ISO/IEC 27006-1
ISO/IEC 27006-1:2024 — Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General
(fourth edition)
Abstract
ISO/IEC 27006 part 1 “specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in [ISO/IEC 27006-1] are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in [ISO/IEC 27006-1] provides additional interpretation of these requirements for bodies providing ISMS certification.
NOTE [ISO/IEC 27006-1] can be used as a criteria document for accreditation, peer assessment or other audit processes.”
[Source: ISO/IEC 27006-1:2024]
Introduction
ISO/IEC 27006-1 is the accreditation standard that guides Certification Bodies (CBs) on the formal processes they must follow when auditing their clients’ Information Security Management Systems against ISO/IEC 27001 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates issued by accredited CBs are valid, consistent and meaningful.
ISO/IEC 27006-1 specifies requirements and provides guidance for conformity auditing specifically in the context of ISMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 and ISO 19011. The conformity assessment/certification process involves auditing the information security management system for conformity with ISO/IEC 27001.
The standard provides guidance specific to ISMS certifications where applicable - for example, in order to remain independent and objective, the CB cannot also provide information security reviews or internal audits of the client’s ISMS. [Since no exclusion period is specified in the standard, this could be interpreted as a permanent or indefinite exclusion, or it may mean contemporaneously or within a few months or ... whatever.]
Scope
The scope is to “specify requirements and provide guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.”
Any duly-accredited CB providing ISO/IEC 27001 conformity certificates must fulfil the requirements in ISO/IEC 27006-1 plus ISO/IEC 17021-1 and ISO 19011 in terms of its competence, suitability and reliability to perform the work properly. This is necessary to ensure that issued ISO/IEC 27001 certificates are meaningful, and truly indicate that the organisation has fully satisfied the stated requirements. Since literally anyone can issue certificates without following the certification processes specified in this standard, even substantially non-conformant organisations could conceivably purchase ISMS certificates or simply ‘self-certify’ (asserting rather than demonstrating conformity), potentially discrediting the whole certification structure. In other words, accreditation is an important control for certification.
Structure
The standard follows the structure of ISO/IEC 17021-1 clause-by-clause:
4: Principles
5: General requirements
6: Structural requirements
7: Resource requirements
8: Information requirements
9: Process requirements
10: Management system requirements
Annex A: Knowledge and skills for ISMS auditing and certification
Annex B: Further competence considerations
Annex C: Audit time - putting sufficient effort into the conformity assessment
Annex D: Methods for audit time calculations - determining how much effort is 'sufficient'
Annex E: Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls
Status
The first edition of ISO/IEC 27006 was published in 2007.
The second edition was published in 2011.
The third edition was substantially revised and published in 2015, with minor wording changes as an amendment in 2020.
The fourth edition was published as ISO/IEC 27006-1 in 2024. It builds upon two normative references - ISO/IEC 17021-1:2015 and ISO/IEC 27001:2022.
Meanwhile, SC 27 is working on the structure of ISO/IEC 27006-1 and other issues, including concerns raised but not entirely resolved in exchanges with CASCO.
See also ISO/IEC 27007 for further guidance on auditing an ISMS plus ISO/IEC TS 27008 for guidance on auditing information security controls.
[Note: ISO/IEC 27006-2 was published in 2021 covering PIMS certification against ISO/IEC 27701 but was renumbered in 2025, becoming ISO/IEC 27706.]
Commentary
Certification auditors take only limited interest in the organisation’s information risks and the information security controls that are supposedly being managed through the ISMS: they need only confirm "whether controls are implemented and effective and meet their stated information security objectives". It is largely assumed that any organisation with an operational ISMS in conformity with the standard is, in fact, determining its objectives and managing its information risks diligently.
ISO/IEC 27001 gives organisations latitude on how they design and document their ISMS, and hence certification auditors cannot simply follow a straightforward conformity checklist: they need to understand both management systems and information risk and security concepts. As far as I’m concerned, that’s a good thing!
The requirement to specify the Statement of Applicability on ISO/IEC 27001 conformity certificates has the unfortunate side-effect of impeding maintenance updates to an ISMS if they would affect the SoA, e.g. to respond to newly-identified information risks or to incorporate additional controls. Since that hampers a fundamental principle or purpose of having a management system, it may constitute a substantive defect in ISO/IEC 27006-1 ... and perhaps other ISO management system standards too. In practice, however, it appears nobody (except me?) has noticed and is bothered by this.