- ISO/IEC 27041 | ISO27001security
ISO/IEC 27041:2015 — Information technology — Security techniques — Guidance on assuring suitability and adequacy of incident investigative method (first edition)

Abstract

“ISO/IEC 27041:2015 provides guidance on mechanisms for ensuring that methods and processes used in the investigation of information security incidents are "fit for purpose". ...” [Source: ISO/IEC 27041:2015]

Introduction

The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

Scope

The primary focus of this standard is on assurance for the forensics processes and tools used in the investigation of digital evidence. Credibility, trustworthiness and integrity are fundamental requirements for all forensics methods: this standard promotes the assurance aspects of investigating digital evidence. The standard offers guidance on assuring the suitability and adequacy of the forensic methods used to investigate digital evidence, describing methods through which all stages of the investigation process can be shown to be appropriate (proper and suitable in themselves, and correctly performed).

Structure

Main sections:
- 5: Method development and assurance
- 6: Assurance models
- 7: Production of evidence for assurance
- Annex A: Examples

Status

The current first edition was published in 2015 and confirmed unchanged in 2021.

Commentary

I am puzzled why SC 27 publishes and maintains several distinct forensics standards covering different aspects of forensics, when they are in reality complementary parts of the same process. ISO/IEC 27037 concerns the initial capturing of digital evidence. This standard offers guidance on the assurance aspects of digital forensics, e.g. ensuring that the appropriate methods and tools are used properly. ISO/IEC 27042 covers what happens after digital evidence has been collected, i.e. its analysis and interpretation. ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur. ISO/IEC 27050 (in 4 parts) concerns electronic discovery ... which is pretty much what the other standards cover. British Standard BS 10008 “Evidential weight and legal admissibility of electronically stored information (ESI). Specification” may also be of interest. A multi-part standard would make more sense to me, with an overview explaining how the jigsaw pieces fit together.

This page last updated: 19 November 2025
- ISO/IEC 27018 | ISO27001security
ISO/IEC 27018:2025 — Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors (third edition)

Abstract

ISO/IEC 27018 “establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, [ISO/IEC 27018] specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services ... The guidelines in [ISO/IEC 27018] can also be relevant to organizations acting as PII controllers.” [Source: ISO/IEC 27018:2025]

Introduction

This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them. See also ISO/IEC 27017 covering the wider information security angles of cloud computing, aside from privacy. The standard development project had widespread support from national standards bodies plus the Cloud Security Alliance.

Scope

The standard intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organisations for implementing commonly accepted PII protection controls”. The standard is primarily concerned with public-cloud computing service providers acting as PII processors.

“A public cloud service provider is a 'PII processor' when it processes PII for and according to the instructions of a cloud service customer” [according to the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

The standard interprets rather than duplicates ISO/IEC 27002 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors. ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788 “Cloud computing - overview and vocabulary” and ISO/IEC 29100 “Privacy framework” (a free download!).

Structure

Main sections:
- 6: Organizational controls
- 7: People controls
- 8: Physical controls
- 9: Technological controls
- Annex A: Public cloud PII processor extended control set for PII protection
- Annex B: Correspondence between this document and the first edition ISO/IEC 27018:2019

Status

The first edition was published in 2014. The second edition (a minor revision) was published in 2019. The current third edition was published in 2025, having been updated to reflect ISO/IEC 27002:2022 and offering an ‘extended control set’ aligned with ISO/IEC 29100:2024.

Commentary

The standard builds on ISO/IEC 27002, expanding on its generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations around the globe.

In most sections, it simply says: “The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply.” The expansions or additions are straightforward - no surprises here.
- ISO/IEC 27403 | ISO27001security
ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition)

Abstract

ISO/IEC 27403 “provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.” [Source: ISO/IEC 27403:2024]

Introduction

“Domotics” was originally known as home automation a.k.a. “smart homes”, where domicile or home is described as “The private, hence highly customizable area where someone lives, alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.” Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.

Scope

This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics rather than the “users” (consumers/retail customers). It covers the information security and privacy aspects of device-device interactions (e.g. hubs and subsystems) as well as human-device plus device-sensors/actuators that physically interact with the home, and networking both within the home and beyond (e.g. via Internet gateways).

Structure

Main sections:
- 5: Overview of the stakeholders (IoT device manufacturers, service providers, regulatory authorities and users), the lifecycles for IoT domotics developers, service providers and users, an architectural reference model, and an introduction to the ‘security’ (meaning cybersecurity) and privacy aspects.
- 6: Risk assessment guidelines covering cybersecurity and privacy risks (referring to eight other standards!).
- 7: ‘Security’ and privacy controls.
- Annex A: Use cases - six examples of the principles in action.
- Annex B: ‘Security’ and privacy concerns of various stakeholders with differing perspectives.
- Annex C: Stakeholders’ security and privacy responsibilities.
- Annex D: ‘Security measures’ (cybersecurity and privacy controls) for various IoT domotics devices.

Status

The current first edition was published in 2024.

Commentary

Whereas “IoT” is a common abbreviation, “domotics” is a neologism derived from domus (Latin for house) and robotics.

Rather than simply recommending a bunch of controls, the standard describes typical information [security and privacy] risks relating to domotics, and recommends information security controls to mitigate them, making this a risk-based ISO27k standard. Sounds good in theory, although strictly speaking several of the ‘risks’ described in the draft are in fact weak or missing controls, not risks. Information risks provide the rationale, context or basis for the controls. Helping readers identify and consider the information risks should give them a better appreciation of what the information security controls are meant to achieve - the control objectives. The risks and the controls in the standard are examples to stimulate readers into considering the risks and control objectives in their particular contexts.

Challenges (risks) in the home environment include:
- Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
- Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things physically permanently installed about the home (e.g. smart heating controls, door locks and cat feeders).
- Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence.
- Finite processing and storage capacities, plus limited user interfaces, hamper or constrain their security capabilities.
- Lack of processes for managing security and privacy systematically at home. Any such activities tend to be ad hoc/informal and reactive rather than proactive.
- Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
- Dynamics and diversity: people, devices and services plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment.
- Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices, e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ...
- Physically securing things against accidental or malicious interaction (e.g. someone reading the label with the default password, hitting the reset button, damaging or stealing the device) is difficult.
- Limited ability to manage or control IoT device and service upstream supply chains, as well as the downstream installation, configuration, use, monitoring and maintenance of devices and services, with little if any coordination among the parties.

Given their number, variety and significance, I believe conventional, structured and systematic information risk management is largely impracticable for domotics: there is way too much to do here! In accordance with the risk-based approach that underpins all the ISO27k standards, this standard prioritises some significant information risks, encouraging IoT device and service providers to play their parts - although even that is difficult since they are only providing parts of a complex and dynamic system. The bigger picture remains of concern.
- ISO/IEC TR 27563 | ISO27001security
ISO/IEC TR 27563:2023 — Security and privacy in artificial intelligence use cases — Best practices (first edition)

Abstract

ISO/IEC TR 27563 “outlines best practices on assessing security and privacy in artificial intelligence use cases, covering in particular those published in ISO/IEC TR 24030. The following aspects are addressed: an overall assessment of security and privacy on the AI system of interest; security and privacy concerns; security and privacy risks; security and privacy controls; security and privacy assurance; and security and privacy plans. Security and privacy are treated separately as the analysis of security and the analysis of privacy can differ.” [Source: ISO/IEC TR 27563:2023]

Introduction

This Technical Report analyses and elaborates on the information security and privacy aspects of the 132 use cases for Artificial Intelligence/Machine Learning systems published in ISO/IEC TR 24030:2021 “Information technology - Artificial Intelligence (AI) - use cases”, and provides four additional use cases developed specifically for this TR.

Scope

The standard offers information security and privacy best practice guidance following analysis of ISO/IEC 24030’s use cases.

Structure

Main sections:
- 5: Analysis of security and privacy
- 6: Templates for analysis
- 7: Supporting information
- Annex A: Additional use cases

The information security and privacy implications for related groups of AI/ML use cases have been systematically analysed. The results are summarised in bar charts, followed by tables elaborating on the analyses in a standard format.

Status

The current first edition was published in 2023.

Commentary

Cue tumbleweed ...
- ISO/IEC 27799 | ISO27001security
ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)

Abstract

“ISO 27799:2016 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s). ...” [Source: ISO 27799:2016]

Introduction

This standard offers guidance on information security management and information security controls in the context of the healthcare industry and medical organisations of various kinds - hospitals, labs, surgeries, medical insurers etc.

Scope

The standard helps medical/healthcare organisations interpret and apply the ISO/IEC 27002:2013 information security controls.

Structure

Main sections:
- 5: Information security policies
- 6: Organization of information security
- 7: Human resource security
- 8: Asset management
- 9: Access control
- 10: Cryptography
- 11: Physical and environmental security
- 12: Operations security
- 13: Communications security
- 14: System acquisition, development and maintenance
- 15: Supplier relationships
- 16: Information security incident management
- 17: Information security aspects of business continuity management
- 18: Compliance
- Annex A: Threats to health information security
- Annex B: Practical action plan for implementing ISO/IEC 27002 in healthcare
- Annex C: Checklist for conformance to ISO 27799

Status

The first edition was published in 2008. The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and ’27002, was published in 2016. The third edition is in preparation, following the release of ISO/IEC 27002:2022. It is at Final Draft International Standard stage and may surface later in 2025 with a new title: “Information security controls in health based on ISO/IEC 27002”.

Commentary

This standard was developed and published by ISO technical committee TC 215 responsible for health informatics, rather than JTC 1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it makes little difference to users either way.

Whereas the stated scope is health, the standard has value beyond the intended audience. For example, advice on defining the scope, analysing gaps and establishing an Information Security Management Forum would apply to many organisations from other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002:2013. Even governance merits a few mentions.

The standard reads like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom. The style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!
- ISO/IEC 27566-1 | ISO27001security
ISO/IEC 27566-1 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework [DRAFT]

Abstract

ISO/IEC 27566 part 1 “establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction

This standard will lay out the core principles and a framework for determining someone’s age or age-range independently of their identity, for use in age-related eligibility decisions.

Scope

Age assurance framework.

Structure

Main sections (in draft):
- 4: Overview
- 5: Functional characteristics (~functional requirements)
- 6: Performance characteristics (~assurance and metrics)
- 7: Privacy characteristics (~privacy requirements)
- 8: Security characteristics (~cybersecurity requirements)
- 9: Acceptability characteristics (~nondiscrimination requirements)
- 10: Practice statements (~documenting the arrangements)

Status

The standard development project set out in 2022. Part 1 is at Final Draft International Standard stage and may be published this year or 2026, hopefully free of charge.

Commentary

Whereas self-assertion (e.g. “Click here if you are an adult”) is a simple and commonplace but clearly very weak control, the standard aims to standardise and where necessary strengthen the process of determining someone’s age or age-range without (necessarily) requiring them to disclose their identity and thereby risk compromising their privacy. The cunning plan is to develop and incorporate appropriate assurance controls into the framework indicating confidence in the determined age or age-range, giving policy- and law-makers options when defining age-related criteria for various purposes.

In situations where age is particularly important, additional confidence in the age determination is warranted, even if that implies completing a more involved and lengthy process of age verification, perhaps utilising a third party age-verification service or aggregating multiple age indicators taking account of any contraindications, inconsistencies or doubts. Conversely, if age verification is relatively unimportant, simpler, quicker, cruder approaches may suffice.

Spoofing (e.g. where an older person pretends or claims to be, and completes the age-verification process on behalf of, a youngster, or a child simply presents a fake credential) is just one of the challenges for this project. There are also identities, credentials, tokens and age-verification subsystems and services, plus individual rights and freedoms to protect (such as privacy and inclusivity), in a framework that allows communication and collaboration between age-verifiers.
- ISO/IEC 27033-4 | ISO27001security
ISO/IEC 27033-4:2014 — Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways (first edition)

Abstract

ISO/IEC 27033 part 4 “gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including: identifying and analysing network security threats associated with security gateways; defining network security requirements for security gateways based on threat analysis; using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.” [Source: ISO/IEC 27033-4:2014]

Introduction

Part 4 gives an overview of security gateways, describing different architectures.

Scope

Guidance on securing communications between networks through gateways, firewalls, application firewalls, Intrusion Protection System [sic] etc. in accordance with a policy. Includes identifying and analysing network security threats, defining security control requirements, and designing, implementing, operating, monitoring and reviewing the controls.

Structure

Main sections:
- 6: Overview
- 7: Security threats
- 8: Security requirements
- 9: Security controls
- 10: Design techniques
- 11: Guidelines for product selection

Status

The current first edition of part 4 was published in 2014 and confirmed unchanged in 2019.

Commentary

Outlines how security gateways analyse and control network traffic through:
- Packet filtering;
- Stateful packet inspection;
- Application proxy (application firewalls);
- Network Address Translation;
- Content analysis and filtering.

Guides the selection and configuration of security gateways, choosing the right type of architecture for a security gateway which best meets the security requirements of an organisation. Refers to various kinds of firewall as examples of security gateways. [Firewall is a commonplace term of art that is curiously absent from ISO/IEC 27000 and ISO/IEC 27002, and is not defined explicitly in this standard either. Presumably some ancient ISO standard uses the term to describe a physical barrier impeding the spread of fire and smoke, e.g. from the engine into the passenger compartments of a car.]
- ISO/IEC TS 27022 | ISO27001security
ISO/IEC TS 27022:2021 — Information technology — Guidance on information security management system processes (first edition)

Abstract

ISO/IEC TS 27022 “defines a process reference model (PRM) for the domain of information security management, which is meeting the criteria defined in ISO/IEC 33004 for process reference models (see Annex A). It is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018, 4.3, within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS. [ISO/IEC TS 27022] is complementing the requirements-oriented perspective of ISO/IEC 27003 with an operational, process-oriented point of view.” [Source: ISO/IEC TS 27022:2021]

Introduction

The standard (a Technical Specification) “provides a process reference model (PRM) for information security management, which differentiates between ISMS processes and measures/controls initiated by them ... [and] describes the ISMS processes implied by ISO/IEC 27001.” The standard is based on a PhD thesis.

Scope

The standard lays out, in some detail, a Process Reference Model comprising a generic suite of ISMS processes that organisations may wish to use as a basis for designing custom processes within their own ISMS. The standard “is intended to guide users of ISO/IEC 27001 to: incorporate the process approach as described by ISO/IEC 27000:2018 clause 4.3 within the ISMS; be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes; support users in the operation of an ISMS – the document will complement the requirements oriented perspective of ISO/IEC 27003 with an operational, process oriented point of view.” The standard does not define any new ISMS requirements, beyond those already defined in ISO/IEC 27001. In other words, it is advisory rather than mandatory.

Structure

The ISMS processes described fall into 3 “categories” (types or groups), i.e.:
- Governance activities (confusingly titled ‘management processes’) - direction and oversight for the ISMS;
- Core operations, e.g. information risk and security management, policy management, incident management, internal audits ...; and
- Support, e.g. records management, communicating with interested parties about the ISMS, managing relationships with ISMS ‘customers’ ...

The processes are each laid out in an Appendix, first as a table specifying:
- Process “category” denoting the type of process
- A brief description
- Objective/purposes
- Input[s] and Output[s]
- Activities/functions, i.e. a few words for each of the main steps in the process
- Informative references.

The table is followed by a flowchart summarising the process on one side or less.

Status

The current first edition was published in 2021. An amendment updating references to ISO/IEC 27001:2022 and other ISO27k standards was in preparation in 2024 but the proposed revision of the standard was dropped due to lack of expert support.

Commentary

Mature organisations may already have processes for:
- Asset management;
- Audit management, both internal and external;
- Business continuity management (see ISO 22301);
- Change management plus configuration management and version control;
- Continuous improvement and maturity management;
- Database [security] management;
- Exemption management (management-approved nonconformity with policies);
- Facilities management including power and other services for the computer room;
- Identity, access rights and user account management;
- Incident management including incident investigation and forensics;
- Information management in general;
- Information [security] risk management (partly covered by ISO/IEC 27005);
- Information security management (covered by ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27003 and others);
- IT!
- Internal audits and certification audits;
- Key management, plus the rest of cryptography;
- Log management, plus alarms and alerts;
- Metrics and management information management (partly covered by ISO/IEC 27004);
- Monitoring and oversight of the risk management and security arrangements;
- Patching, including emergency arrangements for urgent fixes;
- Performance and capacity management;
- Personnel/HR management including “onboarding” and “offboarding” (nasty neologisms!);
- Preventive and corrective actions;
- Quality management, especially quality assurance;
- Service management [organisations that are heavily process-oriented may be using ITIL/ISO 20000, in which case ISO/IEC 27013 is applicable];
- Supplier/vendor relationship management, including telecomms, Internet and cloud services, outsourced development, contract security guards, maintenance/servicing, professional services (consulting, contracting, accounting, tax advising) etc.;
- System and network [security] management;
- System/software development and testing ...
- ... and more.

Providing generally-applicable advice without imposing further constraints is challenging. The processes need to be described without losing the flexibility to cater for myriad differences between organisations. In particular, the processes need to be valuable (cost-effective) in practice to justify their existence, for instance by:
- Removing unnecessary bureaucracy, rationalising and justifying whatever remains;
- Facilitating or encouraging process automation and innovation where applicable;
- Facilitating or encouraging use of existing processes, adapting them where necessary;
- Perhaps re-using effective ISMS processes elsewhere in the organisation;
- Managing the processes themselves, e.g. management processes for monitoring, reviewing, evaluating and maintaining the ISMS processes, responding to changes, identifying and exploiting improvement opportunities etc.

It would be unfortunate if ISMS processes were perceived as distinct from normal operations, rather than being integral to the organisation’s routine activities. The process for managing an information security or privacy incident, for example, is essentially the same as that for managing any other incident, hence it is generally unnecessary to create an alternative incident management process if the existing one (perhaps with a few tweaks) is effective.
- ISO/IEC 27566-3 | ISO27001security
ISO/IEC 27566-3 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 3: Approaches to analysis or comparison [DRAFT]

Abstract

ISO/IEC 27566 part 3 “establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components. The document includes metrics, elements and indicators of effectiveness for age assurance systems or components.” [Source: project team]

Introduction

Part 3 concerns assurance regarding the accuracy of age verification approaches such as facial imagery, offering techniques to measure, analyse and compare approaches - for example when adult website or application designers are considering various ways to distinguish children from adults.

Scope

Measuring relevant characteristics and analysing them in order to assess the suitability of various age assurance approaches.

Structure

Main sections (in Committee Draft):
- 5: Approaches to analysis or comparison
- 6: Indicators of effectiveness
- 7: Analysis considerations
- 8: Characteristics and measurements for age assurance components
- 9: General reporting principles
- Annex A: Effectiveness analysis
- Annex B: Example analysis report
- Annex C: Document authenticity
- Annex D: Use case examples
- Annex E: Indicative effectiveness banding
- Annex F: Measurement of the classification accuracy for classification models using facial analysis
- Annex G: Sample breakdowns, liveness detection and biometric presentation attack detection for facial age estimation methods
- Annex H: Image quality impact for age estimation methods using facial analysis

Status

The standard development project set off in 2023. This was originally destined to become part 2, then shifted to part 3. Part 3 is at Working Draft stage.

Commentary

Fade to black
- ISO/IEC 27706 | ISO27001security
Up Up Up ISO/IEC 27706 ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems (first edition) Up Abstract ISO/IEC 27706 "specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in [ISO/IEC 27706] are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in [ISO/IEC 27706] provides additional interpretation of these requirements for bodies providing PIMS certification. NOTE [ISO/IEC 27706] can be used as a criteria document for accreditation, peer assessment or other audit processes.” [Source: ISO/IEC 27706:2025] Introduction This accreditation standard guides certification bodies on the formal processes they must follow when auditing clients’ P rivacy I nformation M anagement S ystems against ISO/IEC 27701 in order to certify or register them. The accreditation processes laid out in the standard give assurance that ISO/IEC 27701 certificates issued by accredited organisations are valid, comparable, meaningful and hence commercially valuable. Scope This standard is primarily aimed at PIMS certification auditors ("conformity assessors"). It may also be used for peer assessment or other PIMS audit processes such as internal or supplier privacy audits. For consistency across the globe, any properly-accredited body providing ISO/IEC 27701 certificates must fulfill the requirements in this standard plus ISO/IEC 17021-1 . 
The auditors' competence, suitability and reliability to perform their work properly are necessary to ensure that issued ISO/IEC 27701 certificates are meaningful and valuable: if literally anyone could issue PIMS certificates without following the certification processes specified by this standard, even substantially non-conformant organisations could conceivably buy their certificates or simply 'self-certify' (assert rather than demonstrate conformity). Accreditation of the certification bodies is an important assurance control for those who depend or rely upon the certificates - including, by the way, the certified organisations themselves.

Structure The standard formally specifies requirements and offers guidance for conformity auditing specifically in the context of PIMSs, in addition to the general accreditation requirements laid down by ISO/IEC 17021-1 plus ISO/IEC 17000 and ISO/IEC 27701. ISO/IEC 27706 is firmly based on ISO/IEC 17021-1, with the same structure:
Preamble, introduction, scope, normative references, definitions ...
4: Principles
5: General requirements
6: Structural requirements
7: Resource requirements
8: Information requirements
9: Process requirements
10: Management system requirements for certification bodies
Annex A: Audit time
Annex B: Methods for audit time calculations
Annex C: Required knowledge and skills
To avoid unnecessary duplication, each section mostly makes statements of the form "The requirements of ISO/IEC 17021-1, [section number] apply".

Status The current first edition was published in 2025 to coincide with the 2025 update to ISO/IEC 27701. This standard updated and replaced ISO/IEC TS 27006-2:2021, replacing that document's references to ISO/IEC 27001 with references to ISO/IEC 17021-1. ISO/IEC 27006-2 was officially withdrawn at the same time.
Commentary In the same manner that ISO/IEC 27006-1 specifies requirements for certification of an ISMS against ISO/IEC 27001, the PIMS certification process involves auditing the management system (specifically) for conformity with the mandatory requirements in ISO/IEC 27701. Certification auditors have only a passing interest in the actual privacy arrangements being managed by the management system, doing sufficient checks to confirm that the PIMS is operational. It is presumed that any organisation with a PIMS conforming to the standard probably does in fact have suitable privacy controls in place, and will ensure they remain appropriate and functional through the operation of said PIMS. More subtly, the standard does not demand particular, detailed privacy arrangements or controls that may be inappropriate or insufficient if implemented in some situations, and so hopefully reduces the possibility of assertive certification auditors seeking to second-guess or override informed management decisions about how the organisation is addressing its privacy risks. The auditors' job is simply to provide assurance by assessing conformity of the management system with the mandatory requirements of ISO/IEC 27701.

This page last updated: 19 November 2025
