ISO/IEC 27006:2011
Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006:2011 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in ISO/IEC 27006:2011 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in ISO/IEC 27006:2011 provides additional interpretation of these requirements for any body providing ISMS certification.
Frequently Asked Questions
ISO/IEC 27006:2011 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems". Its scope is described in the abstract above.
ISO/IEC 27006:2011 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 27006:2011 has the following relationships with other standards: it is linked to ISO/IEC 27006:2015 and to ISO/IEC 27006:2007 (the first edition, which this second edition cancels and replaces). Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 27006:2011 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27006
Second edition
2011-12-01
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matter
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the certification activities
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Certification documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
8.5 Confidentiality
8.6 Information exchange between a certification body and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing scope of certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 – Management system requirements in accordance with ISO 9001
10.3 Option 2 – General management system requirements
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects
Annex B (informative) Example areas of auditor competence
Annex C (informative) Audit time
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically
revised.
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing
and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005,
some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this
International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their
application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
INTERNATIONAL STANDARD ISO/IEC 27006:2011(E)
Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other
audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies shall
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of
c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards (see 9.1.1.1);
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities shall not result in the provision of recommendations or advice that would contravene this clause
and the certification body shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
5.3 Liability and financing
The requirements from ISO/IEC 17021:2011, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2011, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2011, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1.1 General considerations
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence is appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS 7.1.2 Determination of Competence Criteria
Additional information on knowledge and skills is provided in Annex B to support the competence criteria of
ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and skills to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021
on a periodic basis for continuing conformity with relevant requirements and for verifying and recording
that a client organization takes corrective action on a timely basis to correct all nonconformities.
8.2 Certification documents
The requirements from ISO/IEC 17021:2011, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.2.1 IS 8.2 ISMS Certification documents
The certification body shall provide to each of its client organizations whose ISMS is certified, certification
documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For
the client organization and each of its information systems covered by the certification, these documents shall
identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is
certified. In addition, the certificate shall include a reference to the specific version of the Statement of
Applicability.
NOTE A change to the Statement of Applicability which does not change the coverage of the controls of the scope of
certification need not require an update of the certificate.
8.3 Directory of certified clients
The requirements from ISO/IEC 17021:2011, Clause 8.3 apply.
8.4 Reference to certification and use of marks
The requirements from ISO/IEC 17021:2011, Clause 8.4 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.4.1 IS 8.4 Control of certification marks
The certification body shall exercise proper control over ownership, use and display of its ISMS certification
marks. If the certification body confers the right to use a mark to indicate certification of an ISMS, the
certification body shall ensure that the client organization uses the specified mark only as authorised in writing
by the certification body. The certification body shall not entitle the client organization to use this mark on a
product, or in a way that may be interpreted as denoting product conformity.
8.5 Confidentiality
The requirements from ISO/IEC 17021:2011, Clause 8.5 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.5.1 IS 8.5 Access to organizational records
Before the certification audit, the certification body shall ask the client organization to report if any ISMS
records cannot be made available for review by the audit team because they contain confidential or sensitive
information. The certification body shall determine whether the ISMS can be adequately audited in the
absence of these records. If the certification body concludes that it is not possible to adequately audit the
ISMS without reviewing the identified confidential or sensitive records, it shall advise the client organization
that the certification audit cannot take place until appropriate access arrangements are granted.
8.6 Information exchange between a certification body and its clients
The requirements from ISO/IEC 17021:2011, Clause 8.6 apply.
9 Process requirements
9.1 General requirements
The requirements from ISO/IEC 17021:2011, Clause 9.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
9.1.1 IS 9.1.1 General ISMS audit requirements
9.1.1.1 Certification audit criteria
The criteria against which the ISMS of a client are audited shall be those outlined in the ISMS standard
ISO/IEC 27001 and other documents required for certification relevant to the function performed. If an
explanation is required as to the application of these documents to a specific certification programme, then
such an explanation shall be given by a relevant and impartial committee or persons possessing the
necessary technical competence and published by the certification body.
9.1.1.2 Policies and procedures
The documentation of the certification body shall include the policy and procedures for implementing the
certification process, including checks of the use and application of documents used in certification of ISMSs
and the procedures for auditing and certifying the client organization’s ISMS.
9.1.1.3 Audit team
The audit team shall be formally appointed and provided with the appropriate working documents. The plan for
and the date of the audit shall be agreed to with the client organization. The mandate given to the audit team
shall be clearly defined and made known to the client organization, and shall require the audit team to
examine the structure, policies and procedures of the client organization, and confirm that these meet all the
requirements relevant to the scope of certification and that the procedures are implemented and are such as
to give confidence in the ISMS of the client organization.
9.1.2 IS 9.1.2 Scope of certification
The audit team shall audit the ISMS of the client organization covered by the defined scope against all
applicable certification requirements. The certification body shall ensure that the scope and boundaries of the
ISMS of the client organization are clearly defined in terms of the characteristics of the business, the
organization, its location, assets and technology. The certification body shall confirm, in the scope of their
ISMS, that client organizations address the requirements stated in Clause 1.2 of ISO/IEC 27001:2005.
Certification bodies shall ensure that the client organization’s information security risk assessment and risk
treatment properly reflects its activities and extends to the boundaries of its activities as defined in the ISMS
standard ISO/IEC 27001. Certification bodies shall confirm that this is reflected in the client organization’s
scope of their ISMS and Statement of Applicability.
Certification bodies shall ensure that interfaces with services or activities that are not completely within the
scope of the ISMS are addressed within the ISMS subject to certification and are included in the client
organization's information security risk assessment. An example of such a situation is the sharing of facilities
(e.g. IT systems, databases and telecommunication systems) with other organizations.
9.1.3 IS 9.1.3 Audit time
Certification bodies shall allow auditors sufficient time to undertake all activities relating to an initial audit,
surveillance audit or recertification audit. The time allocated shall consider the following factors:
a) the size of the ISMS scope (e.g. number of information systems used, number of employees);
8 © ISO/IEC 2011 – All rights reserved
b) complexity of the ISMS (e.g. criticality of information systems, risk situation of the ISMS), see also
Annex A;
c) the type(s) of business performed within scope of the ISMS;
d) extent and diversity of technology utilized in the implementation of the various components of the ISMS
(such as the implemented controls, documentation and/or process control, corrective/preventive action,
etc);
e) number of sites;
f) previously demonstrated performance of the ISMS;
g) extent of outsourcing and third party arrangements used within the scope of the ISMS;
h) the standards and regulations which apply to the certification.
Annex C provides guidance on audit time. The certification body shall be prepared to substantiate or justify the
amount of time used in any initial audit, surveillance audits and recertification audit.
9.1.4 IS 9.1.4 Multiple sites
9.1.4.1 Multiple site sampling decisions in the area of ISMS certification are more complex than the same
decisions are for quality management systems. Where a client organization has a number of sites meeting the
criteria from a) to c) below, certification bodies may consider using a sample-based approach to multiple-site
certification audit:
a) all sites are operating under the same ISMS, which is centrally administered and audited and subject to
central management review;
b) all sites are included within the client organization’s internal ISMS audit programme;
c) all sites are included within the client organization’s ISMS management review programme.
9.1.4.2 The certification body wishing to use a sample-based approach shall have procedures in place to
ensure the following.
a) The initial contract review identifies, to the greatest extent possible, the difference between sites such that
an adequate level of sampling is determined.
b) A representative number of sites have been sampled by the certification body, taking into account
1) the results of internal audits of head office and the sites,
2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) complexity of the ISMS,
6) complexity of the information systems at the different sites,
7) variations in working practices,
8) variations in activities undertaken,
9) potential interaction with critical information systems or information systems processing sensitive
information,
10) any differing legal requirements.
c) A representative sample is selected from all sites within the scope of the client organization’s ISMS; this
selection shall be based upon judgmental choice to reflect the factors presented in item b) above as well
as a random element.
d) Every site included in the ISMS which is subject to significant risks is audited by the certification body
prior to certification.
e) The audit programme has been designed in the light of the above requirements and covers
representative samples of the scope of the ISMS certification within the three years period.
f) In the case of a nonconformity being observed, either at the head office or at a single site, the corrective
action procedure applies to the head office and all sites covered by the certificate.
The audit described in IS 9.1.5 below shall address the client organization's head office activities to ensure
that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall
address all the issues outlined above.
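The selection rules in c) to f) and the head-office requirement above can be written down as one reproducible sampling plan. The following is an added example in Python; it is not part of ISO/IEC 27006 and not any certification body's own procedure. The `Site` attributes, the weights in `judgmental_score`, the "one judgmental plus one random pick per year" layout and the six constructed sites are assumptions made for the illustration.

```python
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Site:
    """One site in the client's ISMS scope. Attribute set and scales are assumptions."""
    name: str
    headcount: int                  # b) 3) variations in size
    business_purpose: str           # b) 4) e.g. "data-centre", "sales-office"
    systems_complexity: int         # b) 6) 1 (low) .. 5 (high)
    handles_sensitive_data: bool    # b) 9) interaction with sensitive information systems
    distinct_legal_regime: bool     # b) 10) differing legal requirements
    open_internal_findings: int     # b) 1) open findings from the client's internal audits
    significant_risk: bool = False  # d) must be audited before initial certification
    head_office: bool = False       # central ISMS management, covered in every audit


def judgmental_score(site: Site) -> int:
    """Rank a site for the 'judgmental choice' of c). Weights are an assumption."""
    score = site.systems_complexity * 2
    score += 3 if site.handles_sensitive_data else 0
    score += 2 if site.distinct_legal_regime else 0
    score += min(site.open_internal_findings, 5)
    score += 1 if site.headcount >= 200 else 0
    return score


def plan_cycle(sites, seed, judgmental_per_year=1, random_per_year=1):
    """Build {year: [site names]} for the initial audit (year 1) and two surveillance years.

    Year 1 always contains the head office and every significant-risk site (d).
    Each year then adds the highest-scoring unvisited sites, preferring business
    purposes not yet sampled in the cycle (c, e), plus a random element drawn from a
    seeded generator so the selection can be reproduced from the recorded seed.
    """
    by_name = {s.name: s for s in sites}
    rng = random.Random(seed)
    visited = set()
    plan = {}
    for year in (1, 2, 3):
        chosen = [s.name for s in sites if s.head_office]
        if year == 1:
            chosen += [s.name for s in sites if s.significant_risk and s.name not in chosen]
        # prefer sites not yet visited in this cycle; fall back to revisits once exhausted
        remaining = [s for s in sites if s.name not in chosen and s.name not in visited]
        if not remaining:
            remaining = [s for s in sites if s.name not in chosen]
        seen_purposes = {by_name[n].business_purpose for n in visited | set(chosen)}
        remaining.sort(key=lambda s: (s.business_purpose in seen_purposes,
                                      -judgmental_score(s), s.name))
        chosen += [s.name for s in remaining[:judgmental_per_year]]
        pool = [s.name for s in remaining[judgmental_per_year:]]
        chosen += sorted(rng.sample(pool, min(random_per_year, len(pool))))
        plan[year] = chosen
        visited.update(chosen)
    return plan


def check_plan(plan, sites):
    """Return the rule violations a certification body would have to justify (empty = none)."""
    issues = []
    all_visited = {n for names in plan.values() for n in names}
    for s in sites:
        if s.significant_risk and s.name not in plan[1]:
            issues.append(f"{s.name}: significant-risk site not audited before certification (d)")
        if s.head_office and any(s.name not in names for names in plan.values()):
            issues.append(f"{s.name}: head office not covered in every audit year")
    purposes = {s.business_purpose for s in sites}
    covered = {s.business_purpose for s in sites if s.name in all_visited}
    for purpose in sorted(purposes - covered):
        issues.append(f"business purpose '{purpose}' never sampled in the three-year cycle (e)")
    if any(s.distinct_legal_regime for s in sites) and not any(
            s.distinct_legal_regime and s.name in all_visited for s in sites):
        issues.append("no site under a differing legal regime was sampled (b 10)")
    return issues


# Constructed sample data for the illustration (not a real client).
SITES = [
    Site("HQ-Ljubljana", 400, "head-office", 4, True, False, 1, head_office=True),
    Site("DC-Frankfurt", 30, "data-centre", 5, True, True, 0, significant_risk=True),
    Site("Sales-Vienna", 25, "sales-office", 1, False, True, 2),
    Site("Sales-Zagreb", 15, "sales-office", 1, False, True, 0),
    Site("Dev-Maribor", 120, "development", 3, False, False, 3),
    Site("Support-Manila", 250, "support-centre", 2, True, True, 1),
]

if __name__ == "__main__":
    plan = plan_cycle(SITES, seed=27006)   # record the seed in the audit programme
    for year, names in plan.items():
        print(f"year {year}: {', '.join(names)}")
    print("violations:", check_plan(plan, SITES) or "none")
```

Recording the seed next to the plan is what lets the certification body reproduce and justify the random element later; `check_plan` lists exactly the departures from d), e) and the head-office rule that an accreditation assessor would ask about, and a plan that visits only the head office fails all three.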
9.1.5 IS 9.1.5 Audit Methodology
The certification body shall have procedures which require the client organization to be able to demonstrate
that internal ISMS audits are scheduled and that the internal audit programme and procedures are operational
and can be shown to be so.
The certification body’s procedures shall not presuppose a particular manner of implementation of an ISMS or
a particular format for documentation and records. Certification procedures shall focus on establishing that a
client organization’s ISMS meets the requirements of ISO/IEC 27001 and the policies and objectives of the
client organization.
The audit plan shall identify the network-assisted auditing techniques that will be utilized during the audit, as
appropriate.
NOTE Network-assisted auditing techniques may include, for example, teleconferencing, web meetings, interactive
web-based communications and remote electronic access to the ISMS documentation and/or ISMS processes. Such
techniques should be used to enhance audit effectiveness and efficiency, and should support the integrity of the
audit process.
9.1.6 IS 9.1.6 Certification Audit Report
9.1.6.1 The certification body's reporting procedures shall ensure that
a) a meeting takes place between the audit team and the client organization's management prior to leaving
the client organization's premises at which the audit team provides
1) a written or oral indication regarding the conformity of the client organization's ISMS with the
particular certification requirements,
2) an opportunity for the client organization to ask questions about the findings and their basis;
b) the audit team provides the certification body with an audit report of its findings as to the conformity of the
client organization's ISMS with all of the certification requirements.
9.1.6.2 The audit report shall provide the following information or a reference to it:
a) an account of the audit including a summary of the document review;
b) an account of the certification audit of the client organization's information security risk analysis;
c) total audit time used and detailed specification of time spent on document review, assessment of risk
analysis, on-site audit, and audit reporting;
d) audit enquiries which have been followed, rationale for their selection, and the methodology employed.
9.1.6.3 The audit report shall be of sufficient detail to facilitate and support the certification decision. It shall
contain
a) areas covered by the audit (e.g. the certification requirements and the sites that were audited), including
significant audit trails followed and audit methodologies utilized (see IS 9.1.5);
b) observations made, both positive (e.g. noteworthy features) and negative (e.g. potential nonconformities);
c) details of any nonconformities identified, supported by objective evidence and a reference of these
nonconformities to the requirements of ISO/IEC 27001 or other documents required for certification;
d) comments on the conformity of the client organization's ISMS with the certification requirements with a
clear statement of nonconformity, a reference to the version of the Statement of Applicability, and, where
applicable, any useful comparison with the results of previous certification audits of the client organization.
Completed questionnaires, checklists, observations, logs, or auditor notes might form an integral part of the
audit report. If these methods are used, these documents shall be submitted to the certification body as
evidence to support the certification decision. Information about the samples evaluated during the audit shall
be included in the audit report, or in other certification documentation.
The report shall consider the adequacy of the internal organization and procedures adopted by the client
organization to give confidence in the ISMS.
In addition to the requirements for reporting in ISO/IEC 17021:2011, Clause 9.1.10, the report shall cover
- the degree of reliance that can be placed on the internal ISMS audits and management reviews;
- a summary of the most important observations, positive as well as negative, regarding the implementation
and effectiveness of the ISMS;
- the audit team’s recommendation as to whether the client organization’s ISMS should be certified or not,
with information to substantiate this recommendation.
9.2 Initial audit and certification
The requirements from ISO/IEC 17021:2011, Clause 9.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
9.2.1 IS 9.2.1 Audit team competence
The following requirements apply to certification assessment, in addition to the requirements that are listed in
Clause 7.2. For surveillance activities only those requirements which are relevant to the scheduled
surveillance activity apply.
The following requirements apply to the audit team as a whole.
a) In each of the following areas at least one audit team member shall satisfy the certification body's criteria
for taking responsibility within the team:
1) managing the team,
2) management systems and process applicable to ISMS,
3) knowledge of the legislative and regulatory requirements in the particular information security field,
4) identifying information security related threats and incident trends,
5) identifying the vulnerabilities of the client organization and understanding the likelihood of their
exploitation, their impact and their mitigation and control,
6) knowledge of ISMS controls and their implementation,
7) knowledge of ISMS effectiveness review and measurement of controls,
8) related and/or relevant ISMS standards, industry best practices, security policies and procedures,
9) knowledge of incident handling methods and business continuity,
10) knowledge about tangible and intangible information assets and impact analysis,
11) knowledge of the current technology where security might be relevant or an issue,
12) knowledge of risk management processes and methods.
b) The audit team shall be competent to trace indications of security incidents in the client organization's
ISMS back to the appropriate elements of the ISMS.
c) The audit team shall have appropriate work experience and practical application of the items above (this
does not mean that an auditor needs a complete range of experience of all areas of information security,
but the audit team as a whole shall have enough appreciation and experience to cover the ISMS scope
being audited).
An audit team may consist of one person provided that the person meets all the criteria set out in a) above.
9.2.1.1 IS 9.2.1.1 Demonstration of auditor competence
Auditors shall be able to demonstrate their knowledge and experience, as outlined above, for example through
a) recognised ISMS-specific qualifications;
b) registration as auditor;
c) approved ISMS training courses;
d) up to date continuous professional development records;
e) practical demonstration through witnessing auditors going through the ISMS audit process on real client
systems.
9.2.2 IS 9.2.2 General preparations for the initial audit
The certification body shall require that a client organization makes all necessary arrangements for the
conduct of t
...
oSIST ISO/IEC 27006:2012 (Slovenian standard, 1 February 2012, languages en, fr, de)
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
This Slovenian standard is identical to ISO/IEC 27006:2011.
ICS: 35.040 Character sets and information coding; 03.120.20 Product and company certification. Conformity assessment

INTERNATIONAL STANDARD ISO/IEC 27006, Second edition, 2011-12-01
Reference number ISO/IEC 27006:2011(E)
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
© ISO/IEC 2011. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. + 41 22 749 01 11, Fax + 41 22 749 09 47, E-mail copyright@iso.org, Web www.iso.org. Published in Switzerland.
Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Principles ... 2
5 General requirements ... 2
5.1 Legal and contractual matter ... 2
5.2 Management of impartiality ... 2
5.3 Liability and financing ... 3
6 Structural requirements ... 3
6.1 Organizational structure and top management ... 3
6.2 Committee for safeguarding impartiality ... 3
7 Resource requirements ... 3
7.1 Competence of management and personnel ... 3
7.2 Personnel involved in the certification activities ... 4
7.3 Use of individual external auditors and external technical experts ... 6
7.4 Personnel records ... 6
7.5 Outsourcing ... 6
8 Information requirements ... 6
8.1 Publicly accessible information ... 6
8.2 Certification documents ... 7
8.3 Directory of certified clients ... 7
8.4 Reference to certification and use of marks ... 7
8.5 Confidentiality ... 7
8.6 Information exchange between a certification body and its clients ... 7
9 Process requirements ... 8
9.1 General requirements ... 8
9.2 Initial audit and certification ... 11
9.3 Surveillance activities ... 15
9.4 Recertification ... 16
9.5 Special audits ... 16
9.6 Suspending, withdrawing or reducing scope of certification ... 16
9.7 Appeals ... 17
9.8 Complaints ... 17
9.9 Records of applicants and clients ... 17
10 Management system requirements for certification bodies ... 17
10.1 Options ... 17
10.2 Option 1 – Management system requirements in accordance with ISO 9001 ... 17
10.3 Option 2 – General management system requirements ... 17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects ... 19
Annex B (informative) Example areas of auditor competence ... 22
Annex C (informative) Audit time ... 24
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls ... 30
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically revised.
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems.
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply.
3.1 certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement
3.2 certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards, and any supplementary documentation required under the system
3.3 certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system
3.4 mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard
3.5 organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of c) below;
c) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.1.1);
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
b) define the competencies needed in the certification body to certify in relation to the identified activities, and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing (see also Annex B).
The certification body shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS 7.1.2 Determination of Competence Criteria
Additional information on knowledge and skills is provided in Annex B to support the competence criteria of ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be shared among members of the audit team.
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and skills to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific requirements and guidance apply.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification body shall ensure that they are competent and comply with the applicable provisions of this publication and are not involved, either directly or through their employer, with the design, implementation or maintenance of an ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing certification
The certification body shall require the client organization to have a documented and implemented ISMS which conforms to ISO/IEC 27001 and other documents required for certification. The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021 on a periodic basis for continuing conformity with relevant requirements and for verifying and recording that a client organization takes corrective action on a timely basis to correct all nonconformities.
9 Process requirements
9.1 General requirements
The requirements from ISO/IEC 17021:2011, Clause 9.1 apply. In addition, the following ISMS-specific requirements and guidance apply.
9.1.1 IS 9.1.1 General ISMS audit requirements
9.1.1.1 Certification audit criteria
The criteria against which the ISMS of a client are audited shall be those outlined in the ISMS standard ISO/IEC 27001 and other documents required for certification relevant to the function performed. If an explanation is required as to the application of these documents to a specific certification programme, then such an explanation shall be given by a relevant and impartial committee or persons possessing the necessary technical competence and published by the certification body.
9.1.1.2 Policies and procedures
The documentation of the certification body shall include the policy and procedures for implementing the certification process, including checks of the use and application of documents used in certification of ISMSs and the procedures for auditing and certifying the client organization’s ISMS.
9.1.1.3 Audit team
The audit team shall be formally appointed and provided with the appropriate working documents. The plan for and the date of the audit shall be agreed to with the client organization. The mandate given to the audit team shall be clearly defined and made known to the client organization, and shall require the audit team to examine the structure, policies and procedures of the client organization, and confirm that these meet all the requirements relevant to the scope of certification and that the procedures are implemented and are such as to give confidence in the ISMS of the client organization.
The certification body shall ensure that the scope and boundaries of the ISMS of the client organization are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology. The certification body shall confirm, in the scope of their ISMS, that client organizations address the requirements stated in Clause 1.2 of ISO/IEC 27001:2005. Certification bodies shall ensure that the client organization’s information security risk assessment and risk treatment properly reflects its activities and extends to the boundaries of its activities as defined in the ISMS standard ISO/IEC 27001. Certification bodies shall confirm that this is reflected in the client organization’s scope of their ISMS and Statement of Applicability. Certification bodies shall ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the ISMS subject to certification and are included in the client organization's information security risk assessment. An example of such a situation is the sharing of facilities (e.g. IT systems, databases and telecommunication systems) with other organizations. 9.1.3 IS 9.1.3 Audit time Certification bodies shall allow auditors sufficient time to undertake all activities relating to an initial audit, surveillance audit or recertification audit. The time allocated shall consider the following on factors: a) the size of the ISMS scope (e.g. number of information systems used, number of employees); oSIST ISO/IEC 27006:2012
© ISO/IEC 2011 – All rights reserved c) A representative sample is selected from all sites within the scope of the client organization’s ISMS; this selection shall be based upon judgmental choice to reflect the factors presented in item b) above as well as a random element. d) Every site included in the ISMS which is subject to significant risks is audited by the certification body prior to certification. e) The audit programme has been designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within the three years period. f) In the case of a nonconformity being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate. The audit described in IS 9.1.5 below shall address the client organization's head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above. 9.1.5 IS 9.1.5 Audit Methodology The certification body shall have procedures, which require the client organization to be able to demonstrate that the internal ISMS audits are scheduled, and the programme and procedures are operational and can be shown to be operational. The certification body’s procedures shall not presuppose a particular manner of implementation of an ISMS or a particular format for documentation and records. Certification procedures shall focus on establishing that a client organization’s ISMS meets the requirements of ISO/IEC 27001 and the policies and objectives of the client organization. The audit plan shall identify the network-assisted auditing techniques that will be utilized during the audit, as appropriate. 
NOTE Network-assisted auditing techniques may include, for example, teleconferencing, web meetings, interactive web-based communications and remote electronic access to the ISMS documentation and/or ISMS processes. The focus of such techniques should be to enhance audit effectiveness and efficiency, and should support the integrity of the audit process.
9.1.6 IS 9.1.6 Certification audit report
9.1.6.1 The certification body's reporting procedures shall ensure that
a) a meeting takes place between the audit team and the client organization's management prior to leaving the client organization's premises, at which the audit team provides
1) a written or oral indication regarding the conformity of the client organization's ISMS with the particular certification requirements,
2) an opportunity for the client organization to ask questions about the findings and their basis;
b) the audit team provides the certification body with an audit report of its findings as to the conformity of the client organization's ISMS with all of the certification requirements.
9.1.6.2 The audit report shall provide the following information or a reference to it:
a) an account of the audit including a summary of the document review;
b) an account of the certification audit of the client organization's information security risk analysis;
c) total audit time used and detailed specification of time spent on document review, assessment of risk analysis, on-site audit, and audit reporting;
d) audit enquiries which have been followed, rationale for their selection, and the methodology employed.
oSIST ISO/IEC 27006:2012
5) identifying the vulnerabilities of the client organization and understanding the likelihood of their exploitation, their impact and their mitigation and control,
6) knowledge of ISMS controls and their implementation,
7) knowledge of ISMS effectiveness review and measurement of controls,
8) related and/or relevant ISMS standards, industry best practices, security policies and procedures,
9) knowledge of incident handling methods and business continuity,
10) knowledge about tangible and intangible information assets and impact analysis,
11) knowledge of the current technology where security might be relevant or an issue,
12) knowledge of risk management processes and methods.
b) The audit team shall be competent to trace indications of security incidents in the client organization's ISMS back to the appropriate elements of the ISMS.
c) The audit team shall have appropriate work experience and practical application of the items above (this does not mean that an auditor needs a complete range of experience of all areas of information security, but the audit team as a whole shall have enough appreciation and experience to cover the ISMS scope being audited).
An audit team may consist of one person provided that the person meets all the criteria set out in a) above.
9.2.1.1 IS 9.2.1.1 Demonstration of auditor competence
Auditors shall be able to demonstrate their knowledge and experience, as outlined above, for example through
a) recognised ISMS-specific qualifications;
b) registration as an auditor;
c) approved ISMS training courses;
d) up-to-date continuous professional development records;
e) practical demonstration through witnessing auditors going through the ISMS audit process on real client systems.
9.2.2 IS 9.2.2 General preparations for the initial audit
The certification body shall require that a client organization makes all necessary arrangements for the conduct of the certification audit, including provision for examining documentation
...
SLOVENIAN STANDARD
01-november-2012
Replaces:
SIST ISO/IEC 27006:2011
Information technology - Security techniques - Requirements for bodies providing audit
and certification of information security management systems
Information technology -- Security techniques -- Requirements for bodies providing audit
and certification of information security management systems
Technologies de l'information -- Techniques de sécurité -- Exigences pour les
organismes procédant à l'audit et à la certification des systèmes de management de la
sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27006:2011
ICS:
03.120.20 Product and company certification. Conformity assessment
35.040 Character sets and information coding
© 2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
INTERNATIONAL ISO/IEC
STANDARD 27006
Second edition
2011-12-01
Information technology — Security
techniques — Requirements for bodies
providing audit and certification of
information security management
systems
Technologies de l'information — Techniques de sécurité — Exigences
pour les organismes procédant à l'audit et à la certification des
systèmes de management de la sécurité de l'information
Reference number
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents                                                                 Page
Foreword .......... iv
Introduction .......... v
1 Scope .......... 1
2 Normative references .......... 1
3 Terms and definitions .......... 1
4 Principles .......... 2
5 General requirements .......... 2
5.1 Legal and contractual matter .......... 2
5.2 Management of impartiality .......... 2
5.3 Liability and financing .......... 3
6 Structural requirements .......... 3
6.1 Organizational structure and top management .......... 3
6.2 Committee for safeguarding impartiality .......... 3
7 Resource requirements .......... 3
7.1 Competence of management and personnel .......... 3
7.2 Personnel involved in the certification activities .......... 4
7.3 Use of individual external auditors and external technical experts .......... 6
7.4 Personnel records .......... 6
7.5 Outsourcing .......... 6
8 Information requirements .......... 6
8.1 Publicly accessible information .......... 6
8.2 Certification documents .......... 7
8.3 Directory of certified clients .......... 7
8.4 Reference to certification and use of marks .......... 7
8.5 Confidentiality .......... 7
8.6 Information exchange between a certification body and its clients .......... 7
9 Process requirements .......... 8
9.1 General requirements .......... 8
9.2 Initial audit and certification .......... 11
9.3 Surveillance activities .......... 15
9.4 Recertification .......... 16
9.5 Special audits .......... 16
9.6 Suspending, withdrawing or reducing scope of certification .......... 16
9.7 Appeals .......... 17
9.8 Complaints .......... 17
9.9 Records of applicants and clients .......... 17
10 Management system requirements for certification bodies .......... 17
10.1 Options .......... 17
10.2 Option 1 – Management system requirements in accordance with ISO 9001 .......... 17
10.3 Option 2 – General management system requirements .......... 17
Annex A (informative) Analysis of a client organization's complexity and sector-specific aspects .......... 19
Annex B (informative) Example areas of auditor competence .......... 22
Annex C (informative) Audit time .......... 24
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls .......... 30
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically
revised.
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing
and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005,
some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this
International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their
application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.
INTERNATIONAL STANDARD ISO/IEC 27006:2011(E)
Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other
audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system
3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to
information security management, related management systems or auditing, certification bodies shall
confine themselves to the provision of generic information and advice which is freely available in the
public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of
c) below;
c) making available or publishing on request information describing the certification body’s interpretation of
the requirements of the certification audit standards (see 9.1.1.1);
d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such
activities shall not result in the provision of recommendations or advice that would contravene this clause
and the certification body shall be able to confirm that such activities do not contravene these
requirements and that they are not used to justify a reduction in the eventual certification audit duration;
e) performing second and third party audits according to standards or regulations other than those being
part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g., by identifying opportunities for
improvement, as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide
the internal ISMS audit of the client organization’s ISMS subject to certification.
5.3 Liability and financing
The requirements from ISO/IEC 17021:2011, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2011, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2011, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.1.1 IS 7.1.1 General considerations
The essential elements of competence required to perform ISMS certification are to select, provide and
manage those individuals whose skills and collective competence are appropriate to the activities to be audited
and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant
to the ISMS of the client organization, which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information
security management which it needs to have available, with respect to all the technical areas in which it
operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence
analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector
prior to undertaking the contract review. The certification body shall then review the contract with the client
organization, based on the results of this competence analysis. In particular, the certification body shall be
able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities,
and information security related threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to
determine whether or not individual auditors are competent for the tasks they are required to perform within
the scope of certification in which they are operating. The competence of auditors may be established by
verified background experience and specific training or briefing (see also Annex B). The certification body
shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS 7.1.2 Determination of Competence Criteria
Additional information on knowledge and skills is provided in Annex B to support the competence criteria of
ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending, or reducing of certifications;
d) set up and operate an appeals and complaints process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensures
a) knowledge of the ISMS standard and other relevant normative documents;
b) understanding of information security;
c) understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMSs;
f) knowledge of management systems;
g) understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS effectiveness review and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be
shared among members of the audit team.
7.2.1.1.1 When selecting the audit team to be appointed for a specific certification audit the certification
body shall ensure that the skills brought to each assignment are appropriate. The team shall
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which
certification is sought and, where relevant, with associated procedures and their potential information
security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit
of its ISMS in managing the information security aspects of its activities, products and services;
c) have appropriate understanding of the regulatory requirements applicable to the client organization’s
ISMS.
7.2.1.1.2 When required, the audit team may be complemented by technical experts who can demonstrate
specific competence in a field of technology appropriate to the audit. Note should be taken that technical
experts cannot be used in place of ISMS auditors but could advise auditors on matters of technical adequacy
in the context of the management system being subjected to audit. The certification body shall have a
procedure for
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and
experience;
b) initially assessing the conduct of auditors and technical experts during certification audits and
subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision taking process
The management function shall have the technical competence and ability in place to manage the process of
decision-making regarding the granting, maintaining, extending, reducing, suspending and withdrawing of
ISMS certification to the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for
auditors conducting ISMS audits
7.2.1.3.1 The following criteria shall be applied for each auditor in the ISMS audit team. The auditor shall
a) have an education at secondary level;
b) have at least four years full time practical workplace experience in information technology, of which at
least two years are in a role or function relating to information security;
c) have successfully completed five days of training, the scope of which covers ISMS audits and audit
management shall be considered appropriate;
d) have gained experience in the entire process of assessing information security prior to assuming
responsibility for performing as an auditor. This experience should have been gained by participation in a
minimum of four certification audits for a total of at least 20 days, including review of documentation and
risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in
larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual
professional development.
Technical experts shall comply with criteria a), b), e) and f).
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following
requirements, which shall be demonstrated in audits under guidance and supervision:
a) have knowledge and skills to manage the certification audit process;
b) have been an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific
requirements and guidance apply.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When using individual external auditors or external technical experts as part of the audit team, the certification
body shall ensure that they are competent and comply with the applicable provisions of this publication and
are not involved, either directly or through its employer with the design, implementation or maintenance of an
ISMS or related management system(s) in such a way that impartiality could be compromised.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and information security issues and
legislation affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the
audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Information requirements
8.1 Publicly accessible information
The requirements from ISO/IEC 17021:2011, Clause 8.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.1.1 IS 8.1 Procedures for granting, maintaining, extending, reducing, suspending and withdrawing
certification
The certification body shall require the client organization to have a documented and implemented ISMS
which conforms to ISO/IEC 27001 and other documents required for certification.
The certification body shall have documented procedures for
a) the initial certification audit of a client organization's ISMS, in accordance with the provisions of
ISO/IEC 17021 and other relevant documents;
b) surveillance and recertification audits of a client organization's ISMS in accordance with ISO/IEC 17021
on a periodic basis for continuing conformity with relevant requirements and for verifying and recording
that a client organization takes corrective action on a timely basis to correct all nonconformities.
8.2 Certification documents
The requirements from ISO/IEC 17021:2011, Clause 8.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.2.1 IS 8.2 ISMS Certification documents
The certification body shall provide to each of its client organizations whose ISMS is certified, certification
documents such as a letter or a certificate signed by an officer who has been assigned such responsibility. For
the client organization and each of its information systems covered by the certification, these documents shall
identify the scope of the certification granted and the ISMS standard ISO/IEC 27001 to which the ISMS is
certified. In addition, the certificate shall include a reference to the specific version of the Statement of
Applicability.
NOTE A change to the Statement of Applicability which does not change the coverage of the controls of the scope of
certification need not require an update of the certificate.
8.3 Directory of certified clients
The requirements from ISO/IEC 17021:2011, Clause 8.3 apply.
8.4 Reference to certification and use of marks
The requirements from ISO/IEC 17021:2011, Clause 8.4 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.4.1 IS 8.4 Control of certification marks
The certification body shall exercise proper control over ownership, use and display of its ISMS certification
marks. If the certification body confers the right to use a mark to indicate certification of an ISMS, the
certification body shall ensure that the client organization uses the specified mark only as authorised in writing
by the certification body. The certification body shall not entitle the client organization to use this mark on a
product, or in a way that may be interpreted as denoting product conformity.
8.5 Confidentiality
The requirements from ISO/IEC 17021:2011, Clause 8.5 apply. In addition, the following ISMS-specific
requirements and guidance apply.
8.5.1 IS 8.5 Access to organizational records
Before the certification audit, the certification body shall ask the client organization to report if any ISMS
records cannot be made available for review by the audit team because they contain confidential or sensitive
information. The certification body shall determine whether the ISMS can be adequately audited in the
absence of these records. If the certification body concludes that it is not possible to adequately audit the
ISMS without reviewing the identified confidential or sensitive records, it shall advise the client organization
that the certification audit cannot take place until appropriate access arrangements are granted.
8.6 Information exchange between a certification body and its clients
The requirements from ISO/IEC 17021:2011, Clause 8.6 apply.
9 Process requirements
9.1 General requirements
The requirements from ISO/IEC 17021:2011, Clause 9.1 apply. In addition, the following ISMS-specific
requirements and guidance apply.
9.1.1 IS 9.1.1 General ISMS audit requirements
9.1.1.1 Certification audit criteria
The criteria against which the ISMS of a client are audited shall be those outlined in the ISMS standard
ISO/IEC 27001 and other documents required for certification relevant to the function performed. If an
explanation is required as to the application of these documents to a specific certification programme, then
such an explanation shall be given by a relevant and impartial committee or persons possessing the
necessary technical competence and published by the certification body.
9.1.1.2 Policies and procedures
The documentation of the certification body shall include the policy and procedures for implementing the
certification process, including checks of the use and application of documents used in certification of ISMSs
and the procedures for auditing and certifying the client organization’s ISMS.
9.1.1.3 Audit team
The audit team shall be formally appointed and provided with the appropriate working documents. The plan for
and the date of the audit shall be agreed to with the client organization. The mandate given to the audit team
shall be clearly defined and made known to the client organization, and shall require the audit team to
examine the structure, policies and procedures of the client organization, and confirm that these meet all the
requirements relevant to the scope of certification and that the procedures are implemented and are such as
to give confidence in the ISMS of the client organization.
9.1.2 IS 9.1.2 Scope of certification
The audit team shall audit the ISMS of the client organization covered by the defined scope against all
applicable certification requirements. The certification body shall ensure that the scope and boundaries of the
ISMS of the client organization are clearly defined in terms of the characteristics of the business, the
organization, its location, assets and technology. The certification body shall confirm, in the scope of their
ISMS, that client organizations address the requirements stated in Clause 1.2 of ISO/IEC 27001:2005.
Certification bodies shall ensure that the client organization’s information security risk assessment and risk
treatment properly reflects its activities and extends to the boundaries of its activities as defined in the ISMS
standard ISO/IEC 27001. Certification bodies shall confirm that this is reflected in the client organization’s
scope of their ISMS and Statement of Applicability.
Certification bodies shall ensure that interfaces with services or activities that are not completely within the
scope of the ISMS are addressed within the ISMS subject to certification and are included in the client
organization's information security risk assessment. An example of such a situation is the sharing of facilities
(e.g. IT systems, databases and telecommunication systems) with other organizations.
9.1.3 IS 9.1.3 Audit time
Certification bodies shall allow auditors sufficient time to undertake all activities relating to an initial audit,
surveillance audit or recertification audit. The time allocated shall consider the following factors:
a) the size of the ISMS scope (e.g. number of information systems used, number of employees);
8 © ISO/IEC 2011 – All rights reserved
b) complexity of the ISMS (e.g. criticality of information systems, risk situation of the ISMS), see also
Annex A;
c) the type(s) of business performed within scope of the ISMS;
d) extent and diversity of technology utilized in the implementation of the various components of the ISMS
(such as the implemented controls, documentation and/or process control, corrective/preventive action,
etc);
e) number of sites;
f) previously demonstrated performance of the ISMS;
g) extent of outsourcing and third party arrangements used within the scope of the ISMS;
h) the standards and regulations which apply to the certification.
Annex C provides guidance on audit time. The certification body shall be prepared to substantiate or justify the
amount of time used in any initial audit, surveillance audits and recertification audit.
9.1.4 IS 9.1.4 Multiple sites
9.1.4.1 Multiple site sampling decisions in the area of ISMS certification are more complex than the same
decisions are for quality management systems. Where a client organization has a number of sites meeting the
criteria from a) to c) below, certification bodies may consider using a sample-based approach to multiple-site
certification audit:
a) all sites are operating under the same ISMS, which is centrally administered and audited and subject to
central management review;
b) all sites are included within the client organization’s internal ISMS audit programme;
c) all sites are included within the client organization's ISMS management review programme.
9.1.4.2 The certification body wishing to use a sample-based approach shall have procedures in place to
ensure the following.
a) The initial contract review identifies, to the greatest extent possible, the difference between sites such that
an adequate level of sampling is determined.
b) A representative number of sites have been sampled by the certification body, taking into account
1) the results of internal audits of head office and the sites,
2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) complexity of the ISMS,
6) complexity of the information systems at the different sites,
7) variations in working practices,
8) variations in activities undertaken,
9) potential interaction with critical information systems or information systems processing sensitive
information,
10) any differing legal requirements.
c) A representative sample is selected from all sites within the scope of the client organization’s ISMS; this
selection shall be based upon judgmental choice to reflect the factors presented in item b) above as well
as a random element.
d) Every site included in the ISMS which is subject to significant risks is audited by the certification body
prior to certification.
e) The audit programme has been designed in the light of the above requirements and covers
representative samples of the scope of the ISMS certification within the three-year period.
f) In the case of a nonconformity being observed, either at the head office or at a single site, the corrective
action procedure applies to the head office and all sites covered by the certificate.
The audit described in IS 9.1.5 below shall address the client organization's head office activities to ensure
that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall
address all the issues outlined above.
9.1.5 IS 9.1.5 Audit Methodology
The certification body shall have procedures, which require the client organization to be able to demonstrate
that the internal ISMS audits are scheduled, and the programme and procedures are operational and can be
shown to be operational.
The certification body’s procedures shall not presuppose a particular manner of implementation of an ISMS or
a particular format for documentation and records. Certification procedures shall focus on establishing that a
client organization’s ISMS meets the requirements of ISO/IEC 27001 and the policies and objectives of the
client organization.
The audit plan shall identify the network-assisted auditing techniques that will be utilized during the audit, as
appropriate.
NOTE Network assisted auditing techniques may include, for example, teleconferencing, web meeting, interactive
web-based communications and remote electronic access to the ISMS documentation and/or ISMS processes. The focus
of such techniques should be to enhance audit effectiveness and efficiency, and should support the integrity of the audit
process.
9.1.6 IS 9.1.6 Certification Audit Report
9.1.6.1 The certification body's reporting procedures shall ensure that
a) a meeting takes place between the audit team and the client organization's management prior to leaving
the client organization's premises at which the audit team provides
1) a written or oral indication regarding the conformity of the client organization's ISMS with the
particular certification requirements,
2) an opportunity for the client organization to ask questions about the findings and their basis;
b) the audit team provides the certification body with an audit report of its findings as to the conformity of the
client organization's ISMS with all of the certification requirements.
9.1.6.2 The audit report shall provide the following information or a reference to it:
a) an account of the audit including a summary of the document review;
b) an account of the certification audit of the client organization's information security risk analysis;
c) total audit time used and detailed specification of time spent on document review, assessment of risk
analysis, on-site audit, and audit reporting;
d) audit enquiries which have been followed, rationale for their selection, and the methodology employed.
9.1.6.3 The audit report shall be of sufficient detail to facilitate and support the certification decision. It shall
contain
a) areas covered by the audit (e.g. the certification requirements and the sites that were audited), including
significant audit trails followed and audit methodologies utilized (see IS 9.1.5);
b) observations made, both positive (e.g. noteworthy features) and negative (e.g. potential nonconformities);
c) details of any nonconformities identified, supported by objective evidence and a reference of these
nonconformities to the requirements of ISO/IEC 27001 or other documents required for certification;
d) comments on the conformity of the client organization's ISMS with the certification requirements with a
clear statement of nonconformity, a reference to the version of the Statement of Applicability, and, where
applicable, any useful comparison with the results of previous certification audits of the client organization.
Completed questionnaires, checklists, observations, logs, or auditor notes might form an integral part of the
audit report. If these methods are used, these documents shall be submitted to the certification body as
evidence to support the certification decision. Information about the samples evaluated during the audit shall
be included in the audit report, or in other certification documentation.
The report shall consider the adequacy of the internal organization and procedures adopted by the client
organization to give confidence in the ISMS.
In addition to the requirements for reporting in ISO/IEC 17021:2011, Clause 9.1.10, the report shall cover:
- the degree of reliance that can be placed on the internal ISMS audits and management reviews;
- a summary of the most important observations, positive as well as negative, regarding the implementation and effectiveness of the ISMS;
- the audit team's recommendation as to whether the client organization's ISMS should be certified or not, with information to substantiate this recommendation.
9.2 Initial audit and certification
The requirements from ISO/IEC 17021:2011, Clause 9.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
9.2.1 IS 9.2.1 Audit team competence
The following requirements apply to certification assessment, in addition to the requirements that are listed in
Clause 7.2. For surveillance activities only those requirements which are relevant to the scheduled
surveillance activity apply.
The following requirements apply to the audit team as a whole.
a) In each of the following areas at least one audit team member shall satisfy the certification body's criteria
for taking responsibility within the team:
1) managing the team,
2) management systems and process applicable to ISMS,
3) knowledge of the legislative and regulatory requirements in the particular information security field,
4) identifying information security related threats and incident trends,
5) identifying the vulnerabilities of the client organization and understanding the likelihood of their
exploitation, their impact and their mitigation and control,
6) knowledge of ISMS controls and their implementation,
7) knowledge of ISMS e
...
SLOVENIAN STANDARD SIST ISO/IEC 27006
November 2012
Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
Technologies de l'information – Techniques de sécurité – Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
Reference designation
ICS 03.120.20; 35.040 SIST ISO/IEC 27006:2012 (sl)
Continued on pages 2 to 40
© 2015-07. Slovenian Institute for Standardization. Reproduction or copying of this standard, in whole or in part, is not permitted.
SIST ISO/IEC 27006 : 2012
NATIONAL FOREWORD
The standard SIST ISO/IEC 27006 (sl), Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems, 2012, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27006 (en), Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems, 2011-12.
The international standard ISO/IEC 27006:2011 was prepared by Subcommittee SC 27, IT Security techniques, of Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27006:2012 is a translation of the international standard ISO/IEC 27006:2011. In the event of a dispute over the wording of the Slovenian translation, the original international standard in English prevails. The Slovenian standard SIST ISO/IEC 27006:2012 was prepared by technical committee SIST/TC ITC Information technology.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 26 September 2012.
RELATIONSHIP TO NATIONAL STANDARDS
With the adoption of this standard, all standards referenced in the original apply for the limited purpose of reference standards, except those already adopted into national standardization:
SIST ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems (ISO/IEC 17021:2011)
SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
SIST ISO 19011 Guidelines for auditing management systems (ISO 19011:2011)
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27006:2011
NOTES
– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27006:2012 this means "Slovenian standard".
– The national introduction and national foreword are not an integral part of the standard.
CONTENTS Page
Foreword . 5
Introduction . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Principles . 8
5 General requirements . 8
5.1 Legal and contractual matters . 8
5.2 Management of impartiality . 8
5.3 Liability and financing . 8
6 Structural requirements . 9
6.1 Organizational structure and top management . 9
6.2 Committee for safeguarding impartiality . 9
7 Resource requirements . 9
7.1 Competence of management and personnel . 9
7.2 Personnel involved in the certification activities . 10
7.3 Use of individual external auditors and external technical experts . 11
7.4 Personnel records . 12
7.5 Outsourcing . 12
8 Information requirements . 12
8.1 Publicly accessible information . 12
8.2 Certification documents . 12
8.3 Directory of certified clients . 12
8.4 Reference to certification and use of marks . 12
8.5 Confidentiality . 13
8.6 Information exchange between a certification body and its clients . 13
9 Process requirements . 13
9.1 General requirements . 13
9.2 Initial audit and certification . 16
9.3 Surveillance activities . 20
9.4 Recertification . 21
9.5 Special audits . 21
9.6 Suspending, withdrawing or reducing the scope of certification . 21
9.7 Appeals . 21
9.8 Complaints . 21
9.9 Records of applicants and clients . 22
10 Management system requirements for certification bodies . 22
10.1 Options . 22
10.2 Option 1 – Management system requirements in accordance with ISO 9001 . 22
10.3 Option 2 – General management system requirements . 22
Annex A (informative): Analysis of a client organization's complexity and sector-specific aspects . 23
Annex B (informative): Example areas of auditor competence . 26
Annex C (informative): Audit time . 28
Annex D (informative): Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls . 33
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically revised.
Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the letters "IS".
Throughout this International Standard, the modal verb "shall" is used to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The modal verb "should" is used to indicate recommendation.
One objective of this International Standard is to enable accreditation bodies to harmonize more effectively their application of the standards against which they are bound to assess certification bodies.
NOTE: In this International Standard, the terms "management system" and "system" are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems.
Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE: This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards and any supplementary documentation required under the system
3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by those bodies has been demonstrated and that relevant products or individuals conform to the requirements of a specified standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or a combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matters
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or as having a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not internal ISMS auditing or internal security reviews) and follow-up of nonconformities;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they shall not provide company-specific advice which contravenes the requirements of c) below;
c) making available or publishing on request information describing the certification body's interpretation of the requirements of the certification audit standards (see 9.1.1.1);
d) pre-audit activities solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause, and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
e) performing second- and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
f) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement as they become evident during the audit, without recommending specific solutions.
The certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit of the client organization subject to certification.
5.3 Liability and financing
The requirements from ISO/IEC 17021:2011, Clause 5.3 apply.
6 Structural requirements
6.1 Organizational structure and top management
The requirements from ISO/IEC 17021:2011, Clause 6.1 apply.
6.2 Committee for safeguarding impartiality
The requirements from ISO/IEC 17021:2011, Clause 6.2 apply.
7 Resource requirements
7.1 Competence of management and personnel
The requirements from ISO/IEC 17021:2011, Clause 7.1 apply. In addition, the following ISMS-specific requirements and guidance apply.
7.1.1 IS 7.1.1 General
The essential elements of competence required to perform ISMS certification are the selection, provision and management of those individuals whose skills and collective competence are appropriate to the activities to be audited and the related information security issues.
7.1.1.1 Competence analysis and contract review
The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the ISMS of the client organization which it assesses.
The certification body shall have an effective system for the analysis of the competencies in information security management which it needs to have available, with respect to all the technical areas in which it operates.
For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization on the basis of the results of this competence analysis. In particular, the certification body shall be able to demonstrate that it has the competence to complete the following activities:
a) understand the areas of activity of the client organization and the associated business risks;
b) define the competencies needed in the certification body to certify in relation to the identified activities and the information security threats to assets, vulnerabilities and impacts on the client organization;
c) confirm the availability of the required competencies.
7.1.1.2 Resources
The management of the certification body shall have the necessary processes and resources to enable it to determine whether or not individual auditors are competent for the tasks they are required to perform within the scope of certification in which they are operating. The competence of auditors may be established by verified background experience and specific training or briefing (see also Annex B). The certification body shall be able to communicate effectively with all those clients it provides services to.
7.1.2 IS Determination of competence criteria
Annex B provides additional information on the knowledge and skills supporting the competence criteria of ISO/IEC 17021.
7.2 Personnel involved in the certification activities
The requirements from ISO/IEC 17021:2011, Clause 7.2 apply. In addition, the following ISMS-specific requirements and guidance apply.
7.2.1 IS 7.2 Competence of certification body personnel
Certification bodies shall have personnel competent to:
a) select and verify the competence of ISMS auditors for audit teams appropriate for the audit;
b) brief ISMS auditors and arrange any necessary training;
c) decide on the granting, maintaining, withdrawing, suspending, extending or reducing of certifications;
d) set up and operate a complaints and appeals process.
7.2.1.1 Training of audit teams
The certification body shall have criteria for the training of audit teams that ensure:
a) knowledge of the ISMS standard and other relevant normative documents;
b) an understanding of information security;
c) an understanding of risk assessment and risk management from the business perspective;
d) technical knowledge of the activity to be audited;
e) general knowledge of regulatory requirements relevant to ISMS;
f) knowledge of management systems;
g) an understanding of the principles of auditing based on ISO 19011;
h) knowledge of ISMS review effectiveness and measurement of control effectiveness.
These training requirements apply to all members of the audit team, with the exception of d), which can be shared among members of the audit team.
7.2.1.1.1 In selecting the audit team to be appointed for a specific certification audit, the certification body shall ensure that the skills brought to each assignment are appropriate. The team shall:
a) have appropriate technical knowledge of the specific activities within the scope of the ISMS for which certification is sought and, where relevant, of the associated procedures and their potential information security risks (technical experts who are not auditors may fulfil this function);
b) have a sufficient degree of understanding of the client organization to conduct a reliable certification audit of its ISMS in managing the information security aspects of its activities, products and services;
c) have an appropriate understanding of the regulatory requirements applicable to the client organization's ISMS.
7.2.1.1.2 Where necessary, the audit team may be supplemented by technical experts who can demonstrate specific competence in a field of technology appropriate to the audit. Note that technical experts cannot be used in place of ISMS auditors, but may advise auditors on matters of technical adequacy in the context of the management system being audited.
The certification body shall have a procedure for:
a) selecting auditors and technical experts on the basis of their competence, training, qualifications and experience;
b) initially assessing the conduct of auditors and technical experts during certification audits, and subsequently monitoring the performance of auditors and technical experts.
7.2.1.2 Management of the decision-taking process
The management function shall be technically competent and able to manage the process of decision-taking regarding the granting, maintaining, extending, reducing, suspending and withdrawing of ISMS certification on the basis of the requirements of ISO/IEC 27001.
7.2.1.3 Pre-requisite levels of education, work experience, auditor training and audit experience for auditors conducting ISMS audits
7.2.1.3.1 Each auditor in the ISMS audit team shall meet the following criteria. The auditor shall:
a) have an education at secondary level;
b) have at least four years' full-time practical workplace experience in information technology, of which at least two years are in a role or function relating to information security;
c) have successfully completed five days of training whose scope covers ISMS audits and which the audit management considers satisfactory;
d) have gained experience in the entire process of assessing information security prior to assuming responsibility for performing as an auditor. This experience should have been gained by participation in a minimum of four certification audits for a total of at least 20 days, including documentation review and risk analysis, implementation assessment and audit reporting;
e) have experience which is reasonably current;
f) be able to put complex operations in a broad perspective and to understand the role of individual units in larger client organizations;
g) keep their knowledge and skills in information security and auditing up to date through continual professional development.
Technical experts shall comply with criteria a), b), e) and f).
7.2.1.3.2 In addition to the requirements in 7.2.1.3.1, audit team leaders shall fulfil the following requirements, which shall be demonstrated in audits under guidance and supervision:
a) have the knowledge and attributes to manage the certification audit process;
b) have acted as an auditor in at least three complete ISMS audits;
c) have demonstrated the capability to communicate effectively, both orally and in writing.
7.3 Use of individual external auditors and external technical experts
The requirements from ISO/IEC 17021:2011, Clause 7.3 apply. In addition, the following ISMS-specific requirements and guidance apply.
7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team
When individual external auditors or external technical experts are used as part of the audit team, the certification body shall ensure that they are competent and comply with the applicable provisions of this publication, and that they are not involved, either directly or through their employer, in the design, implementation or maintenance of the ISMS or related management system(s) in a way that could compromise impartiality.
7.3.1.1 Use of technical experts
Technical experts with specific knowledge regarding the process and the information security and legislative issues affecting the client organization, but who do not satisfy all of the criteria in 7.2, may be part of the audit team. Technical experts shall work under the supervision of an auditor.
7.4 Personnel records
The requirements from ISO/IEC 17021:2011, Clause 7.4 apply.
7.5 Outsourcing
The requirements from ISO/IEC 17021:2011, Clause 7.5 apply.
8 Zahteve glede informacij
8.1 Javno dostopne informacije
Veljajo zahteve iz ISO/IEC 17021:2011, točka 8,1. Poleg tega veljajo naslednje zahteve in navodila,
specifični za SUIV.
8.1.1 IV 8.1 Postopki za podelitev, vzdrževanje, razširitev ali krčenje obsega, začasni
odvzem ali preklic certifikacije
Certifikacijski organ mora zahtevati od organizacije stranke, da ima dokumentiran in izveden SUIV, ki
je skladen z ISO/IEC 27001 in drugimi dokumenti, zahtevanimi za certifikacijo.
Certifikacijski organ mora imeti dokumentirane postopke za:
a) začetno certifikacijsko presojo SUIV organizacije stranke v skladu z določili ISO/IEC 17021 in
drugimi ustreznimi dokumenti,
b) redne in obnovitvene certifikacijske presoje SUIV organizacije stranke v skladu z ISO/IEC 17021
v rednih časovnih presledkih za nadaljnjo skladnost z ustreznimi zahtevami ter za preverjanje in
poročanje, da organizacija stranke izvaja popravne ukrepe pravočasno za popravilo vseh
neskladnosti.
8.2 Certification documents
The requirements of ISO/IEC 17021:2011, clause 8.2, apply. In addition, the following ISMS-specific requirements and guidance apply.
8.2.1 IS 8.2 ISMS certification documents
The certification body shall provide to each of its clients whose ISMS is certified certification documents, such as a letter or a certificate, signed by an officer who has been assigned such responsibility. For the client organization and for each of its information systems covered by the certification, these documents shall identify the scope of the certification granted and the ISMS standard, ISO/IEC 27001, to which the ISMS is certified. In addition, the certification shall reference the specific version of the Statement of Applicability.
8.3 Directory of certified clients
The requirements of ISO/IEC 17021:2011, clause 8.3, apply.
8.4 Reference to certification and use of marks
The requirements of ISO/IEC 17021:2011, clause 8.4, apply. In addition, the following ISMS-specific requirements and guidance apply.
8.4.1 IS 8.4 Control of certification marks
The certification body shall exercise proper control over the ownership, use and display of its ISMS certification marks. If the certification body confers the right to use a mark to indicate ISMS certification, it shall ensure that the client organization uses the specified mark only as authorized in writing by the certification body. The certification body shall not grant the client organization the right to use the mark on a product, or in a way that could be interpreted as denoting product conformity.
8.5 Confidentiality
The requirements of ISO/IEC 17021:2011, clause 8.5, apply. In addition, the following ISMS-specific requirements and guidance apply.
8.5.1 IS 8.5 Access to organizational records
Before the certification audit, the certification body shall ask the client organization to report whether any of its ISMS records cannot be made available for review by the audit team because they contain confidential or sensitive information. The certification body shall determine whether the ISMS can be adequately audited in the absence of these records. If the certification body concludes that the ISMS cannot be adequately audited without reviewing the identified confidential or sensitive records, it shall advise the client organization that the certification audit cannot take place until appropriate access arrangements are granted.
8.6 Information exchange between a certification body and its clients
The requirements of ISO/IEC 17021:2011, clause 8.6, apply.
9 Process requirements
9.1 General requirements
The requirements of ISO/IEC 17021:2011, clause 9.1, apply. In addition, the following ISMS-specific requirements and guidance apply.
9.1.1 IS 9.1.1 General requirements for ISMS audits
9.1.1.1 Certification audit criteria
The criteria against which a client's ISMS is audited shall be those described in the ISMS standard ISO/IEC 27001 and in the other documents required for certification that are relevant to the function performed. If an explanation is needed regarding the application of these documents to a specific certification programme, that explanation shall be given by a relevant and impartial committee, or by persons with the necessary technical competence, whose names have been published by the certification body.
9.1.1.2 Policies and procedures
The certification body's documentation shall include the policy and procedures for carrying out the certification process, including checks on their application and on the use of documents in ISMS certification, and the procedures for auditing and certifying the client organization's ISMS.
9.1.1.3 Audit team
The audit team shall be formally appointed and provided with the appropriate working documents. The plan and date of the audit shall be agreed with the client organization. The mandate given to the audit team shall be clearly defined and made known to the client organization, and shall require the audit team to examine the structure, policies and procedures of the client organization and to confirm that these meet all the requirements relevant to the scope of certification, and that the procedures are implemented and are such as to give confidence in the client organization's ISMS.
9.1.2 IS 9.1.2 Scope of certification
The audit team shall audit the client organization's ISMS covered by the defined scope against all applicable certification requirements. The certification body shall ensure that the scope and boundaries of the client organization's ISMS are clearly defined in terms of the characteristics of the business, the organization, its location, assets and technology. The certification body shall confirm that client organizations have addressed, within the scope of their ISMS, the requirements set out in clause 1.2 of ISO/IEC 27001:2005.
Certification bodies shall ensure that the client organization's information security risk assessment and risk treatment properly reflect its activities and extend to the boundaries of its activities, as defined in the ISMS standard ISO/IEC 27001. Certification bodies shall confirm that this is reflected in the client organization's ISMS scope and Statement of Applicability.
Certification bodies shall ensure that interfaces with services or activities that are not completely within the scope of the ISMS are addressed within the scope of ISMS certification and are included in the client organization's information security risk assessment. An example of such a situation is the sharing of facilities (e.g. IT systems, databases and telecommunication systems) with other organizations.
9.1.3 IS 9.1.3 Audit time
Certification bodies shall allow auditors sufficient time to carry out all the activities associated with an initial audit, a surveillance audit or a recertification audit. The time allocated should be based on factors such as:
a) the size of the ISMS scope (e.g. the number of information systems used, the number of employees),
b) the complexity of the ISMS (e.g. the criticality of the information systems, the risk situation of the ISMS); see also Annex A,
c) the type(s) of activity carried out within the scope of the ISMS,
d) the extent and diversity of the technology used to implement the various parts of the ISMS (e.g. implementation of controls, control of documentation and/or processes, corrective/preventive action, etc.),
e) the number of sites,
f) previously demonstrated performance of the ISMS,
g) the extent of outsourcing and third-party arrangements within the scope of the ISMS,
h) the standards and regulations that apply to the certification.
Annex C provides guidance on audit time. The certification body shall be prepared to substantiate or justify the time spent on any initial, surveillance or recertification audit.
9.1.4 IS 9.1.4 Multiple sites
9.1.4.1 Sampling decisions for multiple sites in the field of ISMS certification are more complex than the corresponding decisions for quality management systems. If the client organization has multiple sites that satisfy criteria a) to c) below, certification bodies may consider using a sample-based approach to the certification audit of the multiple sites:
a) all sites operate under the same ISMS, which is centrally administered and audited and is subject to centralized management review;
b) all sites are included in the client organization's internal ISMS audit programme;
c) all sites are included in the client organization's ISMS management review programme.
9.1.4.2 A certification body wishing to use a sample-based approach shall have procedures in place that ensure the following:
a) The initial contract review identifies, to the greatest extent possible, the differences between sites, so that an appropriate level of sampling is determined.
b) The following are taken into account when determining the representative number of sites to be sampled by the certification body:
1) the results of internal audits of the head office and of the sites,
2) the results of management review,
3) variations in the size of the sites,
4) variations in the business purpose of the sites,
5) the complexity of the ISMS,
6) the complexity of the information systems at the different sites,
7) variations in working practices,
8) variations in the activities undertaken,
9) potential interactions with critical information systems or with information systems processing sensitive information,
10) any differing legal requirements.
c) A representative sample is selected from all of the sites within the scope of the client organization's ISMS; this selection shall be based on judgemental choice reflecting the factors listed in b) above, as well as on a random element.
d) Every site included in the ISMS that is subject to significant risk is audited by the certification body prior to certification.
e) The audit programme is designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within a three-year period.
f) Where a nonconformity is observed, either at the head office or at a single site, the corrective action procedure applies to the head office and to all sites covered by the certificate.
The audit described in IS 9.1.5 below shall address the activities of the head office, to ensure that a single ISMS applies to all sites and that central management is brought into effect at the operational level. The audit shall address all of the matters mentioned above.
9.1.5 IS 9.1.5 Audit methodology
The certification body shall have procedures that require the client organization to be able to demonstrate that internal ISMS audits are planned, and that the programme and procedures are operational and can be shown to be operational.
The certification body's procedures shall not presuppose a particular manner of implementing an ISMS or a particular format for documentation and records. Certification procedures shall focus on establishing that the client organization's ISMS meets the requirements of ISO/IEC 27001 and the policies and objectives of the client organization.
The audit plan shall identify the network-assisted auditing techniques that will be used during the audit, as appropriate.
NOTE: Network-assisted auditing techniques may include, for example, teleconferencing, web meetings, interactive web-based communications and remote electronic access to ISMS documentation and/or ISMS processes. The focus of these techniques should be on improving the effectiveness and efficiency of the audit, and they should support the integrity of the audit process.
9.1.6 IS 9.1.6 Certification audit report
9.1.6.1 The certification body's reporting procedures shall ensure that:
a) before leaving the client organization's premises, the audit team and the management of the client organization hold a meeting at which the audit team provides:
1) written or oral information on the conformity of the client organization's ISMS with the specific requirements for certification,
2) an opportunity for the client organization to ask questions about the findings and their basis,
b) the audit team provides the certification body with an audit report of its findings on the conformity of the client organization's ISMS with all of the certification requirements.
9.1.6.2 The audit report shall contain or refer to the following information:
a) an audit opinion, including a summary of the document review,
b) the certification audit's opinion on the client organization's information security risk analysis,
c) the total audit time spent, with a detailed breakdown of the time spent on document review, assessment of the risk analysis, on-site auditing and audit reporting,
d) the audit enquiries that were followed, the rationale for their selection and the methodology used.
9.1.6.3 The audit report shall be sufficiently detailed to facilitate and support the certification decision. It shall contain:
a) the areas covered by the audit (e.g. the certification requirements and the sites audited), including significant audit trails and the audit methodologies used (see IS 9.1.5),
b) findings, both positive (e.g. noteworthy features) and negative (e.g. potential nonconformities),
c) details of all nonconformities identified, supported by objective evidence, and a reference from each nonconformity to the requirements of the ISMS standard ISO/IEC 27001 or of the other documents required for certification,
d) comments on the conformity of the client organization's ISMS with the certification requirements, with a clear statement of nonconformities, a reference to the version of the Statement of Applicability and, where appropriate, any useful comparison with the results of previous certification audits of the client organization.
Completed questionnaires, checklists, observations, logs or auditor's notes may form an integral part of the audit report. If these methods are used, the documents shall be submitted to the certification body as evidence in support of the certification decision. Information on the samples evaluated during the audit shall be included in the audit report or in other certification documentation.
The report shall address the suitability of the internal organization and procedures adopted by the client organization to give confidence in the ISMS.
In addition to the reporting requirements of ISO/IEC 17021:2011, clause 9.1.10, the report shall cover:
– the degree of confidence in the internal ISMS audits and ISMS management reviews,
– a summary of the most important findings, both positive and negative, on the implementation and effectiveness of the ISMS,
– the audit team's recommendation as to whether or not the client organization's ISMS should be certified, together with the information supporting that recommendation.
9.2 Initial audit and certification
The requirements of ISO/IEC 17021:2011, clause 9.2, apply. In addition, the following ISMS-specific requirements and guidance apply.
9.2.1 IS 9.2.1 Audit team competence
In addition to the requirements of 7.2, the following requirements apply to the certification assessment. For surveillance activities, only those requirements relevant to the planned surveillance activities apply.
The following requirements apply to the audit team as a whole.
a) In each of the following areas, at least one member of the audit team shall meet the certification body's criteria for taking responsibility within the team:
1) team leadership,
2) management of the systems and processes used in the ISMS,
3) knowledge of the legislative and regulatory requirements in the particular field of information security,
4) identification of information security threats and incident trends,
5) identification of the client organization's vulnerabilities and an understanding of the likelihood of their exploitation, their impact, and their mitigation and control,
6) knowledge of ISMS controls and their implementation,
7) knowledge of ISMS performance review and control measurement,
8) related and/or relevant ISMS standards, industry best practices, security policies and procedures,
9) knowledge of incident handling and business continuity methods,
10) knowledge of tangible and intangible information assets and impact analysis,
11) knowledge of current technology where security may be relevant or at issue,
12) knowledge of risk management processes and methods.
b) The audit team shall be competent to trace indications of security incidents in the client organization's ISMS back to the relevant elements of the ISMS.
c) The audit team shall have appropriate work experience and practical knowledge of the items listed above (this does not mean that each auditor needs a range of experience across all areas of information security, but the audit team as a whole should have sufficient credentials and experience to cover the whole of the ISMS scope being audited).
The audit team may consist of a single person, provided that person meets all of the criteria in a) above.
9.2.1.1 IS 9.2.1.1 Demonstration of auditor competence
Auditors shall be able to demonstrate their knowledge and experience, as described above, for example through:
a) recognized ISMS-specific qualifications,
b) registration as an auditor,
c) approved ISMS training courses,
d) up-to-date continuing professional development records,
e) practical demonstration of walking through ISMS audit procedures on real client systems in the presence of witnessing auditors.
9.2.2 IS 9.2.2 General preparations for the initial audit
The certification body shall require the client organization to make all necessary arrangements
...