ISO/IEC 27006:2007 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27006 is the published ISO/IEC standard to guide accredited certification bodies on the formal processes for certifying or registering other organizations’ information security management systems.

The scope of ISO/IEC 27006 is “to specify general requirements a third-party body operating ISMS certification/registration has to meet, if it is to be recognized as competent and reliable in the operation of ISMS certification / registration.”

ISO/IEC 27006 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.

The requirements contained in ISO/IEC 27006 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance provides additional interpretation of these requirements for any body providing ISMS certification.

ISO/IEC 27006 incorporates and supersedes EA7/03 guidance on accredited certification processes.

It is available to purchase from ISO and other sources.