ISO/IEC 27006
Go home

ISO/IEC 27006:2011  Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

Scope and purpose

ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them compliant.  The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid.

The scope of ISO/IEC 27006 is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001.  It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”

Any properly-accredited body providing ISO/IEC 27001 compliance certificates must fulfill the requirements in ISO/IEC 27006 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly.  This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful: if literally anyone were able to issue certificates without necessarily following the certification processes specified by ISO/IEC 27006, even seriously non-compliant organizations could conceivably buy their certificates or self-certify. 

Content

ISO/IEC 27006 specifies requirements and provides guidance for compliance auditing specifically in the context of ISMSs, in addition to the  general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011. 

The certification process involves auditing the management system for compliance with ISO/IEC 27001. Certification auditors have only a passing interest in the actual information security controls that are being managed by the management system.  It is assumed that any organization with a compliant ISMS is in fact managing its information security risks diligently.

Status of the standard

ISO/IEC 27006 was first published in 2007.  It incorporated and superseded the older EA7/03 guidance on accredited certification processes.

After ISO 17021 was revised, a fast-track update was made and the revised ISO/IEC 27006 was published in 2011 with relatively minor changes.

ISO/IEC 27006:2011 is available for CHF140 from the ISO/IEC webstore and from other sources (including ANSI INCITS at just US$30!).

The standard is now undergoing a normal review in parallel with the revision of ISO 19011 and ISO/IEC 17021.  The first working draft of the revised version is available to members of SC27.  The revised standard is expected to be published in 2013 or 2014.

Copyright © 2013 IsecT Ltd.