Final Committee Draft ISO/IEC FCD 27006 Date: 2006-05-18 Reference number: ISO/IEC JTC 1/SC 27 N5098 Supersedes document SC27 N4972rev2 THIS DOCUMENT IS STILL UNDER STUDY AND SUBJECT TO CHANGE. IT SHOULD NOT BE USED FOR REFERENCE PURPOSES. ISO/IEC JTC 1/SC27 Circulated to P- and O-members, and to technical committees and organizations in Information technology - liaison for voting (P-members only) by: Security techniques Secretariat: Germany (DIN) 2006-09-18 Please return all votes and comments in electronic form directly to the SC 27 Secretariat by the due date indicated. ISO/IEC FCD 27006 Title: Information technology – Security techniques – Requirements for the accreditation of bodies providing certification of information security management systems Project: 27006 Explanatory Report Status SC27 Decision Reference documents Input National Body New Work Item Proposal (N4933) Output Background information Summary of voting on NP presented in N4934 (with 27006 (1.27.53) presented in Att. 1 = EA-7/03) N5011 Regional Consultation Meetings (Berlin, Montreal, Singapore) 23/24 March 2006 Background on ISMS 27001 Certification – Revision of EA-7/03 (N4971rev1) Revised draft N4972rev1 Summary of Minutes of the Concurrent review Regional Meetings presented of discussion draft in N5009 presented in N4972 Joint EA-7/03 Task Force National Body Comments Revised draft N4972rev2 (revised version of EA-7/03, March 2006) Meeting in Frankfurt on 2 (see in N5099) May 2006 Joint EA-7/03 Task Force Meeting in Madrid during the 32nd WG1 Meeting on 8th May 2006 Revised draft of N4972rev2 SC27/WG1 Resolution 8 of the 32nd Meeting in Madrid, 8th -12th May 2006 Text for FCD 27006 (N5098) FCD Registration and Consideration In accordance with resolution 8 of its 18th Plenary Meeting in Madrid, 16th – 17th May 2006, SC27 endorsed the accelerated approval process for project 1.27.53 (27006). Consequently, document SC27 N5098 has been registered with the ISO Central Secretariat (ITTF) as FCD and is hereby submitted for a four-month FCD letter ballot closing by 2006-09-18 Medium: Livelink-server No. of pages: 1 + 49 Address Reply to: Secretariat, ISO/IEC JTC 1/SC27 DIN Deutsches Institut fuer Normung e.V., Burggrafenstr. 6, 10772 Berlin , Germany Telephone: + 49 2601-2652; Facsimile: + 49 2601-1723; E-Mail: krystyna.passia@din.de, http://www.ni.din.de/sc27 © ISO/IEC 2006 – All rights reserved ISO/IEC JTC 1/SC 27 N5098 Date: 2006-05-18 ISO/IEC FCD 27006 ISO/IEC JTC 1/SC 27/WG 1 Secretariat: DIN Information technology — Security techniques — Requirements for the accreditation of bodies providing certification of information security management systems Technologies de l'information — Techniques de sécurité Warning This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. Document type: International Standard Document subtype: Document stage: (40) Enquiry Document language: E G:\ni\PASSIA\ISO_IEC_JTC1_SC27\PROJECT_admin\NP_27006_Jan2006\O3_00_FCD_27006_May2006\S C27N5098_Text_FCD_27006_May2006\ISO-IEC_27006_(E).doc STD Version 2.2 ISO/IEC FCD 27006 Copyright notice This ISO document is a Draft International Standard and is copyright-protected by ISO. Except as permitted under the applicable laws of the user's country, neither this ISO draft nor any extract from it may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without prior written permission being secured. Requests for permission to reproduce should be addressed to either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Reproduction may be subject to royalty payments or a licensing agreement. Violators may be prosecuted. ii © ISO/IEC 2006 – All rights reserved ISO/IEC JTC 1/SC27 N5098 CONTENTS 0. INTRODUCTION TO THIS STANDARD 5 1. SCOPE 7 2. NORMATIVE REFERENCES 7 3. TERMS AND DEFINITIONS 7 4. PRINCIPLES FOR CERTIFICATION BODIES 8 4.1 General 8 4.2 Impartiality 8 4.3 Competenc