ISO/IEC 27006 INTERNATIONAL STANDARD Third edition 2015-10-01 Informationtechnology-Security techniquesRequirements for bodies providing audit and certification ofinformation security managementsystems Technologies del'information-Techniques de securite-Exigences pour lesorganismes procedant a I'audit eta la certification des systemes demanagementdela securitedeI'information Referencenumber IS0/IEC 27006:2015(E) ISO/IEC2015 IS0/IEC27006:2015(E) COPYRIGHTPROTECTEDDOCUMENT @ IS0/IEC 2015, Published in Switzerland Abyghtyrneersedlalestronicotherwspemifiebianicplaitdfixlisgplbbikotopyimgyobqostingintprndtuoedotnttilizet otimeayisoithout prior written permission. Permission can be requested from either ISO at the address below or Iso's member body in the country of the requester. f3odeBpxribAic8.CP401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 copyright@iso.org 47 www.iso.org ii IS0/IEC 2015-All rights reserved IS0/IEC27006:2015(E) Contents Page Foreword Introduction. .vi 2 Scope 1 3 Normativereferences .1 4 Terms and definitions 1 5 Principles 1 General requirements 2 5.1 Legal and contractual matters 2 5.2 Management ofimpartiality 2 i 6 7 Structural requirements 2 Resourcerequirements 2 7.1 Competenceofpersonnel 2 7.1.1 IS 7.1.1 General considerations .3 7.2 ParonnellSndl.edDeternthreationcertificationCantpeiteeseriteria 3 7.2.1IS7.2Demonstrationofauditorknowledgeand experience 6 7.3 Use of individual external auditors and external technical experts. 7.3.1 7.4 Personnel records. 8 7.5 Outsourcing. Informationrequirements 8 8.1 Public information .8 8.2 Certificationdocuments 8 8.3 ReferenceSBo2EsvisficationCartifisatifmdotasments 8 8.4 Confidentiality .8 8.4.1 IS 8.4 Access to organizational records 8 9 Process requirements 8 9.1 Pre-certification activities .8 9.1.1 Application .8 9.1.3 Applicationprogzaewme 6 9.1.4 Determining audit time 10 9.1.5 Multi-site sampling 10 9.2 11 9.2.1 Determiningauditobjectives,scopeand criteria 11 9.2.2 Auditteamselectionandassignments 12 ntial ceraiflit ban 9.3 12 9.3.1 IS 9.3.1 Initial certification audit .13 9.4 Conducting audits. .14 3:4:2 IS 9.4 General 14 SpecificelementsoftheISMSaudit 9.4.3 IS 9.4 Audit report .14 9.5 Certification decision. 15 @ IS0/IEC 2015 - All rights reserved iii IS0/IEC27006:2015(E) 9.6 MaintainingGenerailfication 15 9.6.2 Surveillanceactivities. 15 9.6.3 Re-certification 16 9:6:4 Susgial augitswithdrawing or reducing the scope of certification 17 9.7 Appeals 17 9.8 Complaints 17 10 Managementsystemrequirementsforcertificationbodies .17 10.1 Options 17 10.1.1IS10.1ISMS implementation 17 10.3 Option A:B4ieangeralentmarygtemeistrstemirementsreqaicemntartse.with.IS0.9.00.1 17 AnnexA(informative)KnowledgeandskillsforISMSauditingandcertification .18 AnnexB(normative)Audittime .20 AnnexC(informative)Methodsforaudittimecalculations .25 AnnexD(informative)GuidanceforreviewofimplementedIS0/IEC27001:2013, AnnexAcontrols 28 Bibliography .35 IS0/IEC 2015 - All rights reserved IS0/IEC 27006:2015(E) Foreword ISO(the International OrganizationforStandardization)andIEC (theInternational Electrotechnical fimmbiasiofijsormIRfespeciadipedesysthedeveloplabaidefrstendatidizaltion.StNadiarddthudieghtechniaab committees established bythe respective organization todeal with particularfields of technical activity.IsOandIECtechnicalcommittees collaborateinfieldsof mutual interest.Otherinternational rgaizathnsjeldvofrinfoemafiandehngboerseatadieeaafsrithtalishedanafoialstetakeartonthfttee IS8/IECJTC1. Thedessribedis ts ysec brrdevielep abisaentpaaediahasethadiffsrenpjts farthersiterin aedarefor thedifferenttypesofdocumentshouldbenoted.Thisdoe draftedinaccordancewiththe editorial rules ofthe ISO/IEC Directives, Part2 (see www.iso.org/directives) AfnateotrightawntschanlFpshabiney trah sbshteoflespontsible fthisrderitmyingany heathaipaten subject rights. Details of any patent rights identified during the development of the doe entwillbe-inthe Introductionand/or