
ISO/IEC 27706 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems [DRAFT]


Abstract

“This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]

Introduction

This accreditation standard guides certification bodies on the formal processes they must follow when auditing their clients’ Privacy Information Management Systems against ISO/IEC 27701 and ISO/IEC 27001 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27701 certificates issued by accredited organisations are valid, comparable and meaningful.


Scope and purpose

Scope is to “specify requirements and provide guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1.”

This standard may also be used for peer assessment or other PIMS audit processes such as internal audits.

Any properly accredited body providing ISO/IEC 27701 certificates must fulfil the requirements in this standard plus ISO/IEC 17021-1, ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27006:2015, ISO/IEC 27701 and ISO/IEC 29100.

Their competence, suitability and reliability to perform their work properly are necessary to ensure that issued ISO/IEC 27701 certificates are meaningful: if literally anyone were able to issue PIMS certificates without necessarily following the certification processes specified by this standard, even substantially non-conformant organisations could conceivably buy their certificates or simply ‘self-certify’ (assert rather than demonstrate conformity). Accreditation is an assurance control.


Content

The standard will specify formal requirements and offer guidance for conformity auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and the other normative standards.

It will follow the structure of ISO/IEC 27006-1, i.e.:

  Preamble, introduction, scope, normative references, definitions ...

  1. Principles
  2. General requirements
  3. Structural requirements
  4. Resource requirements
  5. Information requirements
  6. Process requirements
  7. Management system requirements for certification bodies

ISO/IEC 27706 will be based firmly on ISO/IEC 27006-1. To avoid duplication, each section will mostly make statements of the form “The requirements of ISO/IEC 27006-1, [section number] apply”.

For some sections, additional requirements and guidance will apply. For example, PIMS certification auditors obviously need to be familiar with ISO/IEC 27701, whereas ISMS certification auditors don’t.


Status of the standard

This standard will update ISO/IEC TS 27006-2, the first edition of which was published in 2021.

It is at Draft International Standard stage.


Personal comments

As with ISO/IEC 27006-1, the certification process involves auditing the management system (specifically) for conformity with ISO/IEC 27701. Certification auditors have only a passing interest in the actual privacy arrangements being managed by the management system, doing sufficient checks to confirm that the PIMS is operational. It is presumed that any organisation with a PIMS that conforms to the standard probably does in fact have suitable privacy controls in place, thanks to the operation of said PIMS. More subtly, the standard does not demand particular, detailed privacy arrangements that may be inappropriate or insufficient if implemented in practice, and it hopefully reduces the possibility of assertive certification auditors seeking to second-guess or override informed management decisions about how the organisation is addressing its privacy risks. The auditors’ job is simply to provide assurance by assessing conformity with the mandatory requirements of the standard.

Copyright © 2024 IsecT Ltd.