ISO/IEC 27006:2015 — Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems (third edition)
ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems against ISO/IEC 27001 in order to certify or register them compliant. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid and meaningful.
Scope and purpose
The scope of ISO/IEC 27006 is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”
Any properly-accredited body providing ISO/IEC 27001 compliance certificates must fulfill the requirements in ISO/IEC 27006 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly. This is necessary to ensure that issued ISO/IEC 27001 compliance certificates are meaningful, and truly indicate that the organization has fully satisfied the requirements of ISO/IEC 27001. If literally anyone were able to issue certificates without necessarily following the certification processes specified in this standard, even substantially non-compliant organizations could conceivably buy their ISMS certificates or simply ‘self-certify’ (assert rather than demonstrate compliance), discrediting the whole certification structure.
ISO/IEC 27006 specifies requirements and provides guidance for compliance auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011.
The certification process involves auditing the management system for compliance with ISO/IEC 27001. Certification auditors have only a passing interest in the actual information risks and the information security controls that are being managed by the management system. It is assumed that any organization with a compliant ISMS is in fact managing its information risks diligently.
Status of the standard
ISO/IEC 27006 was first published in 2007, incorporating and superseding the EA7/03 guidance on accredited certification processes.
A second edition was published in 2011, reflecting changes to ISO 17021.
Following revisions to ISO/IEC 27001, ISO 19011 and ISO/IEC 17021-1, the current third edition was substantially revised and published in 2015.
Minor wording changes were published as an amendment in 2020.
A revision project started work on the fourth edition at the end of 2020. The new version will become “Part 1: General” and will adopt SC 27’s current title prefix (“Information security, cybersecurity and privacy protection”, as already used for part 2 below). It will reference part 2 and potentially the certification of other ‘sector-specific’ information risk and security-related management systems. It will hopefully resolve concerns over the mixture of ‘should’ and ‘shall’ verb forms, and other inconsistencies/errors in the text. The revision project is expected to take 2 years.
One of the issues with the current third edition of ‘27006 concerns the advice to base the number of audit days required on how many employees the organization has - a curious suggestion at best. The number of employees within the ISMS scope has some relevance, I guess, but surely the number of audit days is best determined by the auditors, ideally based on their experience of auditing ISMSs at similar organizations of similar maturity in similar industries? Essentially, planning a given audit requires a risk-based determination, specifically of audit risk (the risk that the audit reaches the wrong conclusion), a particular subset of information risk. If auditors can’t be trusted to work this out for themselves, discussing and agreeing the plan with their client, then there are bigger issues at stake than the number of planned audit days!
ISO/IEC 27001 gives organizations latitude on how they design and document their ISMS, and hence certification auditors cannot simply follow a straightforward compliance checklist: they need greater knowledge of both management systems and information security concepts. As far as I’m concerned, that’s good!
If your organization is sufficiently concerned about another’s compliance with ISO/IEC 27001 to ask to see their certificate, you should check that the certificate:
- Is genuine and current (ask the certification body to confirm, or check its published register of certified clients where it maintains one);
- Was issued to the organization you are concerned about (not some minor subsidiary or a legal/paper entity);
- Was issued by a certification body that is duly accredited to issue ISO/IEC 27001 compliance certificates (implying that they have suitable auditors who follow the specified certification processes) - and yes you can check that through the accreditation system, since national accreditation bodies publish registers of the certification bodies they accredit and the schemes they are accredited for;
- Covers the appropriate ISMS (so check the formal Scope and the Statement of Applicability (SoA) too, since a certificate for a narrowly-scoped ISMS says nothing about the parts of the organization outside that scope!).
Otherwise, why even bother asking to see it? You might as well just take their word for it. “Oh yeah, we’re secure, we’re certified, we’re compliant blah blah”.
Hint: as a professional, you are personally accountable for your decision to rely on their certificate and any further assurance checks you undertake.
The requirement to identify the SoA on ISO/IEC 27001 compliance certificates has the unfortunate side-effect of impeding the updating or maintenance of an ISMS where that would affect the SoA, e.g. responding to newly-identified information risks or incorporating additional controls. Since that hampers a fundamental principle and purpose of having a management system (continual improvement), it may constitute a substantive defect in ISO/IEC 27006 ... and perhaps in other ISO27k standards too.
ISO/IEC TS 27006-2:2021 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems
This accreditation standard guides certification bodies on the formal processes they must follow when auditing their clients’ Privacy Information Management Systems against ISO/IEC 27701 and ISO/IEC 27001 in order to certify or register them compliant. The accreditation processes laid out in the standard give assurance that ISO/IEC 27701 certificates issued by accredited organizations are valid, comparable and meaningful.
Scope and purpose
The scope of ISO/IEC TS 27006-2 is to:
“specify requirements and provide guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.”
This standard may also be used for peer assessment or other PIMS audit processes such as internal audits.
Any properly-accredited body providing ISO/IEC 27701 compliance certificates must fulfill the requirements in this standard plus the following normative standards:
- ISO/IEC 17021-1:2015 — Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
- ISO/IEC 27006:2015 — Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27000 — Information technology — Security techniques — Information security management systems — Overview and vocabulary
- ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27701:2019 — Information technology — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management — Requirements and Guidelines
- ISO/IEC 29100:2011 — Information technology — Security techniques — Privacy framework
Their competence, suitability and reliability to perform their work properly is necessary to ensure that issued ISO/IEC 27701-compliance certificates are meaningful: if literally anyone were able to issue PIMS certificates without necessarily following the certification processes specified by this standard, even substantially non-compliant organizations could conceivably buy their compliance certificates or simply ‘self-certify’ (assert rather than demonstrate compliance). Accreditation is an assurance control.
The standard specifies formal requirements and offers guidance for compliance auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and the other normative standards.
Part 2 follows the structure of part 1 with statements of the form “The requirements of ISO/IEC 27006, [section number] apply.” plus, for some sections, “In addition, the following requirements and guidance apply.” followed by briefly and formally stated requirements. For example, PIMS certification auditors obviously need to be familiar with ISO/IEC 27701 whereas ISMS certification auditors don’t.
As with part 1, the certification process involves auditing the management system itself for compliance with ISO/IEC 27701. Certification auditors have only a passing interest in the actual privacy arrangements that are being managed by the management system. It is assumed that any organization with a compliant PIMS does in fact have appropriate privacy controls in place.
Status of the standard
The SC 27 project set off in 2019, initially drafting ISO/IEC 27558 before becoming ISO/IEC TS 27006-2. The project moved along at lightning speed (for SC27!) thanks to market pressure for PIMS certification.
Part 2 was published in February 2021.
As with ‘27001 ISMS certification, ‘27006 part 2 concerns the management system. For certification, an organization must manage its privacy arrangements in accordance with all the mandatory requirements of ‘27701 ... which is subtly different from actually having all the appropriate privacy arrangements in place. For compliance auditors, the challenge is that ‘appropriate’ is not laid out in ‘27701 but is determined by the organization itself.
The audit time anticipated for PIMS auditing is specified as a proportion of that needed for ISMS certification audits, paving the way for dual-certification for PIMS and ISMS. However, I am dubious about the need for the standards to specify audit time at all: personally, I would feel more comfortable if accredited certification bodies’ compliance auditors determined it for themselves, in negotiation with their clients, taking account of factors such as the size and complexity of the organization, the scope of the PIMS, the amount of assurance required by third parties likely to rely on the compliance certificates, and so forth. Perhaps I am naive to think that the auditors will plan and conduct their assignments professionally and competently, without undue commercial pressure from their management.