Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Requirements for bodies that audit and certify information security management systems (ISO/IEC 27706:2025)

This document specifies requirements, in addition to the requirements in ISO/IEC 17021-1, and provides guidance for bodies that perform audits and certifications of privacy information management systems (PIMS) according to ISO/IEC 27701.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies performing PIMS certifications. The guidance contained in this document provides additional interpretation of these requirements for bodies performing PIMS certifications.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

This document specifies requirements and provides guidance for bodies providing audit and certification of privacy information management systems (PIMS) in accordance with ISO/IEC 27701, in addition to the requirements contained in ISO/IEC 17021-1.
Bodies providing certification of PIMS demonstrate that they meet the competence and reliability requirements set out in this document. The guidance contained in this document provides additional interpretation of these requirements for bodies providing certification of PIMS.
NOTE This document can be used as a reference document for accreditation, peer assessment or other audit processes.

Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)

General Information

Status: Published
Public Enquiry End Date: 14-Sep-2023
Publication Date: 12-Nov-2025
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 29-Oct-2025
Due Date: 03-Jan-2026
Completion Date: 13-Nov-2025

Standard
SIST EN ISO/IEC 27706:2025
English language
33 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-December-2025
Supersedes:
SIST-TS CEN ISO/IEC/TS 27006-2:2023
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Requirements for bodies that audit and certify information security management systems (ISO/IEC 27706:2025)
This Slovenian standard is identical to: EN ISO/IEC 27706:2025
ICS:
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27706

October 2025
ICS 03.120.20; 35.030
Supersedes CEN ISO/IEC/TS 27006-2:2022
English version
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
Requirements for bodies that audit and certify information security management systems (ISO/IEC 27706:2025)
This European Standard was approved by CEN on 22 March 2025.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27706:2025 E
Contents
European foreword

European foreword
This document (EN ISO/IEC 27706:2025) has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology" in collaboration with Technical Committee CEN-CENELEC/JTC 13
"Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2026, and conflicting national standards shall be
withdrawn at the latest by April 2026.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes CEN ISO/IEC/TS 27006-2:2022.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN and CENELEC
websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27706:2025 has been approved by CEN-CENELEC as EN ISO/IEC 27706:2025
without any modification.
International Standard
ISO/IEC 27706
First edition
2025-10
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems
Reference number
ISO/IEC 27706:2025(en)
© ISO/IEC 2025

© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
  5.1 Legal and contractual matters
  5.2 Management of impartiality
    5.2.1 General considerations
    5.2.2 Conflicts of interest
  5.3 Liability and financing
6 Structural requirements
7 Resource requirements
  7.1 Competence of personnel
    7.1.1 General considerations
    7.1.2 Determination of competence criteria
    7.1.3 Evaluation processes
    7.1.4 Other considerations
  7.2 Personnel involved in the certification activities
  7.3 Use of individual auditors and external technical experts
  7.4 Personnel records
  7.5 Outsourcing
8 Information Requirements
  8.1 Public information
  8.2 Certification documents
    8.2.1 General
    8.2.2 PIMS certification documents
  8.3 Reference to certification and use of marks
  8.4 Confidentiality
    8.4.1 General
    8.4.2 Access to organizational records
  8.5 Information exchange between a certification body and its clients
9 Process requirements
  9.1 Pre-certification activities
    9.1.1 Application
    9.1.2 Application review
    9.1.3 Audit programme
...
