ISO/IEC 27006, part of a growing family of ISO/IEC Information Security Management System (ISMS) standards, the 'ISO/IEC 27000 series', is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27006 lays out formal requirements for accredited organizations that certify other organizations as compliant with ISO/IEC 27001.
It effectively replaces EA 7/03 (Guidelines for the Accreditation of Bodies Operating Certification/Registration of Information Security Management Systems).
The standard helps ensure that ISO/IEC 27001 certificates issued by accredited organizations are meaningful and trustworthy; in other words, it is a matter of assurance.
Outline of the Standard
The standard contains the following ten sections:
- 1: Scope;
- 2: Normative references;
- 3: Terms and definitions;
- 4: Principles;
- 5: General requirements;
- 6: Structural requirements;
- 7: Resource requirements;
- 8: Information requirements;
- 9: Process requirements;
- 10: Management system requirements for certification bodies.