ISO/IEC TS 27006-2 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001 (DRAFT)
ISO/IEC TS 27006 Part 2 will be an accreditation standard guiding certification bodies on the formal processes they must follow when auditing their clients’ Privacy Information Management Systems against ISO/IEC 27701 and ISO/IEC 27001 in order to certify or register them compliant. The accreditation processes laid out in the standard will give assurance that ISO/IEC 27701 certificates issued by accredited organizations are valid and meaningful.
Scope and purpose
The scope of ISO/IEC TS 27006-2 is to “specify requirements and provide guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.”
Any properly-accredited body providing ISO/IEC 27701 compliance certificates must fulfill the requirements in this standard plus the following normative standards:
- ISO/IEC 17021-1:2015 — Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
- ISO/IEC 27006:2015 — Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27000 — Information technology — Security techniques — Information security management systems — Overview and vocabulary
- ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27701:2019 — Information technology — Security techniques —Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management — Requirements and Guidelines
- ISO/IEC 29100:2011 — Information technology — Security techniques — Privacy framework
Their competence, suitability and reliability to perform their work properly is necessary to ensure that issued ISO/IEC 27701 compliant certificates are meaningful: if literally anyone were able to issue PIMS certificates without necessarily following the certification processes specified by this standard, even substantially non-compliant organizations could conceivably buy their compliance certificates or simply ‘self-certify’ (assert rather than demonstrate compliance).
The standard can also be used for “peer assessment or other audit processes”.
The standard will specify formal requirements and offer guidance for compliance auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and the other normative standards.
The certification process involves auditing the management system for compliance with ISO/IEC 27701. Certification auditors have only a passing interest in the actual privacy arangements that are being managed by the management system. It is assumed that any organization with a compliant PIMS is in fact managing its privacy arrangements diligently.
Status of the standard
The standard is currently being drafted.
There is some confusion over the title: in addition to the title above, the current draft standard also uses “Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 2: Requirements regarding ISO/IEC 27701”.
The standard follows the structure of ‘27006 with statements of the form “The requirements of ISO/IEC 27006, [section number] apply.” plus, for some sections, “In addition, the following requirements and guidance apply.” followed by briefly and formally stated requirements. For example, PIMS certification auditors obviously need to be familiar with ISO/IEC 27701 whereas ISMS certification auditors don’t.
< Previous standard ^ Up a level ^ Next standard >