ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27006 lays out formal requirements for accredited organizations which certify other organizations compliant with ISO/IEC 27001.
It effectively replaces EA 7/03 (Guidelines for the Accreditation of Bodies Operating Certification/Registration of Information Security Management Systems).
The standard helps ensure that ISO/IEC 27001 certificates issued by accredited organizations are meaningful and trustworthy; in other words, it is a matter of assurance.
Description of standard
ISO 27006 outlines the requirements that third parties who audit and certify information security management systems (ISMS) must meet to be accredited, in addition to the requirements set by ISO/IEC 17021-1 and ISO 27001. The standard was first published in 2007 and has since been revised twice because of significant changes to the ISO/IEC 17021 standard. The current version is the third edition of ISO 27006, published in 2015.
ISO 27006:2015 sets requirements for demonstrating the competence of ISMS auditors. A certification body auditing an ISMS is required to verify that each auditor on the audit team has knowledge of:
- ISMS monitoring, measurement, analysis, and evaluation,
- Information security,
- Management systems,
- Auditing principles, and
- Technical knowledge of systems to be audited.
All auditors on the team must collectively be versed in information systems management terminology, principles, and techniques. They must know all the requirements of ISO 27001 and all the controls listed in ISO 27002. Auditors must also be aware of business management practices and of the legal and regulatory requirements that apply to the particular information systems field, geography, and jurisdictions being audited.
Competence must also be demonstrated by the personnel who review the audits and make certification decisions. They need sufficient knowledge to verify the accuracy of the certification scope, as well as general knowledge of management systems and of audit procedures, principles, and techniques.
ISO/IEC 27006:2015 also sets out requirements for adequate education, professional development, training covering ISMS audits, and a current and relevant level of experience.
Intent of standard
The primary intent of ISO 27006 is to support the accreditation of third parties that certify information security management systems. Any accredited third party that audits and confirms compliance with ISO 27001 must follow the requirements of this standard to ensure that the ISMS certifications it issues are valid. Accredited third parties need to demonstrate their competence and reliability.
A mid-size organization seeking ISO 27001 certification needs to engage an accredited certification body to carry out the ISMS certification audit. The organization should perform due diligence to ensure that the selected auditing firm complies with the ISO/IEC 27006:2015 standard. During the audit, the organization should ensure that all documentation needed to complete the audit is available and should provide the audit team with its ISMS records, including but not limited to information about the ISMS design and the effectiveness of the controls.