Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems

This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.

Technologies de l'information - Techniques de sécurité - Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information

Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo presoje in certificiranje sistemov upravljanja informacijske varnosti

Ta mednarodni standard opredeljuje zahteve in podaja navodilo za organe, ki izvajajo presoje in certificiranje sistemov upravljanja informacijske varnosti (ISMS), poleg zahtev, ki jih vsebujeta ISO/IEC 17021 in ISO/IEC 27001. Predvsem je namenjen podpori akreditacijskim in certifikacijskim organom, ki izvajajo certificiranje ISMS. Zahteve, ki jih vsebuje ta mednarodni standard, morajo biti izkazane glede na pristojnost in zanesljivost katerega koli organa, ki izvaja certificiranje ISMS, navodilo iz tega mednarodnega standarda pa podaja dodatno razlago teh zahtev za kateri koli organ, ki izvaja certificiranje ISMS.

General Information

Status
Withdrawn
Public Enquiry End Date
02-Jan-2011
Publication Date
09-Feb-2011
Withdrawal Date
07-Oct-2012
Technical Committee
Current Stage
9900 - Withdrawal (Adopted Project)
Start Date
05-Oct-2012
Due Date
28-Oct-2012
Completion Date
08-Oct-2012

Relations

Buy Standard

Standard
ISO/IEC 27006:2007
English language
12 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO/IEC 27006:2007 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
English language
36 pages
sale 15% off
Preview
sale 15% off
Preview
Standard
ISO/IEC 27006:2011
English language
41 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Standard
ISO/IEC 27006:2010
English language
41 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

МЕЖДУНАРОДНЫЙ ISO/IEC
СТАНДАРТ 27006
Первое издание
2007-03-01

Информационные технологии. Методы
и средства обеспечения безопасности.
Требования для органов,
обеспечивающих аудит и
сертификацию систем менеджмента
информационной безопасности
Information technology — Security techniques — Requirements for
bodies providing audit and certification of information security
management systems



Ответственность за подготовку русской версии несёт GOST R
(Российская Федерация) в соответствии со статьёй 18.1 Устава ISO
Ссылочный номер
ISO/IEC 27006:2007(R)
©
ISO/IEC 2007

---------------------- Page: 1 ----------------------
ISO/IEC 27006:2007(R)
Отказ от ответственности при работе в PDF
Настоящий файл PDF может содержать интегрированные шрифты. В соответствии с условиями лицензирования, принятыми
фирмой Adobe, этот файл можно распечатать или смотреть на экране, но его нельзя изменить, пока не будет получена
лицензия на интегрированные шрифты и они не будут установлены на компьютере, на котором ведется редактирование. В
случае загрузки настоящего файла заинтересованные стороны принимают на себя ответственность за соблюдение
лицензионных условий фирмы Adobe. Центральный секретариат ISO не несет никакой ответственности в этом отношении.
Adobe – торговый знак фирмы Adobe Systems Incorporated.
Подробности, относящиеся к программным продуктам, использованные для создания настоящего файла PDF, можно найти
в рубрике General Info файла; параметры создания PDF были оптимизиро4ваны для печати. Были приняты во внимание все
меры предосторожности с тем, чтобы обеспечить пригодность настоящего файла для использования комитетами-членами
ISO. В редких случаях возникновения проблемы, связанной со сказанным выше, просьба проинформировать Центральный
секретариат по адресу, приведенному ниже.


ДОКУМЕНТ ЗАЩИЩЕН АВТОРСКИМ ПРАВОМ


© ISO/IEC 2007
Все права сохраняются. Если не указано иное, никакую часть настоящей публикации нельзя копировать или использовать в
какой-либо форме или каким-либо электронным или механическим способом, включая фотокопии и микрофильмы, без
предварительного письменного согласия ISO, которое должно быть получено после запроса о разрешении, направленного по
адресу, приведенному ниже, или в комитет-член ISO в стране запрашивающей стороны.
ISO copyright office
Case postale 56 · CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Опубликовано в Швейцарии

ii © ISO/IEC 2007 – Все права сохраняются

---------------------- Page: 2 ----------------------
ISO/IEC 27006:2007(R)
Содержание Страница
Предисловие.v
Введение . vi
1 Область распространения.1
2 Нормативные ссылки.1
3 Термины и определения.1
4 Принципы.2
5 Общие требования.2
5.1 Юридические и договорные вопросы.2
5.2 Менеджмент беспристрастности .2
5.3 Обязательства и финансирование.3
6 Требования к структуре .3
6.1 Структура организации и высшее руководство .3
6.2 Комитет по обеспечению защиты беспристрастности.3
7 Требования к ресурсам.3
7.1 Компетентность руководства и персонала.3
7.2 Персонал, участвующий в деятельности по сертификации.4
7.3 Привлечение отдельных внешних аудиторов и внешних технических экспертов .6
7.4 Записи данных о персонале.6
7.5 Аутсорсинг.6
8 Требования к информации.6
8.1 Общедоступная информация.6
8.2 Документы по сертификации.7
8.3 Список сертифицированных клиентов.7
8.4 Ссылка на сертификацию и использование маркировки .7
8.5 Конфиденциальность .7
8.6 Обмен информацией между органом сертификации и его клиентами.8
9 Требования к процессу.8
9.1 Общие требования.8
9.2 Начальный аудит и сертификация. 12
9.3 Деятельность по надзору. 16
9.4 Повторная сертификация. 17
9.5 Специальные аудиты. 17
9.6 Приостановка, отмена или сокращение сферы действия сертификации. 18
9.7 Апелляции . 18
9.8 Жалобы . 18
9.9 Документы заявителей и клиентов . 18
10 Требования системы менеджмента к органам сертификации. 18
10.1 Варианты . 18
10.2 Вариант 1 —Требования системы менеджмента в соответствии с ISO 9001 . 18
10.3 Вариант 2 — Общие требования системы менеджмента . 19
Приложение А (информативное) Анализ сложности организации-клиента и конкретных для
сектора аспектов. 20
Приложение В (информативное) Примерные области компетентности аудитора . 23
Приложение С (информативное) Продолжительность аудита . 25
Приложение D (информативное) Руководство по анализу реализованных мер управления
из Приложения А ISO/IEC 27001:2005 . 31
© ISO/IEC 2007 – Все права сохраняются iii

---------------------- Page: 3 ----------------------
ISO/IEC 27006:2007(R)
Предисловие
Международная организация по стандартизации (ISO) и Международная электротехническая комиссия
(IEC) формируют специализированную систему по мировой стандартизации. Национальные
организации, являющиеся членами ISO или IEC, принимают участие в разработке международных
стандартов через технические комитеты, созданные соответствующей организацией для рассмотрения
вопросов конкретных сфер технической деятельности. Технические комитеты ISO и IEC сотрудничают
в сферах, представляющих взаимный интерес. Другие международные организации, государственные
и негосударственные, взаимодействующие с ISO и IEC, тоже принимают участие в работе. В сфере
информационной технологии ISO и IEC создали совместный технический комитет ISO/IEC JTC 1.
Международные стандарты составляются в соответствии с правилами, приведенными в Директивах
ISO/IEC, Часть 2.
Основной задачей Совместного Технического комитета является подготовка международных
стандартов. Проекты международных стандартов, принятые Техническими комитетами,
распространяются среди орга-низаций-членов для голосования. Публикация в качестве
международного стандарта требует одобрения, по крайней мере, 75 % организаций-членов,
принимающих участие в голосовании.
Следует обратить внимание на возможность того, что некоторые элементы данного документа могут
быть объектом патентного права. ISO не должна нести ответственность за установление любого или
всех таких патентных прав.
ISO/IEC 27006 был подготовлен Совместным Техническим комитетом ISO/IEC JTC 1,
Информационные технологии, Подкомитетом SC 27, Методы и средства обеспечения безопасности.
iv © ISO/IEC 2007 – Все права сохраняются

---------------------- Page: 4 ----------------------
ISO/IEC 27006:2007(R)
Введение
ISO/IEC 17021 — это международный стандарт, содержащий критерии для органов, осуществляющих
аудит и сертификацию систем менеджмента организаций. Если эти органы должны быть
аккредитованы как соответствующие ISO/IEC 17021 с целью проведения аудита и сертификации
систем менеджмента информационной безопасности (СМИБ) в соответствии с ISO/IEC 27001:2005, то
необходимы дополнительные требования и руководства к ISO/IEC 17021. Они представлены в
настоящем международном стандарте.
Текст настоящего международного стандарта повторяет структуру ISO/IEC 17021, а дополнительные
требования, характерные для СМИБ, и руководство по применению ISO/IEC 17021 для сертификации
СМИБ обозначаются аббревиатурой "ИБ".
Термин "должен" используется в этом международном стандарте для указания тех условий, которые,
отражая требования ISO/IEC 17021 и ISO/IEC 27001, являются обязательными. Термин "должен"
используется для обозначения условий, которые, хотя и являются руководством по применению этих
требований, предполагается, что будут приняты органом сертификации.
Цель настоящего международного стандарта — дать возможность органам аккредитации более
эффективно согласовывать применение ими стандартов, в отношении которых они обязаны оценивать
органы сертификации. В этом контексте любое отклонение органа сертификации от руководства
является исключением. Такие отклонения будут разрешены только на основе рассмотрения каждого
случая по отдельности, после того как орган сертификации докажет органу аккредитации, что это
исключение удовлетворяет каким-то эквивалентным образом пункт соответствующих требований
ISO/IEC 17021, ISO/IEC 27001 и настоящего международного стандарта.
ПРИМЕЧАНИЕ В данном международном стандарте термины "система менеджмента" и "система"
используются, заменяя друг друга. Определение системы менеджмента можно найти в ISO/IEC 9000:2005.
Систему менеджмента, использующуюся в этом международном стандарте, не следует путать с другими типами
системы, такими как системы информационных технологий.
© ISO/IEC 2007 – Все права сохраняются v

---------------------- Page: 5 ----------------------
МЕЖДУНАРОДНЫЙ СТАНДАРТ ISO/IEC 27006:2007(R)

Информационные технологии. Методы и средства
обеспечения безопасности. Требования к органам,
осуществляющим аудит и сертификацию систем
менеджмента информационной безопасности
1 Область распространения
В настоящем стандарте устанавливаются требования и дополнительно к требованиям, содержащимся
в ISO/IEC 17021 и ISO/IEC 27001, дается руководство для органов, осуществляющих аудит и
сертификацию СМИБ. Главным образом он предназначен для поддержки аккредитации органов
сертификации, осуществляющих сертификацию СМИБ.
Любой орган, осуществляющий сертификацию СМИБ, должен предъявлять требования, содержащиеся
в настоящем стандарте на основе компетентности и надёжности, а в руководстве предоставляется
дополнительное разъяснение этих требований к органу, осуществляющему сертификацию СМИБ.
ПРИМЕЧАНИЕ Настоящий стандарт может использоваться в качестве документа, содержащего критерии для
аккредитации, экспертной оценки или других процессов аудита.
2 Нормативные ссылки
В настоящем стандарте использованы нормативные ссылки на следующие стандарты:
ISO/IEC 17021:2006, Оценка соответствия. Требования для органов, обеспечивающих аудит и
сертификацию систем менеджмента
ISO/IEC 27001:2005, Информационная технология. Методы и средства обеспечения безопасности.
Системы менеджмента информационной безопасности. Требования
ISO/IEC 19011:2002, Руководящие указания по аудиту систем менеджмента качества и/или систем
экологического менеджмента
3 Термины и определения
В настоящем стандарте применены термины по ISO/IEC 17021, ISO/IEC 27001, а также следующие
термины с соответствующими определениями.
3.1
сертификат
certificate
документ, выданный органом сертификации, в соответствии с условиями его аккредитации и имеющий
подтверждение аккредитации.
3.2
орган сертификации
certification body
третья сторона, оценивающая и сертифицирующая СМИБ организации-клиента на соответствие
действующим стандартам СМИБ и любой дополнительной документации, устанавливаемый в
соответствии с требованиями системы
© ISO/IEC 2007 – Все права сохраняются 1

---------------------- Page: 6 ----------------------
ISO/IEC 27006:2007(R)
3.3
документ сертификации
certification document
документ, указывающий, что СМИБ организации-клиента соответствует стандартам СМИБ и
дополнительной документации, требуемой в соответствии с этой системой
3.4
маркировка
mark
юридически зарегистрированный фирменный знак или защищенным образом символ, который
выпускается по правилам органа аккредитации или органа сертификации, указывающий на то, что
орган достаточно уверен в системах или, что соответствующие продукты или субъекты отвечают
требованиям определенного стандарта
3.5
организация
organization
государственная или частная компания, корпорация, фирма, предприятие, управление или учреждение
или их часть, или их комбинация, имеющая собственные функции и администрацию, и способная
обеспечить информационную безопасность.
4 Принципы
Применяются принципы ISO/IEC 17021:2006, Раздел 4.
5 Общие требования
5.1 Юридические и договорные вопросы
Применяются требования ISO/IEC 17021:2006, 5.1.
5.2 Менеджмент беспристрастности
Применяются требования ISO/IEC 17021:2006, 5.2. Кроме того, применяются следующие, конкретные
для СМИБ, требования и положения
5.2.1 ИБ 5.2 Конфликты интересов
Органы сертификации могут выполнять следующие обязанности, не рассматривая их как консультации
или имеющие потенциальный конфликт интересов:
a) сертификацию, включая информационные совещания, совещания по планированию, изучение
документов, проведение аудита (не внутренних аудитов СМИБ или внутренних проверок
безопасности) и последующую деятельность в отношении несоответствий;
b) организацию курсов обучения и участие в них в качестве преподавателя при условии, что если эти
курсы связаны с менеджментом информационной безопасности, взаимосвязанными системами
менеджмента или с проведением аудита, то органам сертификации необходимо ограничиваться
предоставлением общей информации и рекомендациями, являющимися легко доступными для
всеобщего достояния, т.е. они не должны предоставлять консультацию конкретной компании,
которая противоречит требованиям с), ниже;
c) предоставление или публикацию по запросу информации, описывающей интерпретацию органом
сертификации требований стандартов по сертификации аудита;
d) проведение мероприятий, осуществляющихся до проведения аудита, направленные
исключительно на определение готовности к сертификационному аудиту; однако подобные
действия не должны приводить к предоставлению рекомендаций или консультации,
2 © ISO/IEC 2007 – Все права сохраняются

---------------------- Page: 7 ----------------------
ISO/IEC 27006:2007(R)
противоречащих этому пункту, и орган сертификации должен суметь подтвердить, что подобные
действия не противоречат этим требованиям, и не используются для оправдания возможной
продолжительности сертификационного аудита;
e) проведение аудитов второй и третьей стороны в соответствии со стандартами или положениями
кроме тех, которые являются частью области действия аккредитации;
f) увеличение значимости во время сертификационных аудитов и посещений в рамках надзора,
например, путём определения возможностей для улучшения, которые становятся очевидными в
процессе аудита без рекомендации конкретных решений.
Орган сертификации должен быть независим от органа или органов (включая любых лиц),
осуществляющих внутренний аудит подлежащей сертификации СМИБ организации-клиента.
5.3 Обязательства и финансирование
Применяются требования ISO/IEC 17021:2006, 5.3.
6 Требования к структуре
6.1 Структура организации и высшее руководство
Применяются требования ISO/IEC 17021:2006, 6.1.
6.2 Комитет по обеспечению защиты беспристрастности
Применяются требования ISO/IEC 17021:2006, 6.2.
7 Требования к ресурсам
7.1 Компетентность руководства и персонала
Применяются требования ISO/IEC 17021:2006, 7.1. Кроме того, применяются следующие, характерные
для СМИБ, требования и руководство.
7.1.1 ИБ 7.1 Компетентность руководства
Основные элементы компетентности, требующиеся для проведения сертификации СМИБ, должны
выбирать, обеспечивать и стоять во главе тех индивидуальных лиц, чьи навыки и общая
компетентность подходят для осуществления аудита и решения вопросов, связанных с
информационной безопасностью.
7.1.1.1 Анализ компетентности и проверка договора
Орган сертификации должен обеспечивать уверенность в том, что он обладает знанием
технологических и правовых вопросов, относящихся к СМИБ организации-клиента, которую он
оценивает.
Орган сертификации должен обладать эффективной системой для анализа компетентности в сфере
менеджмента информационной безопасности, которую ему нужно поддерживать доступной по
отношению ко всем техническим сферам, в которых он действует.
Для каждого клиента орган сертификации должен быть способен продемонстрировать осуществление
анализа и компетентности (оценка навыков в ответ на оцененные потребности) в отношении
требований каждого уместного сектора до осуществления проверки договора. Затем орган
сертификации должен осуществить проверку договора с организацией-клиентом, основываясь на
результатах анализа компетентности. В частности, орган сертификации должен быть способен
© ISO/IEC 2007 – Все права сохраняются 3

---------------------- Page: 8 ----------------------
ISO/IEC 27006:2007(R)
продемонстрировать, что он обладает компетентностью для выполнения следующих видов
деятельности:
a) понимание сфер деятельности организации-клиента и связанных с ними бизнес-рисков;
b) определение компетентности, необходимой органу сертификации для осуществления
сертификации в отношении определенной деятельности, связанной с информационной
безопасностью, угрозами активов, уязвимостями и влияниями на организацию-клиента;
c) подтверждение наличия требуемой компетентности.
7.1.1.2 Ресурсы
Руководство органа сертификации должно располагать необходимыми процессами и ресурсами для
определения компетентности отдельных аудиторов в отношении решения задач, которые они должны
выполнить в области сертификации, в которой они действуют. Компетентность аудиторов можно
повысить путем повышения квалификации, специальной полготовки и инструктажа (см. также
Приложение В). Орган сертификации должен быть способен эффективно поддерживать связь с
клиентами, которым он предоставляет услуги.
7.2 Персонал, участвующий в деятельности по сертификации
Применяются требования ISO/IEC 17021:2006, 7.2. Кроме того, применяются следующие, характерные
для СМИБ, требования и положения.
7.2.1 ИБ 7.2 Компетентность персонала органа сертификации
Органы сертификации должны иметь персонал, обладающий компетентностью в вопросах:
a) выбора и проверки компетентности аудиторов СМИБ для групп аудита, предназначенных для
проведения аудита;
b) инструктажа аудиторов СМИБ и организации любого необходимого обучения;
c) принятия решения о разрешении, поддержке, отмене, приостановке, продлении или сокращении
сроков действия сертификации;
d) организации работы, связанной с апелляциями и жалобами.
7.2.1.1 Обучение аудиторских групп
У органа сертификации должны быть критерии обучения аудиторских групп, обеспечивающие:
a) знание стандарта, относящегося к СМИБ, и других уместных нормативных документов;
b) понимание обеспечения информационной безопасности;
c) понимание оценки риска и менеджмента риска, исходя из перспективы бизнеса;
d) техническое знание деятельности, подлежащей аудиту;
e) общее знание регулирующих требований, имеющих отношение к СМИБ;
f) знание систем менеджмента;
g) понимание принципов аудита, основанных на ISO 19011;
h) знание проверки эффективности СМИБ и измерения эффективности средств контроля.
4 © ISO/IEC 2007 – Все права сохраняются

---------------------- Page: 9 ----------------------
ISO/IEC 27006:2007(R)
Эти требования к обучению применяются ко всем членам аудиторской группы за исключением
требований (d), которые можно распределить между членами аудиторской группы.
7.2.1.1.1 При выборе аудиторской группы, которая будет назначена для конкретного
сертификационного аудита, орган сертификации должен обеспечить, чтобы навыки, представленные
для каждого задания, были соответствующими. Группа должна:
a) обладать соответствующими техническими знаниями по конкретной деятельности в области
действия СМИБ, для которой проводится сертификация и, если необходимо, с взаимосвязанными
процедурами и их потенциальными рисками информационной безопасности (эту функцию могут
выполнять технические эксперты, не являющиеся аудиторами);
b) обладать достаточным уровнем понимания работы организации-клиента для проведения
надежного аудита сертификации ее СМИБ в вопросе менеджмента, связанного с аспектами
информационной безопасности ее деятельности, продуктов и услуг;
c) обладать соответствующим пониманием регулирующих требований, применяемых к СМИБ
организации-клиента.
7.2.1.1.2 При необходимости аудиторская группа может дополняться техническими экспертами,
которые могут продемонстрировать специальные знания в области технологии, подлежащей аудиту.
Необходимо отметить, что технических экспертов нельзя использовать вместо аудиторов СМИБ, но
они могут консультировать аудиторов по вопросам технической адекватности в контексте системы
менеджмента, подвергающейся аудиту. У органа по сертификации должна быть процедура по:
a) выбору аудиторов и технических экспертов на основе их компетентности, обучения, квалификации
и опыта;
b) первоначальной оценке поведения аудиторов и технических экспертов во время проведения
аудитов сертификации и последующего мониторинга деятельности аудиторов и технических
экспертов.
7.2.1.2 Менеджмент процесса принятия решений
Управленческая функция должна подразумевать наличие технической компетентности для управления
процессом принятия решений относительно разрешения, поддержки, продления, сокращения,
приостановки и отмены в сертификации СМИБ по требованиям ISO/IEC 27001.
7.2.1.3 Необходимые уровни образования, профессионального опыта, аудиторского
обучения и аудиторского опыта для аудиторов, проводящих аудиты СМИБ
7.2.1.3.1 Приведенные ниже критерии должны применяться к каждому аудитору из аудиторской
группы, осуществляющей аудит СМИБ. Аудитор должен:
a) иметь среднее образование;
b) иметь, по крайней мере, четырехлетний опыт практической работы в режиме полной занятости в
сфере информационной технологии, из которой, по крайней мере, два года [аудитор] должен
выполнять роль или функцию, связанную с информационной безопасностью;
c) успешно завершить пятидневное обучение, сфера которого охватывает аудиты СМИБ, и
менеджмент аудитов должен считаться соответствующим;
d) приобрести опыт, касающийся всего процесса оценки информационной безопасности, до принятия
на себя ответственности за деятельность в качестве аудитора. Этот опыт должен быть
приобретен посредством участия, как минимум, в четырех сертификационных аудитах общей
продолжительностью, по крайней мере, двадцать дней, включая проверку документации и анализ
риска, оценку реализации и составление отчета о результатах аудита;
© ISO/IEC 2007 – Все права сохраняются 5

---------------------- Page: 10 ----------------------
ISO/IEC 27006:2007(R)
e) обладать достаточно современным опытом;
f) быть способным представить сложные операции в широкой перспективе и понимать роль
отдельных подразделений в больших организациях-клиентах;
g) поддерживать свои знания и навыки в сфере информационной безопасности и аудита на
современном уровне путем постоянного повышения профессионального уровня.
Технические эксперты должны соответствовать критериям (a), (b), (e) и (f).
7.2.1.3.2 В дополнении к требованиям из 7.2.1.3.1 начальники групп аудита должны удовлетворять
следующим требованиям, которые должны быть продемонстрированы в аудитах под руководством и
наблюдением:
a) обладать знаниями и характерными чертами для управления процессом аудита сертификации;
b) быть аудитором, по крайней мере, в трёх полных аудитах СМИБ;
c) продемонстрировать способность эффективно общаться и в письменной, и в устной форме.
7.3 Привлечение отдельных внешних аудиторов и внешних технических экспертов
Применяются требования ISO/IEC 17021:2006, 7.3. Кроме того, применяются следующие, конкретные
для СМИБ, требования и положения.
7.3.1 ИБ 7.3 Привлечение внешних аудиторов или внешних технических экспертов в качестве
членов аудиторской группы
При привлечении внешних аудиторов или внешних технических экспертов в качестве членов
аудиторской группы, орган сертификации должен гарантировать, что они компетентны и не
вовлекаются ни напрямую, ни через своего работодателя в проектирование, внедрение или
обслуживание СМИБ или связанной с ней системой (системами) управления таким образом, что это
могло бы скомпрометировать беспристрастность.
7.3.1.1 Привлечение технических экспертов
Технические эксперты со специальными знаниями, касающимися процесса и проблем
информационной безопасности, а также законодательства, затрагивающей организацию-клиента, но
не удовлетворяющие всем критериям 7.2, могут быть членами группы аудита. Технические эксперты
должны работать под наблюдением аудитора.
7.4 Записи данных о персонале
Применяются требования ISO/IEC 17021:2006, 7.4.
7.5 Аутсорсинг
Применяются требования ISO/IEC 17021:2006, 7.5.
8 Требования к информации
8.1 Общедоступная информация
Применяются требования ISO/IEC 17021:2006, 8.1. Кроме того, применяются следующие, конкретные
для СМИБ, требования и положения.
6 © ISO/IEC 2007 – Все права сохраняются

---------------------- Page: 11 ----------------------
ISO/IEC 27006:2007(R)
8.1.1 ИБ 8.1 Процедуры разрешения, поддержания, продления, сокращения, приостановления
и отказа в сертификации
Орган сертификации должен потребовать от организации-клиента наличия документально
оформленной и внедренной СМИБ, которая соответствует ISO/IEC 27001 и другим документам,
необходимым для сертификации.
У органа сертификации должны быть документально подтверждённые процедуры для:
a) начального сертификационного аудита СМИБ организации-клиента в соответствии с положениями
ISO 19011, ISO/IEC 17021 и другими необходимыми документами;
b) надзора и повторных сертификационных аудитов СМИБ организации-клиента в соответствии с
ISO 19011 и ISO/IEC 17021 на периодической основе для непрерывного соответствия
релевантным требованиям, а также для подтверждения и записи, что организация-клиент
своевременно предпринимает корректирующие действия по исправлению всех несоответствий.
8.2 Документы по сертификации
Применяются требования ISO/IEC 17021:2006, 8.2. Кроме того, применяются следующие, конкретные
для СМИБ, требования и положения.
8.2.1 ИБ 8.2 Документы по сертификации СМИБ
Орган сертификации должен предоставить каждой из своих организаций-клиентов, чья СМИБ
сертифицируется, документы по сертификации, такие как: письмо или сертификат, подписанный
уполномоченным должностным лицом. Для организации-клиента и каждой из его сертифицирующихся
информационных систем эти документы должны определять область действия сертификации и
ISO/IEC 27001 по СМИБ, по которому эта СМИБ сертифицируется. Кроме того, в сертификате должна
быть ссылка на определённую версию заявления (утверждения) о применимости.
8.3 Список сертифицированных клиентов
Применяются требования ISO/IEC 17021:2006, 8.3.
8.4 Ссыл
...

INTERNATIONAL ISO/IEC
STANDARD 27006
First edition
2007-03-01

Information technology — Security
techniques — Requirements for bodies
providing audit and certification of
information security management
systems
Technologies de l'information — Techniques de sécurité — Exigences
pour les organismes procédant à l'audit et à la certification des
systèmes de management de la sécurité de l'information




Reference number
ISO/IEC 27006:2007(E)
©
ISO/IEC 2007

---------------------- Page: 1 ----------------------
ISO/IEC 27006:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2007 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 27006:2007(E)
Contents
Foreword. iv
Introduction . v
1 Scope .1
2 Normative references .1
3 Terms and definitions .1
4 Principles.2
5 General requirements.2
5.1 Legal and contractual matter.2
5.2 Management of impartiality .2
5.3 Liability and financing.3
6 Structural requirements .3
6.1 Organizational structure and top management.3
6.2 Committee for safeguarding impartiality .3
7 Resource requirements.3
7.1 Competence of management and personnel.3
7.2 Personnel involved in the certification activities .4
7.3 Use of individual external auditors and external technical experts.6
7.4 Personnel records .6
7.5 Outsourcing.6
8 Information requirements .6
8.1 Publicly accessible information.6
8.2 Certification documents.6
8.3 Directory of certified clients .7
8.4 Reference to certification and use of marks.7
8.5 Confidentiality.7
8.6 Information exchange between a certification body and its clients.7
9 Process requirements .7
9.1 General requirements.7
9.2 Initial audit and certification.11
9.3 Surveillance activities .15
9.4 Recertification.16
9.5 Special audits.16
9.6 Suspending, withdrawing or reducing scope of certification.16
9.7 Appeals .17
9.8 Complaints .17
9.9 Records of applicants and clients .17
10 Management system requirements for certification bodies .17
10.1 Options .17
10.2 Option 1 – Management system requirements in accordance with ISO 9001.17
10.3 Option 2 – General management system requirements .17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects .18
Annex B (informative) Example areas of auditor competence .21
Annex C (informative) Audit time.23
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls .29

© ISO/IEC 2007 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 27006:2007(E)
Foreword
ISO (the International Organization for Standardization) and IEC (International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO and IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental,
in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

iv © ISO/IEC 2007 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 27006:2007(E)
Introduction
ISO/IEC 17021 is an International Standard which sets out criteria for bodies operating audit and certification
of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021
with the objective of auditing and certifying Information Security Management Systems (ISMS) in accordance
with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary.
These are provided by this International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
those provisions which, although they constitute guidance for the application of the requirements, are
expected to be adopted by a certification body.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonise their
application of the standards against which they are bound to assess certification bodies. In this context, any
variation from the guidance by a certification body is an exception. Such variations will only be permitted on a
case-by-case basis after the certification body has demonstrated to the accreditation body that the exception
meets in some equivalent way the relevant requirements clause of ISO/IEC 17021, ISO/IEC 27001 and the
intent of this International Standard.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
© ISO/IEC 2007 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27006:2007(E)

Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit
processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2006, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 19011, Guidelines for quality and/or environmental management systems auditing
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
3.3
certification document
document indicating that a client organization’s ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
© ISO/IEC 2007 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 27006:2007(E)
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2006, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2006, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2006, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies should
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they should not provide company-specific advice which contravenes the requirements
of c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards;
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities should not result in the provision of recommendations or advice that would contravene this
clause and the certification body should be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
2 © ISO/IEC 2007 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 27006:2007(E)
5.3 Liability and financing
The requirements from ISO/IEC 17021:2006, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2006, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2006, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2006, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1 Management competence
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence is appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
© ISO/IEC 2007 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 27006:2007(E)
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2006, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
4 © ISO/IEC 2007 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 27006:2007(E)
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and attributes to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
© ISO/IEC 2007 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 27006:2007(E)
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2006, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance applies.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2006, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2006, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2006, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO 19011, ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO 19011 and
ISO/IEC 17021 on a periodic basis for continuing conformity with relevant requirements and for verifying
and recording that a client organization takes corrective action on a timely basis to correct all
nonconformities.
8.2 Certification documents
The requirements from ISO/IEC 17021:2006, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
6 © ISO/IEC 2007 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 27006:2007(E)
8.2.1 IS 8.2 ISMS Certification documents
The certification body shall provide to each of its client organizations whose ISMS is certified, certification
documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For
the client organization and each of its information systems covered by the certification, these documents shall
identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is
certified. In addition, the certificate should include a reference to the specific version of the Statement of
Applicability.
8.3 Directory of certified clients
The requirements from ISO/IEC 17021:2006, Clause 8.3 apply.
8.4 Reference to certification and use of marks
The requirements from ISO/IEC 17021:2006, Clause 8.4 apply. In addition, the following ISMS-specific
requirements and guidance applies.
8.4.1 IS 8.4 Control of certification marks
The certification body shall exercise proper control over ownership, use and display of its ISMS certification
marks. If the certification body confers the right to use a mark to indicate certification of an ISMS, the
certification body should ensure that the client organization uses the specified mark only as authorised in
writing by the certification body. The certification body shall not entitle the client organization to use
...

SLOVENSKI STANDARD
SIST ISO/IEC 27006:2011
01-marec-2011
Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo
presoje in certificiranje sistemov upravljanja informacijske varnosti
Information technology - Security techniques - Requirements for bodies providing audit
and certification of information security management systems
Technologies de l'information - Techniques de sécurité - Exigences pour les organismes
procédant à l'audit et à la certification des systèmes de management de la sécurité de
l'information
Ta slovenski standard je istoveten z: ISO/IEC 27006:2007
ICS:
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.040 Nabori znakov in kodiranje Character sets and
informacij information coding
SIST ISO/IEC 27006:2011 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO/IEC 27006:2011

---------------------- Page: 2 ----------------------

SIST ISO/IEC 27006:2011

INTERNATIONAL ISO/IEC
STANDARD 27006
First edition
2007-03-01

Information technology — Security
techniques — Requirements for bodies
providing audit and certification of
information security management
systems
Technologies de l'information — Techniques de sécurité — Exigences
pour les organismes procédant à l'audit et à la certification des
systèmes de management de la sécurité de l'information




Reference number
ISO/IEC 27006:2007(E)
©
ISO/IEC 2007

---------------------- Page: 3 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2007 – All rights reserved

---------------------- Page: 4 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
Contents
Foreword. iv
Introduction . v
1 Scope .1
2 Normative references .1
3 Terms and definitions .1
4 Principles.2
5 General requirements.2
5.1 Legal and contractual matter.2
5.2 Management of impartiality .2
5.3 Liability and financing.3
6 Structural requirements .3
6.1 Organizational structure and top management.3
6.2 Committee for safeguarding impartiality .3
7 Resource requirements.3
7.1 Competence of management and personnel.3
7.2 Personnel involved in the certification activities .4
7.3 Use of individual external auditors and external technical experts.6
7.4 Personnel records .6
7.5 Outsourcing.6
8 Information requirements .6
8.1 Publicly accessible information.6
8.2 Certification documents.6
8.3 Directory of certified clients .7
8.4 Reference to certification and use of marks.7
8.5 Confidentiality.7
8.6 Information exchange between a certification body and its clients.7
9 Process requirements .7
9.1 General requirements.7
9.2 Initial audit and certification.11
9.3 Surveillance activities .15
9.4 Recertification.16
9.5 Special audits.16
9.6 Suspending, withdrawing or reducing scope of certification.16
9.7 Appeals .17
9.8 Complaints .17
9.9 Records of applicants and clients .17
10 Management system requirements for certification bodies .17
10.1 Options .17
10.2 Option 1 – Management system requirements in accordance with ISO 9001.17
10.3 Option 2 – General management system requirements .17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects .18
Annex B (informative) Example areas of auditor competence .21
Annex C (informative) Audit time.23
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls .29

© ISO/IEC 2007 – All rights reserved iii

---------------------- Page: 5 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
Foreword
ISO (the International Organization for Standardization) and IEC (International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO and IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental,
in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

iv © ISO/IEC 2007 – All rights reserved

---------------------- Page: 6 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
Introduction
ISO/IEC 17021 is an International Standard which sets out criteria for bodies operating audit and certification
of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021
with the objective of auditing and certifying Information Security Management Systems (ISMS) in accordance
with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary.
These are provided by this International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
those provisions which, although they constitute guidance for the application of the requirements, are
expected to be adopted by a certification body.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonise their
application of the standards against which they are bound to assess certification bodies. In this context, any
variation from the guidance by a certification body is an exception. Such variations will only be permitted on a
case-by-case basis after the certification body has demonstrated to the accreditation body that the exception
meets in some equivalent way the relevant requirements clause of ISO/IEC 17021, ISO/IEC 27001 and the
intent of this International Standard.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
© ISO/IEC 2007 – All rights reserved v

---------------------- Page: 7 ----------------------

SIST ISO/IEC 27006:2011

---------------------- Page: 8 ----------------------

SIST ISO/IEC 27006:2011
INTERNATIONAL STANDARD ISO/IEC 27006:2007(E)

Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit
processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2006, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO/IEC 19011, Guidelines for quality and/or environmental management systems auditing
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
3.3
certification document
document indicating that a client organization’s ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
© ISO/IEC 2007 – All rights reserved 1

---------------------- Page: 9 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2006, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2006, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2006, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies should
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they should not provide company-specific advice which contravenes the requirements
of c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards;
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities should not result in the provision of recommendations or advice that would contravene this
clause and the certification body should be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
2 © ISO/IEC 2007 – All rights reserved

---------------------- Page: 10 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
5.3 Liability and financing
The requirements from ISO/IEC 17021:2006, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2006, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2006, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2006, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1 Management competence
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence is appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
© ISO/IEC 2007 – All rights reserved 3

---------------------- Page: 11 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2006, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
4 © ISO/IEC 2007 – All rights reserved

---------------------- Page: 12 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and attributes to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
© ISO/IEC 2007 – All rights reserved 5

---------------------- Page: 13 ----------------------

SIST ISO/IEC 27006:2011
ISO/IEC 27006:2007(E)
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2006, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance applies.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2006, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2006, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2006, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO 19011, ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO 19011 and
ISO/IEC 17021 on a periodic basis for continuing conformity with relevant requirements and for verifying
and recording that a client organization takes corrective action on a timely basis to correct all
nonconformities.
8.2 Certification documents
The requirements from ISO/IEC 17021:2006, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
6 © ISO/IEC 2007 – All ri
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Zahteve za organe, ki izvajajo presoje in certificiranje sistemov upravljanja informacijske varnostiTechnologies de l'information - Techniques de sécurité - Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'informationInformation technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems35.040Nabori znakov in kodiranje informacijCharacter sets and information coding03.120.20Certificiranje proizvodov in podjetij. Ugotavljanje skladnostiProduct and company certification. Conformity assessmentICS:Ta slovenski standard je istoveten z:ISO/IEC 27006:2007oSIST ISO/IEC 27006:2010en01-december-2010oSIST ISO/IEC 27006:2010SLOVENSKI
STANDARD



oSIST ISO/IEC 27006:2010



Reference numberISO/IEC 27006:2007(E)© ISO/IEC 2007
INTERNATIONAL STANDARD ISO/IEC27006First edition2007-03-01Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems Technologies de l'information — Techniques de sécurité — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
©
ISO/IEC 2007 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2007 – All rights reserved
oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved iiiContents Foreword.iv Introduction.v 1 Scope.1 2 Normative references.1 3 Terms and definitions.1 4 Principles.2 5 General requirements.2 5.1 Legal and contractual matter.2 5.2 Management of impartiality.2 5.3 Liability and financing.3 6 Structural requirements.3 6.1 Organizational structure and top management.3 6.2 Committee for safeguarding impartiality.3 7 Resource requirements.3 7.1 Competence of management and personnel.3 7.2 Personnel involved in the certification activities.4 7.3 Use of individual external auditors and external technical experts.6 7.4 Personnel records.6 7.5 Outsourcing.6 8 Information requirements.6 8.1 Publicly accessible information.6 8.2 Certification documents.6 8.3 Directory of certified clients.7 8.4 Reference to certification and use of marks.7 8.5 Confidentiality.7 8.6 Information exchange between a certification body and its clients.7 9 Process requirements.7 9.1 General requirements.7 9.2 Initial audit and certification.11 9.3 Surveillance activities.15 9.4 Recertification.16 9.5 Special audits.16 9.6 Suspending, withdrawing or reducing scope of certification.16 9.7 Appeals.17 9.8 Complaints.17 9.9 Records of applicants and clients.17 10 Management system requirements for certification bodies.17 10.1 Options.17 10.2 Option 1 – Management system requirements in accordance with ISO 9001.17 10.3 Option 2 – General management system requirements.17 Annex A (informative)
Analysis of a client organization’s complexity and
sector-specific aspects.18 Annex B (informative)
Example areas of auditor competence.21 Annex C (informative)
Audit time.23 Annex D (informative)
Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls.29
oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) iv © ISO/IEC 2007 – All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO and IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved vIntroduction ISO/IEC 17021 is an International Standard which sets out criteria for bodies operating audit and certification of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing and certifying Information Security Management Systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the letters “IS”. The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate those provisions which, although they constitute guidance for the application of the requirements, are expected to be adopted by a certification body.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonise their application of the standards against which they are bound to assess certification bodies. In this context, any variation from the guidance by a certification body is an exception. Such variations will only be permitted on a case-by-case basis after the certification body has demonstrated to the accreditation body that the exception meets in some equivalent way the relevant requirements clause of ISO/IEC 17021, ISO/IEC 27001 and the intent of this International Standard. NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems. oSIST ISO/IEC 27006:2010



oSIST ISO/IEC 27006:2010



INTERNATIONAL STANDARD ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved 1Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems 1 Scope This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification. NOTE
This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17021:2006, Conformity assessment — Requirements for bodies providing audit and certification of management systems ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 19011, Guidelines for quality and/or environmental management systems auditing 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply. 3.1 certificate certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement 3.2 certification body third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards, and any supplementary documentation required under the system 3.3 certification document document indicating that a client organization’s ISMS conforms to specified ISMS standards and any supplementary documentation required under the system oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) 2 © ISO/IEC 2007 – All rights reserved 3.4 mark legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard 3.5 organization company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised 4 Principles The principles from ISO/IEC 17021:2006, Clause 4 apply. 5 General requirements 5.1 Legal and contractual matter The requirements from ISO/IEC 17021:2006, Clause 5.1 apply. 5.2 Management of impartiality The requirements from ISO/IEC 17021:2006, Clause 5.2 apply. In addition, the following ISMS-specific requirements and guidance apply. 5.2.1 IS 5.2 Conflicts of interest Certification bodies can carry out the following duties without them being considered as consultancy or having a potential conflict of interest: a) certification, including information meetings, planning meetings, examination of documents, auditing (not internal ISMS auditing or internal security reviews) and follow up of non-conformities; b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies should confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they should not provide company-specific advice which contravenes the requirements of c) below; c) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards; d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities should not result in the provision of recommendations or advice that would contravene this clause and the certification body should be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration; e) performing second and third party audits according to standards or regulations other than those being part of the scope of accreditation; f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions. The certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit of the client organization’s ISMS subject to certification. oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved 35.3 Liability and financing The requirements from ISO/IEC 17021:2006, Clause 5.3 apply. 6 Structural requirements 6.1 Organizational structure and top management The requirements from ISO/IEC 17021:2006, Clause 6.1 apply. 6.2 Committee for safeguarding impartiality The requirements from ISO/IEC 17021:2006, Clause 6.2 apply. 7 Resource requirements 7.1 Competence of management and personnel The requirements from ISO/IEC 17021:2006, Clause 7.1 apply. In addition, the following ISMS-specific requirements and guidance apply. 7.1.1 IS 7.1 Management competence The essential elements of competence required to perform ISMS certification are to select, provide and manage those individuals whose skills and collective competence is appropriate to the activities to be audited and the related information security issues. 7.1.1.1 Competence analysis and contract review The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the ISMS of the client organization, which it assesses. The certification body shall have an effective system for the analysis of the competencies in information security management which it needs to have available, with respect to all the technical areas in which it operates. For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization, based on the results of this competence analysis. In particular, the certification body shall be able to demonstrate that it has the competence to complete the following activities: a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities, and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies. 7.1.1.2 Resources The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing (see also Annex B). The certification body shall be able to communicate effectively with all those clients it provides services to. oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) 4 © ISO/IEC 2007 – All rights reserved 7.2 Personnel involved in the certification activities The requirements from ISO/IEC 17021:2006, Clause 7.2 apply. In addition, the following ISMS-specific requirements and guidance apply. 7.2.1 IS 7.2 Competence of certification body personnel Certification bodies shall have personnel competent to a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit; b) brief ISMS auditors and arrange any necessary training; c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications; d) set up and operate an appeals and complaints process. 7.2.1.1 Training of audit teams The certification body shall have criteria for the training of audit teams that ensures a) knowledge of the ISMS standard and other relevant normative documents; b) understanding of information security; c) understanding of risk assessment and risk management from the business perspective; d) technical knowledge of the activity to be audited; e) general knowledge of regulatory requirements relevant to ISMSs; f) knowledge of management systems; g) understanding of the principles of auditing based on ISO 19011; h) knowledge of ISMS effectiveness review and measurement of control effectiveness. These training requirements apply to all members of the audit team, with the exception of d), which can be shared among members of the audit team. 7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification body shall ensure that the skills brought to each assignment are appropriate. The team shall a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which certification is sought and, where relevant, with associated procedures and their potential information security risks (technical experts who are not auditors may fulfil this function); b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit of its ISMS in managing the information security aspects of its activities, products and services; c) have appropriate understanding of the regulatory requirements applicable to the client organization’s ISMS. oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved 57.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate specific competence in a field of technology appropriate to the audit. Note should be taken that technical experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy in the context of the management system being subjected to audit. The certification body shall have a procedure for a) selecting auditors and technical experts on the basis of their competence, training, qualifications and experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and subsequently monitoring the performance of auditors and technical experts. 7.2.1.2 Management of the decision taking process The management function shall have the technical competence and ability in place to manage the process of decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of ISMS certification to the requirements of ISO/IEC 27001. 7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for auditors conducting ISMS audits 7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall a) have an education at secondary level; b) have at least four years full time practical workplace experience in information technology, of which at least two years are in a role or function relating to information security; c) have successfully completed five days of training, the scope of which covers ISMS audits and audit management shall be considered appropriate; d) have gained experience in the entire process of assessing information security prior to assuming responsibility for performing as an auditor. This experience should have been gained by participation in a minimum of four certification audits for a total of at least 20 days, including review of documentation and risk analysis, implementation assessment and audit reporting; e) have experience which is reasonably current; f) be able to put complex operations in a broad perspective and to understand the role of individual units in larger client organizations; g) keep their knowledge and skills in information security and auditing up to date through continual professional development. Technical experts shall comply with criteria a), b), e) and f). 7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following requirements, which shall be demonstrated in audits under guidance and supervision: a) have knowledge and attributes to manage the certification audit process; b) have been an auditor in at least three complete ISMS audits; c) have demonstrated the capability to communicate effectively, both orally and in writing. oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) 6 © ISO/IEC 2007 – All rights reserved 7.3 Use of individual external auditors and external technical experts The requirements from ISO/IEC 17021:2006, Clause 7.3 apply. In addition, the following ISMS-specific requirements and guidance applies. 7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team When using individual external auditors or external technical experts as part of the audit team, the certification body shall ensure that they are competent and comply with the applicable provisions of this publication and are not involved, either directly or through its employer with the design, implementation or maintenance of an ISMS or related management system(s) in such a way that impartiality could be compromised. 7.3.1.1 Use of technical experts Technical experts with specific knowledge regarding the process and information security issues and legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the audit team. Technical experts shall work under the supervision of an auditor. 7.4 Personnel records The requirements from ISO/IEC 17021:2006, Clause 7.4 apply. 7.5 Outsourcing The requirements from ISO/IEC 17021:2006, Clause 7.5 apply. 8 Information requirements 8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2006, Clause 8.1 apply. In addition, the following ISMS-specific requirements and guidance apply. 8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing certification The certification body shall require the client organization to have a documented and implemented ISMS which conforms to ISO/IEC 27001 and other documents required for certification. The certification body shall have documented procedures for a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of ISO 19011, ISO/IEC 17021 and other relevant documents; b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO 19011 and ISO/IEC 17021 on a periodic basis for continuing conformity with relevant requirements and for verifying and recording that a client organization takes corrective action on a timely basis to correct all nonconformities. 8.2 Certification documents The requirements from ISO/IEC 17021:2006, Clause 8.2 apply. In addition, the following ISMS-specific requirements and guidance apply. oSIST ISO/IEC 27006:2010



ISO/IEC 27006:2007(E) © ISO/IEC 2007 – All rights reserved 78.2.1 IS 8.2 ISMS Certification documents The certification body shall provide to each of its client organizations whose ISMS is certified, certification documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For the client organization and each of its information systems covered by the certification, these documents shall identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is certified. In addition, the certificate should include a reference to the specific version of the Statement of Applicability. 8.3 Directory of certified clients The requirements from ISO/IEC 17021:2006, Clause 8.3 apply. 8.4 Reference to certification and use of marks The requirements from ISO/IEC 17021:2006, Clause 8.4 apply. In addition, the following ISMS-specific requirements and guidance applies. 8.4.1 IS 8.4 Control of certification marks The certification body shall exercise proper control over ownership, use and display of its ISMS certification marks. If the certification body confers th
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.