ISO/IEC 27006:2011 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems 
ISO/IEC 27006 is the published ISO/IEC accreditation standard that guides certification bodies on the formal processes for auditing their clients’ Information Security Management Systems against ISO/IEC 27001 in order to certify or register them as compliant.
The scope of ISO/IEC 27006 is to ‘specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.’
ISO/IEC 27006 specifies requirements and provides guidance for compliance auditing specifically in the ISMS context, in addition to the general accreditation requirements contained within ISO/IEC 17021-1 and ISO 19011. It is focused on auditing the management system itself, with only a passing interest in the actual information security risks and controls that the management system manages.
Any accredited body providing ISO/IEC 27001 compliance certificates needs to fulfill the requirements in ISO/IEC 27006 plus those in ISO/IEC 17021 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly.
ISO/IEC 27006 incorporates and supersedes the older EA7/03 guidance on accredited certification processes.
It is available to purchase from ISO and other sources, including ANSI INCITS (just US$30!).
Status of the standard
ISO 17021, a normative reference for ’27006, has been revised, hence a fast-track update to ISO/IEC 27006:2007 was made. ’27006 was successfully aligned with the new version of ISO 17021 with relatively minor changes - basically “should” became “shall”. The revised version of ISO/IEC 27006 was published in December 2011.
The revised 2011 version of the standard will go through a normal, lengthier, systematic review process in parallel with the planned revision of ISO 19011 and, in due course, ISO/IEC 17021.