ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition)
Abstract
“[ISO/IEC 27706] specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27706] are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in [ISO/IEC 27706] provides additional interpretation of these requirements for bodies providing PIMS certification. NOTE [ISO/IEC 27706] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27706:2025 scope]
Introduction
This accreditation standard guides certification bodies on the formal processes they must follow when auditing clients’ Privacy Information Management Systems against ISO/IEC 27701 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27701 certificates issued by accredited organisations are valid, comparable, meaningful and hence commercially valuable.
Scope and purpose
This standard is primarily aimed at PIMS certification auditors. It may also be used for peer assessment or other PIMS audit processes such as internal or supplier privacy audits.
Any properly accredited body providing ISO/IEC 27701 certificates must fulfil the requirements in this standard plus ISO/IEC 17021-1. Its auditors’ competence, suitability and reliability to perform their work properly are necessary to ensure that issued ISO/IEC 27701 certificates are meaningful: if literally anyone were able to issue PIMS certificates without necessarily following the certification processes specified by this standard, even substantially non-conformant organisations could conceivably buy their certificates or simply ‘self-certify’ (assert rather than demonstrate conformity). Accreditation is an assurance control.
Content
The standard formally specifies requirements and offers guidance for conformity auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 plus ISO/IEC 17000 and ISO/IEC 27701.
ISO/IEC 27706 is firmly based on ISO/IEC 17021-1, with the same structure:
- Preamble, introduction, scope, normative references, definitions ...
- Principles
- General requirements
- Structural requirements
- Resource requirements
- Information requirements
- Process requirements
- Management system requirements for certification bodies
- Annex A: audit time
- Annex B: methods for audit time calculations
- Annex C: required knowledge and skills
To avoid unnecessary duplication, each section mostly makes statements of the form “The requirements of ISO/IEC 17021-1, [section number] apply”.
Status of the standard
This standard updated and replaced ISO/IEC TS 27006-2:2021, replacing references in the first edition to ISO/IEC 27001 with references to ISO/IEC 17021-1. ’27006-2 was officially withdrawn.
It was published in October 2025.
Personal comments
In the same manner as ISO/IEC 27006-1 specifies requirements for certification of an ISMS against ISO/IEC 27001, the PIMS certification process involves auditing the management system (specifically) for conformity to the mandatory requirements in ISO/IEC 27701. Certification auditors have only a passing interest in the actual privacy arrangements that are being managed by the management system, doing sufficient checks to confirm that the PIMS is operational. It is presumed that any organisation with a PIMS that conforms to the standard probably does in fact have suitable privacy controls in place, and will ensure they remain appropriate and functional due to the operation of said PIMS. More subtly, the standard does not demand particular, detailed privacy arrangements or controls that may be inappropriate or insufficient if implemented in some situations, and hopefully reduces the possibility of assertive certification auditors seeking to second-guess or override informed management decisions about how the organisation is addressing its privacy risks. The auditors’ job is simply to provide assurance by assessing conformity of the management system with the mandatory requirements of ISO/IEC 27701.