ISO/IEC 27006:2011 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them compliant. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid.
Scope and purpose
The scope of ISO/IEC 27006 is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”
Any properly-accredited body providing ISO/IEC 27001 compliance certificates must fulfill the requirements in ISO/IEC 27006 plus ISO/IEC 17021-1 and ISO 19011 in terms of their competence, suitability and reliability to perform their work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful: if literally anyone were able to issue certificates without necessarily following the certification processes specified by ISO/IEC 27006, even seriously non-compliant organizations could conceivably buy their certificates or self-certify.
ISO/IEC 27006 specifies requirements and provides guidance for compliance auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011.
The certification process involves auditing the management system for compliance with ISO/IEC 27001. Certification auditors have only a passing interest in the actual information security controls that are being managed by the management system. It is assumed that any organization with a compliant ISMS is in fact managing its information security risks diligently.
Status of the standard
ISO/IEC 27006 was first published in 2007. It incorporated and superseded the older EA7/03 guidance on accredited certification processes.
After ISO 17021 was revised, a fast-track update was made and the revised ISO/IEC 27006 was published in 2011 with relatively minor changes.
The standard is now undergoing a normal review in parallel with the revision of ISO 19011 and ISO/IEC 17021, and the new release of ISO/IEC 27001. The revised standard looks likely to be published in 2014.
The next version of this standard is likely to be substantially different due to the substantive changes in the standards on which it is based. In general, ISO certification processes are being aligned and streamlined to make them more consistent with each other across various fields e.g. the management systems for quality, environmental protection and information security. The advantages of alignment include:
Standardization and cross-fertilization between the fields of certification (e.g. an organization’s “quality assurance manual” should not be totally alien to someone familiar with its “information security manual” - ‘someone’ being staff, managers, auditors and interested third parties);
Easier awareness, training and cross-training of auditors for various types of certification audit;
Easier awareness, training and cross-training of employees for various management systems;
More consistent certification, surveillance and re-certification audit processes;
Greater auditor and auditee familiarity with the process through greater practice, increasing the focus on the findings and the outcome;
More possibility for multiple parallel certifications, perhaps reducing costs;
A larger pool of qualified candidates for jobs associated with designing, implementing, operating and auditing the management systems.
The key disadvantage is short-term disruption as the new order takes root.
It has been pointed out that the new version of 27001 gives organizations more latitude on how they design and document their ISMS, and hence certification auditors cannot determine compliance as easily: they will need greater knowledge of both management systems and information security concepts.