ISO/IEC FDIS 27706
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
Technologie de l'information, cybersécurité et protection de la vie privée — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la protection de la vie privée
Standards Content (Sample)
FINAL DRAFT International Standard
ISO/IEC FDIS 27706
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-12-27
Voting terminates on: 2025-02-21
ISO/CEN PARALLEL PROCESSING

Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems

RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 3
5 General requirements . 3
5.1 Legal and contractual matters .3
5.2 Management of impartiality .3
5.2.1 General considerations .3
5.2.2 Conflicts of interest.3
5.3 Liability and financing .3
6 Structural requirements . 3
7 Resource requirements . 3
7.1 Competence of personnel .3
7.1.1 General considerations .3
7.1.2 Determination of competence criteria.4
7.1.3 Evaluation processes .4
7.1.4 Other considerations .5
7.2 Personnel involved in the certification activities .5
7.3 Use of individual auditors and external technical experts .5
7.4 Personnel records .5
7.5 Outsourcing .5
8 Information Requirements . 5
8.1 Public information .5
8.2 Certification documents .5
8.2.1 General .5
8.2.2 PIMS certification documents .5
8.3 Reference to certification and use of marks .5
8.4 Confidentiality .6
8.4.1 General .6
8.4.2 Access to organizational records.6
8.5 Information exchange between a certification body and its clients .6
9 Process requirements . 6
9.1 Pre-certification activities .6
9.1.1 Application .6
9.1.2 Application review .6
9.1.3 Audit programme .6
9.1.4 Determining audit time .7
9.2 Planning audits .7
9.2.1 Determining audit objectives, scope and criteria .7
9.2.2 Audit team selection and assignments .7
9.2.3 Audit plan .7
9.3 Initial certification .8
9.3.1 General .8
9.3.2 Initial certification audit .8
9.4 Conducting audits .9
9.4.1 General .9
9.4.2 Specific elements of the PIMS audit .9
9.4.3 Audit report .9
9.5 Certification decision .10
9.6 Maintaining certification .10
9.6.1 General .10
9.6.2 Surveillance activities .10
9.7 Appeals .10
9.8 Complaints.10
9.9 Client records .11
10 Management system requirements for certification bodies .11
10.1 Options .11
10.2 Option A: General management system requirements .11
10.3 Option B: Management system requirements in accordance with ISO 9001 .11
Annex (normative) Audit time
Annex (informative) Methods for audit time calculations
Annex (normative) Required knowledge and skills
Bibliography
...