INCITS/ISO/IEC 27006:2012
Superseded
A superseded Standard is one that has been fully replaced by another Standard, which is a new edition of the same Standard.
INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS
Hardcopy, PDF
19-04-2024
English
01-01-2012
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matter
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the certification activities
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Certification documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
8.5 Confidentiality
8.6 Information exchange between a certification body and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing scope of certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 - Management system requirements in accordance with ISO 9001
10.3 Option 2 - General management system requirements
Annex A (informative) Analysis of a client organization's complexity and sector-specific aspects
A.1 Organization's risk potential
A.2 Sector-specific categories of information security risk
Annex B (informative) Example areas of auditor competence
B.1 General competence considerations
B.2 Specific competence considerations
Annex C (informative) Audit time
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls
Describes requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001.
Committee: CS1
DocumentType: Standard
Pages: 44
PublisherName: Information Technology Industry Council
Status: Superseded
SupersededBy: (not listed)
Supersedes:
ISO 19011:2011 | Guidelines for auditing management systems
ISO/IEC 27001:2013 | Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 17021:2011 | Conformity assessment - Requirements for bodies providing audit and certification of management systems