahteve iz ISO/IEC 17021:2011, točka 7.4.
7.5 Oddajanje del zunanjim izvajalcem
Veljajo zahteve iz ISO/IEC 17021:2011, točka 7.5.
8 Zahteve glede informacij
8.1 Javno dostopne informacije
Veljajo zahteve iz ISO/IEC 17021:2011, točka 8,1. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
8.1.1 IV 8.1 Postopki za podelitev, vzdrževanje, razširitev ali krčenje obsega, začasni
odvzem ali preklic certifikacije
Certifikacijski organ mora zahtevati od organizacije stranke, da ima dokumentiran in izveden SUIV, ki
je skladen z ISO/IEC 27001 in drugimi dokumenti, zahtevanimi za certifikacijo.
Certifikacijski organ mora imeti dokumentirane postopke za:
a) začetno certifikacijsko presojo SUIV organizacije stranke v skladu z določili ISO/IEC 17021 in
drugimi ustreznimi dokumenti,
b) redne in obnovitvene certifikacijske presoje SUIV organizacije stranke v skladu z ISO/IEC 17021
v rednih časovnih presledkih za nadaljnjo skladnost z ustreznimi zahtevami ter za preverjanje in
poročanje, da organizacija stranke izvaja popravne ukrepe pravočasno za popravilo vseh
neskladnosti.
8.2 Certifikacijski dokumenti
Veljajo zahteve iz ISO/IEC 17021:2011, točka 8.2. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
8.2.1 IV 8.2 Certifikacijski dokumenti SUIV
Certifikacijski organ mora vsaki svoji stranki, katere SUIV je certificiran, zagotoviti certifikacijske
dokumente, kot so pismo ali certifikat, ki ga je podpisala uradna oseba, imenovana za podpisovanje.
Za stranko organizacije in vsak njen informacijski sistem, ki ga certifikacija zajema, morajo ti
dokumenti določiti obseg, za katerega je certifikacija dodeljena, in navesti standard ISO/IEC 27001 o
sistemih upravljanja informacijske varnosti, po katerem je bil SUIV certificiran. Poleg tega se mora
certifikacija sklicevati na posebno različico izjave o uporabnosti.
8.3 Register certificiranih strank
Veljajo zahteve iz ISO/IEC 17021:2011, točka 8.3.
8.4 Sklicevanje na certifikacijo in uporaba znakov
Veljajo zahteve iz ISO/IEC 17021:2011, točka 8.4. Poleg tega veljajo še naslednje zahteve in
navodila, specifični za SUIV.
12
---------------------- Page: 12 ----------------------
SIST ISO/IEC 27006 : 2012
8.4.1 IV 8.4 Nadzor nad certifikacijskimi znaki
Certifikacijski organ mora izvajati ustrezen nadzor nad lastništvom, uporabo in prikazom svojih
certifikacijskih znakov za SUIV. Če certifikacijski organ podeli pravico do uporabe znaka za prikaz
certifikacije SUIV, mora zagotoviti, da organizacija stranke uporablja poseben znak le na način, kot jo
je pisno poob
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.