ISO/IEC 27006 2015 Released – Security Management Systems Certifiers

ISO/IEC 27006, “Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems,” 2015 Edition has just been released.  The new Edition 3.0 is a technical revision of the 2nd Edition from 2011.  As such, it cancels and replaces the previous edition.  You can get your copy now from Document Center Inc.

The ISO/IEC 27006 is used by both certification bodies (CB’s) and those organizations who are registered for ISO/IEC 27001, “Information technology – Security techniques – Information security management systems – Requirements.”  It contains the criteria for those CB’s that provide auditing and certification services for security management systems, known as ISMS’s.  If you’re a CB, of course you need to meet the requirements of ISO/IEC 27006.  But if you’re registered, the standard will help you understand what to expect of your auditor.

While the sections of the standard remain constant from Edition 2 to Edition 3, you’ll notice that the organization of the information within those sections has been changed.  Nowhere is this more noticable than in Section 9 on process requirements.  Here’s how Section 9 on Process requirements in the 2nd Edition was organized:

  • 9.1 General requirements
  • 9.2 Initial audit and certification
  • 9.3 Surveillance activities
  • 9.4 Recertification
  • 9.5 Special audits
  • 9.6 Suspending, withdrawing or reducing scope of certification
  • 9.7 Appeals
  • 9.8 Complaints
  • 9.9 Records of applicants and clients

Now compare and contrast that with the organization of the same Section 9 in the new ISO/IEC 27006 Edition 3.0:

  • 9.1 Pre-certification activities
  • 9.2 Planning audits
  • 9.3 Initial certification
  • 9.4 Conducting audits
  • 9.5 Certification decision
  • 9.6 Maintaining certification
  • 9.7 Appeals
  • 9.8 Complaints
  • 9.9 Client records

As you can see, the same material is addressed but from a new perspective.

I also want to bring another major change to your attention.  There are still 4 Annexes in the new 2015 Edition for ISO/IEC 27006.  However, they now cover different material.  Annex A is informative and is on knowledge and skills for ISMS auditing and certification.  Annex B is normative (must be obeyed!) and is on Audit Time.  Annex C is on methods for audit time calculations.  Annex D is still the guidance for review of implemented ISO/IEC 27001:2013 (instead of 2005), with the Annex A controls.  And the document now has a three item Bibliography, which the previous edition did not have.

Now to get yourself a copy.  Search for and order any ISO, IEC and ISO/IEC standards at the Document Center website,  Here is a direct link for the ISO/IEC 27006.  You’ll have the option to order your documents in paper format or for pdf download.  Want multi-user access?  Ask about our enterprise solution, Standards Online.  Our staff is available for you by phone (650-591-7600) and email (  We’ve been working with standards since 1982 and have the knowledge to help you with your compliance documentation requirements.  Make us your Standards Experts!

Published by

Claudia Bach

Claudia Bach is the President of Document Center Inc. and a world-wide recognized expert on Standards and Standards Distribution. You can connect with her on Google+

Leave a Reply

Your email address will not be published. Required fields are marked *