ISO/IEC 27006, “Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems,” 2015 Edition has just been released. The new Edition 3.0 is a technical revision of the 2nd Edition from 2011. As such, it cancels and replaces the previous edition. You can get your copy now from Document Center Inc.
The ISO/IEC 27006 is used by both certification bodies (CB’s) and those organizations who are registered for ISO/IEC 27001, “Information technology – Security techniques – Information security management systems – Requirements.” It contains the criteria for those CB’s that provide auditing and certification services for security management systems, known as ISMS’s. If you’re a CB, of course you need to meet the requirements of ISO/IEC 27006. But if you’re registered, the standard will help you understand what to expect of your auditor.
While the sections of the standard remain constant from Edition 2 to Edition 3, you’ll notice that the organization of the information within those sections has been changed. Nowhere is this more noticable than in Section 9 on process requirements. Here’s how Section 9 on Process requirements in the 2nd Edition was organized:
- 9.1 General requirements
- 9.2 Initial audit and certification
- 9.3 Surveillance activities
- 9.4 Recertification
- 9.5 Special audits
- 9.6 Suspending, withdrawing or reducing scope of certification
- 9.7 Appeals
- 9.8 Complaints
- 9.9 Records of applicants and clients
Now compare and contrast that with the organization of the same Section 9 in the new ISO/IEC 27006 Edition 3.0:
- 9.1 Pre-certification activities
- 9.2 Planning audits
- 9.3 Initial certification
- 9.4 Conducting audits
- 9.5 Certification decision
- 9.6 Maintaining certification
- 9.7 Appeals
- 9.8 Complaints
- 9.9 Client records
As you can see, the same material is addressed but from a new perspective.
I also want to bring another major change to your attention. There are still 4 Annexes in the new 2015 Edition for ISO/IEC 27006. However, they now cover different material. Annex A is informative and is on knowledge and skills for ISMS auditing and certification. Annex B is normative (must be obeyed!) and is on Audit Time. Annex C is on methods for audit time calculations. Annex D is still the guidance for review of implemented ISO/IEC 27001:2013 (instead of 2005), with the Annex A controls. And the document now has a three item Bibliography, which the previous edition did not have.
Now to get yourself a copy. Search for and order any ISO, IEC and ISO/IEC standards at the Document Center website, www.document-center.com. Here is a direct link for the ISO/IEC 27006. You’ll have the option to order your documents in paper format or for pdf download. Want multi-user access? Ask about our enterprise solution, Standards Online. Our staff is available for you by phone (650-591-7600) and email (info@document-center.com). We’ve been working with standards since 1982 and have the knowledge to help you with your compliance documentation requirements. Make us your Standards Experts!