ISO/IEC 27006:2015 – Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems (3rd edition)
To be accredited, certification bodies must follow ISO/IEC 27006 when certifying or registering their clients’ Information Security Management Systems against ISO/IEC 27001. The accreditation process the standard lays out is what makes ISO/IEC 27001 certificates issued by accredited bodies valid and meaningful.
Scope and objectives
The aim of ISO/IEC 27006 is to set forth standards for those bodies tasked with auditing and certifying information security management systems (ISMS), in addition to those specified by ISO/IEC 17021 and ISO/IEC 27001. Specifically, it is intended to provide accreditation for companies that provide ISMS certification.
To issue ISO/IEC 27001 compliance certificates, a properly accredited body has to meet the requirements of ISO/IEC 27006, ISO/IEC 17021-1 and ISO 19011 concerning its competence, suitability and reliability for the work. The purpose is to ensure that compliance certificates issued under ISO/IEC 27001 are meaningful, i.e. that the certified organization has truly met all of the requirements of ISO/IEC 27001. If anyone could issue ISMS certificates without necessarily following the certification process this standard specifies, even non-compliant organizations would be able to purchase their certificates or simply self-certify (asserting rather than demonstrating compliance), scuppering the entire certification process.
In addition to the general accreditation requirements laid out in ISO/IEC 17021-1 and ISO 19011, ISO/IEC 27006 specifies requirements and gives guidance for compliance auditing specific to ISMSs.
Audits are conducted to establish that the management system complies with the ISO/IEC 27001 standard. In auditing the management system, certification auditors are only remotely interested in the actual information risks and the control measures implemented to treat them: an organization with a compliant ISMS is assumed to be managing its information risks diligently.
The standard’s status
Originally published in 2007, ISO/IEC 27006 incorporates and replaces the EA7/03 guidance on accredited certification processes.
The second edition, reflecting changes to ISO/IEC 17021, was published in 2011.
In 2015, the current third edition was substantially revised based on revisions to ISO/IEC 27001, ISO 19011 and ISO/IEC 17021-1.
The amendment in 2020 contains minor wording changes.
Work on a fourth edition was due to start at the end of 2020. The new version will reference part 2 and possibly certification of other sector-specific information risk management and security systems. It should also fix the problem of the ‘should’ and ‘shall’ verb forms being mixed up in the text, and resolve other inconsistencies and errors. Approximately two years will be needed to complete the revision.
The revised title is: “Requirements for bodies providing audit and certification of information security management systems – Part 1: General”, presumably prepended with “Information security, cybersecurity and privacy protection —”.
A problem with the current third edition of 27006 is its recommendation to base the number of audit days required on the number of employees in the organization, which is a rather odd basis. It may be useful to know how many employees fall within the ISMS scope, but surely auditors should draw on their knowledge of similar organizations, of similar maturity, in similar industries when deciding how many audit days to schedule? Audit planning is, in general, a matter of determining the specific audit risks, which are a particular subset of information risks. If auditors cannot be trusted to work this out on their own, discuss it with their clients and agree it, then there are bigger problems at stake than how many audit days get planned!
ISO/IEC 27001 gives organizations a wide range of choices in designing and documenting their ISMS, so certification auditors need a correspondingly deep understanding of both management systems and security issues. From my perspective, that is a good thing!
If you are concerned enough about someone else’s compliance with ISO/IEC 27001 to ask to see their certificate, you should make sure that the certificate:
– Is legitimate and current (verify this with the certification body);
– Belongs to the organization you are actually interested in (it may cover only certain subsidiaries or legal/paper entities rather than the one you are dealing with);
– Was issued by a certification body that is properly accredited to issue ISO/IEC 27001 certificates (which indicates that it has certified auditors and follows the certification process); yes, this can be checked on the accreditation body’s website;
– Covers the appropriate ISMS (check the formal scope and the SOA as well!).
Otherwise, what’s the point of asking? You might as well take their word for it: “Oh yeah, we are secure, certified, compliant, etc.”
Note: You, as a professional, are personally responsible for your decision to rely on their certificate and any additional assurance checks you conduct.
Having to specify the scope of an ISMS on ISO/IEC 27001 compliance certificates has the unfortunate effect of impeding the updating or maintenance of an ISMS wherever that would change its scope, e.g. to incorporate newly identified information risks. Hindering a fundamental principle and purpose of having a management system in this way is a substantial flaw in ISO/IEC 27006, and possibly in other ISO27k standards as well.
ISO/IEC TS 27006-2:2021
Information security, cybersecurity and privacy protection – Standards for certification and auditing information security management systems
Part 2: Privacy information management systems
This accreditation standard outlines the formal processes that certification bodies must follow to audit their clients’ Privacy Information Management Systems against ISO/IEC 27701 and ISO/IEC 27001 before they can certify and register them as compliant. By requiring accredited organizations to adhere to the accreditation process, ISO/IEC 27701 certificates issued by accredited organizations are legitimate, comparable and trustworthy.
Scope and objectives
As stated in the ISO/IEC TS 27006-2, the standard aims to:
“Establish requirements and guide bodies responsible for assessing and certifying privacy information management systems (PIMS) using ISO/IEC 27701 and ISO/IEC 27001, as well as the standards ISO/IEC 27006 and ISO/IEC 27701. It is geared toward supporting certification body accreditations for PIMS.”
Peer assessments and other PIMS audit processes, such as internal auditing, can be conducted using this standard.
In addition to completing the requirements in this standard, all accredited bodies that issue ISO/IEC 27701 conformity certificates must also satisfy the following normative requirements:
– ISO/IEC 17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements
– ISO/IEC 27006:2015 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
– ISO/IEC 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary
– ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
– ISO/IEC 27701:2019 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines
– ISO/IEC 29100:2011 Information technology – Security techniques – Privacy framework
These bodies must be competent, reliable and capable of performing their tasks in a way that ensures accredited ISO/IEC 27701 certificates are meaningful: if just anyone could issue PIMS certificates without necessarily following this standard’s certification process, even substantially non-compliant organizations could purchase compliance certificates (claiming compliance rather than demonstrating it). The accreditation process is a control to ensure quality.
Besides the general accreditation requirements laid down by ISO/IEC 17021-1 and the other normative standards, this standard specifies formal requirements and gives guidance for compliance auditing specific to PIMSs.
Part 2 follows the same structure as part 1, with statements such as “The requirements of ISO/IEC 27006, [section number] apply.” followed by “In addition, the following requirements and guidance apply.” and then a formal statement of the additional requirements. A PIMS certification auditor needs to be familiar with ISO/IEC 27701, whereas an ISMS certification auditor does not.
As in part 1, the management system is assessed for conformance, here to ISO/IEC 27701 as well as ISO/IEC 27001. Certification auditors are only marginally interested in the details of how privacy concerns are actually managed: an organization with a compliant PIMS is assumed to have implemented adequate privacy controls.
The standard’s status
SC 27 commenced work in 2019, initially on a document numbered ISO/IEC 27558, which then became ISO/IEC TS 27006-2. Due to market pressure for PIMS certification, the project moved at lightning speed (for SC 27!).
Part 2 was released in February 2021.
In the same vein as ISMS certification under ‘27001, part 2 of ‘27006 focuses on the management system. To obtain certification, an organization must comply with all of the requirements of ‘27701, which is subtly different from actually implementing appropriate privacy arrangements. The challenge for compliance auditors is that ‘27701 does not define ‘appropriate’; that is determined by the organization.
The time anticipated for a PIMS audit is specified as a proportion of the time needed for an ISMS certification audit, so that PIMS and ISMS certification can be carried out together. I am dubious about the need to define audit time in the standards at all. I would be more comfortable if the compliance auditors of accredited certification bodies determined it together with their clients, after discussing the most relevant factors, such as the size, complexity and scope of the PIMS and the level of assurance required by third parties. Maybe I am naive to assume that auditors will plan and carry out their assignments without undue commercial pressure from management.