ISO/IEC 27000-series

ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27006 provides requirements and guidance for bodies providing audit and certification of an Information Security Management System (ISMS). It is an extension of ISO/IEC 17021-1, which specifies general requirements for certification bodies performing audits and certifications of management systems. ISO/IEC 27006 focuses on ensuring that certification bodies are competent, consistent, and impartial in their assessment of ISMSs based on ISO/IEC 27001.

Key Components of ISO/IEC 27006

  1. Introduction:
    • Purpose: Explains the objective of ISO/IEC 27006, which is to ensure that certification bodies are competent to audit and certify ISMSs.
    • Audience: Intended for certification bodies, auditors, and organizations seeking ISMS certification.
  2. Scope:
    • Applicability: Applicable to all certification bodies providing audit and certification services for ISMSs, regardless of size or location.
  3. Normative References:

Structure and Content

ISO/IEC 27006 is structured to align with ISO/IEC 17021-1 and includes additional requirements specific to the certification of ISMSs. The standard ensures that certification bodies have the necessary competence, processes, and impartiality to effectively audit and certify ISMSs.

  1. Clause 4: Principles:
    • Impartiality: Certification bodies must demonstrate impartiality and independence in their auditing and certification activities.
    • Competence: Certification bodies must have the necessary competence to perform ISMS audits.
    • Responsibility: Certification bodies are responsible for their audit and certification decisions.
    • Openness: Certification bodies should be transparent about their certification processes and criteria.
    • Confidentiality: Certification bodies must ensure the confidentiality of information obtained during audits.
  2. Clause 5: General Requirements:
    • Legal and Contractual Matters: Certification bodies must comply with legal and contractual requirements.
    • Management of Impartiality: Certification bodies must manage and document potential conflicts of interest to ensure impartiality.
  3. Clause 6: Structural Requirements:
    • Organizational Structure: Certification bodies must have an organizational structure that supports impartial and competent auditing and certification activities.
    • Roles and Responsibilities: Clearly define roles and responsibilities within the certification body to support effective ISMS auditing and certification.
  4. Clause 7: Resource Requirements:
    • Competence of Personnel: Certification bodies must ensure that personnel involved in ISMS audits have the necessary competence, including education, training, and experience.
    • Outsourcing: When outsourcing audit activities, certification bodies must ensure that outsourced auditors meet the same competence requirements.
  5. Clause 8: Information Requirements:
    • Public Information: Certification bodies must provide public access to information about their audit and certification processes.
    • Confidentiality: Ensure that information obtained during audits is kept confidential, except as required by law.
  6. Clause 9: Process Requirements:
    • Pre-certification Activities: Certification bodies must conduct a thorough review of the applicant organization’s ISMS documentation.
    • Audit Planning: Develop audit plans that cover the scope, objectives, and criteria of the ISMS audit.
    • On-Site Audits: Conduct on-site audits to verify the implementation and effectiveness of the ISMS.
    • Audit Reporting: Prepare audit reports that summarize findings, conclusions, and recommendations.
    • Certification Decision: Make certification decisions based on objective evidence gathered during the audit.
  7. Clause 10: Management System Requirements for Certification Bodies:
    • Management System: Certification bodies must establish and maintain a management system that supports the consistent and effective delivery of ISMS audit and certification services.
    • Internal Audits and Management Reviews: Conduct regular internal audits and management reviews to ensure the effectiveness of the management system.

Detailed Guidance

  1. Competence Requirements for Auditors:
    • Knowledge and Skills: Auditors must have knowledge of information security principles, ISMS standards, and the specific context of the organization being audited.
    • Continuing Professional Development: Certification bodies must provide ongoing training and development opportunities to maintain auditor competence.
  2. Audit Process:
    • Stage 1 Audit: Review the organization’s ISMS documentation to determine readiness for the stage 2 audit.
    • Stage 2 Audit: Conduct an on-site audit to assess the implementation and effectiveness of the ISMS.
    • Surveillance Audits: Conduct regular surveillance audits to ensure continued compliance with ISMS requirements.
    • Re-certification Audits: Conduct re-certification audits to renew the ISMS certification.
  3. Audit Reporting:
    • Clear and Objective Reporting: Ensure that audit reports are clear, objective, and provide sufficient detail to support the certification decision.
    • Nonconformities: Document nonconformities identified during the audit and ensure that the organization takes appropriate corrective actions.
  4. Certification Decision Process:
    • Impartial Review: Ensure that certification decisions are made by personnel who were not involved in the audit.
    • Objective Evidence: Base certification decisions on objective evidence gathered during the audit.

Benefits of ISO/IEC 27006

  • Consistent and Reliable Certification: Ensures that certification bodies provide consistent and reliable ISMS certification services.
  • Competent Auditors: Ensures that auditors have the necessary competence to effectively assess ISMSs.
  • Impartiality and Objectivity: Enhances the impartiality and objectivity of the ISMS audit and certification process.
  • Confidence and Trust: Builds confidence and trust among stakeholders by demonstrating the certification body’s commitment to high standards of auditing and certification.
  • Continuous Improvement: Encourages continuous improvement in the certification body’s processes and practices.

ISO/IEC 27006 is a valuable resource for certification bodies seeking to provide high-quality ISMS audit and certification services, ensuring that organizations can trust the certification process and the competence of the auditors.


Discover more from Cyber Risk Countermeasures Education (CRCE)
