ISO/IEC 27006:2011 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Scope and purpose
ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal processes they must follow when auditing their clients’ Information Security Management Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them as compliant. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited organizations are valid.
The scope of ISO/IEC 27006 is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”
Any properly accredited body providing ISO/IEC 27001 compliance certificates must fulfill the requirements in ISO/IEC 27006, plus those in ISO/IEC 17021-1 and ISO 19011, in terms of its competence, suitability and reliability to perform its work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful: if literally anyone were able to issue certificates without necessarily following the certification processes specified by ISO/IEC 27006, even seriously non-compliant organizations could conceivably buy their certificates or self-certify.
ISO/IEC 27006 specifies requirements and provides guidance for compliance auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011.
The certification process involves auditing the management system for compliance with ISO/IEC 27001. Certification auditors have only a passing interest in the actual information security controls that are being managed by the management system. It is assumed that any organization with a compliant ISMS is in fact managing its information security risks diligently.
Status of the standard
ISO/IEC 27006 was first published in 2007. It incorporated and superseded the older EA 7/03 guidance on accredited certification processes.
After ISO/IEC 17021 was revised, a fast-track update was made and the revised ISO/IEC 27006 was published in 2011 with relatively minor changes.
ISO/IEC 27006:2011 is available for CHF 140 from the ISO/IEC webstore and from other sources (including ANSI INCITS at just US$30!).
The standard is now undergoing a normal review in parallel with the revision of ISO 19011 and ISO/IEC 17021. The first working draft of the revised version is available to members of SC27. The revised standard is expected to be published in 2013 or 2014.