DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27006
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2015-01-20
Voting terminates on: 2015-04-20
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH. IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS. RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/IEC DIS 27006:2014(E)
© ISO/IEC 2014
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. + 41 22 749 01 11. Fax + 41 22 749 09 47. E-mail [email protected]. Web www.iso.org.
Published in Switzerland
© ISO/IEC 2014 – All rights reserved
Contents

Foreword ..... vi
Introduction ..... vii
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Principles ..... 2
5 General requirements ..... 2
5.1 Legal and contractual matters ..... 2
5.2 Management of impartiality ..... 2
5.2.1 IS 5.2 Conflicts of interest ..... 2
5.3 Liability and financing ..... 2
6 Structural requirements ..... 2
7 Resource requirements ..... 3
7.1 Competence of personnel ..... 3
7.1.1 IS 7.1.1 General considerations ..... 3
7.1.2 IS 7.1.2 Determination of Competence Criteria ..... 3
7.2 Personnel involved in the certification activities ..... 7
7.2.1 IS 7.2 Demonstration of auditor knowledge and experience ..... 7
7.3 Use of individual external auditors and external technical experts ..... 8
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team ..... 8
7.4 Personnel records ..... 8
7.5 Outsourcing ..... 8
8 Information requirements ..... 8
8.1 Public information ..... 8
8.2 Certification documents ..... 8
8.2.1 IS 8.2 ISMS Certification documents ..... 8
8.3 Reference to certification and use of marks ..... 8
8.3.1 IS 8.3 Control of certification marks ..... 8
8.4 Confidentiality ..... 9
8.4.1 IS 8.4 Access to organizational records ..... 9
8.5 Information exchange between a certification body and its clients ..... 9
9 Process requirements ..... 9
9.1 Pre-certification activities ..... 9
9.1.1 Application ..... 9
9.1.2 Application review ..... 9
9.1.3 Audit programme ..... 9
9.1.4 Determining audit time ..... 11
9.1.5 Multi-site sampling ..... 11
9.1.6 Multiple management systems ..... 12
9.2 Planning Audits ..... 12
9.2.1 Determining audit objectives, scope and criteria ..... 12
9.2.2 Audit team selection and assignments ..... 12
9.2.3 Audit plan ..... 13
9.3 Initial certification ..... 13
9.3.1 IS 9.3.1 Initial certification audit ..... 13
9.4 Conducting audits ..... 14
9.4.1 IS 9.4 General ..... 14
9.4.2 IS 9.4 Audit report ..... 14
9.5 Certification decision ..... 15
9.5.1 IS 9.5 Certification decision ..... 15
9.6 Maintaining certification ..... 15
9.6.1 General ..... 15
9.6.2 Surveillance activities ..... 16
9.6.3 Recertification ..... 17
9.6.4 Special audits ..... 17
9.6.5 Suspending, withdrawing or reducing the scope of certification ..... 17
9.6.6 Appeals ..... 17
9.6.7 Complaints ..... 17
9.6.8 Client records ..... 17
10 Management system requirements for certification bodies ..... 17
10.1 Options ..... 17
10.1.1 IS 10.1 ISMS implementation ..... 18
10.2 Option A: General management system requirements ..... 18
10.3 Option B – Management system requirements in accordance with ISO 9001 ..... 18
Annex A (informative) Knowledge and skills for ISMS auditing and certification ..... 19
A.1 Overview ..... 19
A.2 General competence considerations ..... 20
A.3 Specific knowledge and experience considerations ..... 20
A.3.1 Typical knowledge related to ISMS ..... 20
Annex B (normative) Audit time ..... 21
B.1 Introduction ..... 21
B.2 Concepts ..... 21
B.2.1 Effective number of persons doing work under the organization's control ..... 21
B.2.2 Audit time ..... 22
B.2.3 Auditor day ..... 22
B.2.4 Temporary site ..... 22
B.3 Procedure for determining audit time for initial audit ..... 22
B.3.1 General ..... 22
B.3.2 Remote audit ..... 22
B.3.3 Audit time calculation ..... 22
B.3.4 Factors for adjustment of audit time ..... 24
B.3.5 Limitation of deviation of audit time ..... 25
B.4 Audit time for surveillance audit ..... 25
B.5 Audit time for recertification audit ..... 25
B.6 Audit time of multi-site ..... 25
Annex C (informative) Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls ..... 27
C.1 Purpose ..... 27
C.1.1 Audit evidence ..... 27
C.2 How to use Table C.1 ..... 27
C.2.1 General ..... 27
C.2.2 Columns “Organizational control” and “Technical control” ..... 27
C.2.3 Column “System testing” ..... 28
C.2.4 Column “Visual inspection” ..... 28
C.2.5 Column “Audit review guidance” ..... 28
Annex D (informative) Methods for audit time calculations ..... 40
D.1 General ..... 40
D.2 Classification of factors for calculating audit time ..... 40
D.3 Example for audit time calculation ..... 42
Bibliography ..... 45
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

This third edition cancels and replaces the second edition (ISO/IEC 27006:2011), which has been technically revised.
Introduction

ISO/IEC 17021-1 sets out criteria for bodies operating audit and certification of management systems. If such bodies are to be accredited as complying with ISO/IEC 17021-1 with the objective of auditing and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2013, some additional requirements and guidance to ISO/IEC 17021-1 are necessary. These are provided by this International Standard.

The text in this International Standard follows the structure of ISO/IEC 17021-1, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021-1 for ISMS certification are identified by the letters “IS”.

The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting the requirements of ISO/IEC 17021-1 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate recommendation.

One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their application of the standards against which they are bound to assess certification bodies.

NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems.
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021-1:201X, Conformity assessment — Requirements for bodies providing audit and certification of management systems
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021-1, ISO/IEC 27000 and the following apply.
3.1
certification documents
documents indicating that a client's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system
3.2
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has