iTeh Standards logo
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC TS 27006-2:2021

(Main)

Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems

Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Exigences pour les organismes procédant à l’audit et à la certification des systèmes de management des informations de sécurité — Partie 2: Systèmes de management des informations de sécurité

General Information

Status
Published
Publication Date
25-Feb-2021
ICS
03.120.20 - Product and company certification. Conformity assessment
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 5 - Identity management and privacy technologies
Current Stage
9599 - Withdrawal of International Standard
Start Date
14-Oct-2025
Completion Date
30-Oct-2025
Ref Project

Relations

Revised
ISO/IEC 27706:2025 - Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems
Effective Date
06-Jun-2022

Overview

ISO/IEC TS 27006-2:2021 is a Technical Specification that defines additional requirements and guidance for bodies auditing and certifying Privacy Information Management Systems (PIMS) implemented to ISO/IEC 27701 together with ISO/IEC 27001. Published in 2021, it supplements ISO/IEC 27006 by specifying PIMS‑specific competence, process and information requirements. The document is primarily intended to support accreditation bodies and to harmonize assessment of certification bodies offering PIMS certification.

Key topics and requirements

This TS follows the structure of ISO/IEC 27006 and identifies PIMS-specific elements (prefixed “PS”). Major topics include:

  • Scope and normative basis - Clarifies that ISO/IEC 27006 and ISO/IEC 27701 apply alongside this TS.
  • Legal and contractual matters - Requirements for agreements, normative references and contractual clarity.
  • Management of impartiality - Conflict of interest rules; notably certification bodies shall not provide PIMS consultancy (e.g., acting as external DPO or performing data protection reviews).
  • Structural and resource requirements - Organizational arrangements for reliable PIMS certification.
  • Competence of personnel - Determination of competence criteria, auditor knowledge/experience, selection and use of external auditors and technical experts.
  • Information requirements - Public information, certification documentation, confidentiality and exchange of client information.
  • Process requirements - Pre‑certification, application review, audit planning (time, multi‑site sampling, multi‑system audits), conducting audits (initial, surveillance, re‑certification, special audits), certification decisions, appeals and complaints.
  • Management system requirements for certification bodies - Options for implementing a management system (including alignment with ISO 9001).

Practical applications and users

ISO/IEC TS 27006-2 is used to:

  • Guide accreditation bodies assessing certification bodies for PIMS accreditation.
  • Define demonstrable competence and impartiality criteria for certification bodies offering ISO/IEC 27701 certification.
  • Support audit teams (lead auditors, technical experts) in planning and conducting PIMS audits consistent with ISO/IEC 27001 controls and privacy extensions.
  • Serve as a criteria document for peer assessments or other audit processes. Benefits include harmonized accreditation decisions, clearer competence requirements for auditors, and strengthened confidence in certified PIMS.

Related standards

  • ISO/IEC 27006 (requirements for ISMS certification bodies)
  • ISO/IEC 27701 (PIMS extension to ISO/IEC 27001/27002)
  • ISO/IEC 27001 (information security management)
  • ISO/IEC 17021-1 (management system certification bodies)
  • ISO/IEC 27000, ISO/IEC 29100

Keywords: ISO/IEC TS 27006-2, PIMS certification, ISO/IEC 27701, certification bodies, accreditation, privacy information management systems, audit requirements.

ISO/IEC TS 27006-2:2021 - Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems Released:2/26/2021ISO/IEC TS 27006-2:2021 - Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems Released:2/26/2021
PreviousNext
Technical specification
ISO/IEC TS 27006-2:2021 - Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems Released:2/26/2021
English language
9 pages
sale 15% off
Preview
sale 15% off
Preview

Frequently Asked Questions

ISO/IEC TS 27006-2:2021 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems". This standard covers: This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

ISO/IEC TS 27006-2:2021 is classified under the following ICS (International Classification for Standards) categories: 03.120.20 - Product and company certification. Conformity assessment; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/IEC TS 27006-2:2021 has the following relationships with other standards: It is inter standard links to ISO/IEC 27706:2025. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO/IEC TS 27006-2:2021 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


TECHNICAL ISO/IEC TS
SPECIFICATION 27006-2
First edition
2021-02
Requirements for bodies providing
audit and certification of information
security management systems —
Part 2:
Privacy information management
systems
Exigences pour les organismes procédant à l’audit et à la certification
des systèmes de management des informations de sécurité —
Partie 2: Systèmes de management des informations de sécurité
Reference number
©
ISO/IEC 2021
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Principles . 2
5 General requirements . 2
5.1 Legal and contractual matters . 2
5.2 Management of impartiality . 2
5.3 Liability and financing . 2
6 Structural requirements . 2
7 Resource requirements . 2
7.1 Competence of personnel . 2
7.1.1 PS 7.1.1 General considerations . 2
7.1.2 PS 7.1.2 Determination of competence criteria . 2
7.2 Personnel involved in the certification activities . 3
7.2.1 PS 7.2 Demonstration of auditor knowledge and experience . 4
7.2.2 PS 7.2.1.1 Selecting auditors . 4
7.3 Use of individual external auditors and external technical experts . 4
7.4 Personnel records. 4
7.5 Outsourcing. 4
8 Information requirements . 4
8.1 Public information . 4
8.2 Certification documents . 4
8.2.1 PS 8.2 PIMS Certification documents . 4
8.3 Reference to certification and use of marks . 5
8.4 Confidentiality . 5
8.5 Information exchange between a certification body and its clients . 5
9 Process requirements . 5
9.1 Pre-certification activities . 5
9.1.1 Application . 5
9.1.2 Application review . 5
9.1.3 Audit programme . 5
9.1.4 Determining audit time . 6
9.1.5 Multi-site sampling . 7
9.1.6 Multiple management systems . 7
9.2 Planning audits . 7
9.2.1 Determining audit objectives, scope and criteria . 7
9.2.2 Audit team selection and assignments . 7
9.2.3 Audit plan . 7
9.3 Initial certification . 7
9.4 Conducting audits . 7
9.4.1 IS 9.4 General . 7
9.4.2 IS 9.4 Specific elements of the ISMS audit . 7
9.4.3 IS 9.4 Audit report . 7
9.5 Certification decision . 7
9.6 Maintaining certification . 8
9.6.1 General. 8
9.6.2 Surveillance activities . 8
9.6.3 Re-certification . 8
9.6.4 Special audits . 8
© ISO/IEC 2021 – All rights reserved iii

9.6.5 Suspending, withdrawing or reducing the scope of certification . 8
9.7 Appeals . 8
9.8 Complaints . 8
9.9 Client records . 8
10 Management system requirements for certification bodies . 8
10.1 Options . 8
10.2 Option A: General management system requirements . 8
10.3 Option B: Management system requirements in accordance with ISO 9001. 9
iv © ISO/IEC 2021 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Joint Technical Committee ISO/JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 27006 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved v

Introduction
ISO/IEC 27006 sets out criteria for bodies providing audit and certification of information security
management systems. If such bodies are also to be accredited as complying with ISO/IEC 27006 with
the objective of auditing and certifying privacy information management systems (PIMS) in accordance
with ISO/IEC 27701:2019, some additional requirements and guidance to ISO/IEC 27006 are necessary.
These are provided by this document.
The text in this document follows the structure of ISO/IEC 27006 and the additional PIMS-specific
requirements and guidance on the application of ISO/IEC 27006 for PIMS certification are identified by
the letters “PS”.
The primary purpose of this document is to enable accreditation bodies to more effectively harmonize
their application of the standards against which they are bound to assess certification bodies.
vi © ISO/IEC 2021 – All rights reserved

TECHNICAL SPECIFICATION ISO/IEC TS 27006-2:2021(E)
Requirements for bodies providing audit and certification
of information security management systems —
Part 2:
Privacy information management systems
1 Scope
This document specifies requirements and provides guidance for bodies providing audit and
certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in
combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and
ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing
PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and
reliability by anybody providing PIMS certification, and the guidance contained in this document
provides additional interpretation of these requirements for any b
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

The article discusses ISO/IEC TS 27006-2:2021, which outlines the requirements for bodies that provide audit and certification of privacy information management systems (PIMS). The standard focuses on certifying PIMS according to ISO/IEC 27701 and ISO/IEC 27001, in addition to the requirements in ISO/IEC 27006 and ISO/IEC 27701. The main purpose of this document is to support the accreditation of certification bodies that offer PIMS certification. It emphasizes the need for competence and reliability in demonstrating the requirements outlined in the document. The guidance provided in the standard offers further interpretation of these requirements for the bodies providing PIMS certification. This document can also be utilized as a criteria document for accreditation, peer assessment, or other audit processes.

This May Also Interest You

ISO
ISO/IEC 27706:2025(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    24 pages
    English language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
ISO
ISO/IEC 27006-1:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of information security management systems - Part 1: General

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    47 pages
    English language
    sale 15% off
  • Standard
    53 pages
    French language
    sale 15% off
ISO
ISO/IEC 27007:2020(Main)
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing

This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Standard
    39 pages
    English language
    sale 15% off
  • Standard
    42 pages
    French language
    sale 15% off
ISO
ISO 21805:2023/Amd 1:2025(Amendment)
Guidance and recommendations on design, selection and installation of vents to safeguard the structural integrity of enclosures protected by gaseous fire-extinguishing systems - Amendment 1
  • Standard
    1 page
    English language
    sale 15% off
ISO
ISO/IEC TS 29125:2017/Amd 1:2020/Cor 1:2025(Corrigendum)
Information technology - Telecommunications cabling requirements for remote powering of terminal equipment - Amendment 1 - Technical Corrigendum 1
  • Technical specification
    1 page
    English language
    sale 15% off
ISO
ISO/IEC 11801-1:2017/Amd 1:2025/Cor 1:2025(Corrigendum)
Information technology - Generic cabling for customer premises - Part 1: General requirements - Amendment 1 - Technical Corrigendum 1
  • Standard
    1 page
    English language
    sale 15% off
ISO
ISO/IEC TS 29125:2017/Amd 2:2024/Cor 1:2025(Corrigendum)
Information technology - Telecommunications cabling requirements for remote powering of terminal equipment - Amendment 2 - Technical Corrigendum 1
  • Technical specification
    4 pages
    English language
    sale 15% off
ISO
ISO 6670:2025(Main)
Instant coffee - Sampling method for bulk units with liners

1.1 This document specifies a sampling method for a consignment of instant coffee, shipped in 10 package units or more. This document is applicable to cases which have inner linings of moisture-resistant material hermetically sealed because of the hygroscopic nature of instant coffee and which are in package units greater than 10 kg net mass, typically up to 50 kg. This document is also applicable to units of more than 50 kg, usually called “big bags” or “supersacks”. The cases are generally made of cardboard of appropriate strength and the big bags are made of suitable plastic material. 1.2 This document is also applicable to the selection and preparation of a sufficiently representative sample of the consignment, which is intended: a) to serve as a basis for an offer for sale; b) for examination to verify that the instant coffee to be offered for sale satisfies the producer’s sales specification; c) for examination to determine one or more of the characteristics of the instant coffee for technical, commercial, administrative and arbitration purposes; d) for retention as a reference sample for use, if required, in litigation. 1.3 This document is applicable to all types of instant coffee, as defined in ISO 3509, contained in all types of units with liners, with the exception stated in 1.4. 1.4 For bulk density and particle size, this document is applicable to spray-dried powder and freeze-dried instant coffees only, as defined in ISO 3509, due to the intrinsic fragility of particles of agglomerated instant coffee, which leads to greater breakdown and headspace in the final packed units for the consumer.

  • Standard
    6 pages
    English language
    sale 15% off
ISO
ISO 13315-5:2025(Main)
Environmental management for concrete and concrete structures - Part 5: Execution of concrete structures

This document provides the principles and procedures of environmental management for execution activities of concrete structures, which comprises earthwork/foundation work, formwork, reinforcement work, concreting work and waste treatment. Additional works for concrete structures such as electric work and utility work are outside the scope of this standard.

  • Standard
    20 pages
    English language
    sale 15% off
ISO
ISO 22544:2025(Main)
Laboratory design - Vocabulary

This document defines the core terms and definitions in the field of laboratory design.

  • Standard
    30 pages
    English language
    sale 15% off
  • Draft
    38 pages
    French language
    sale 15% off