ISO IEC TS 27006-2-2021.docx

TECHNICA1.SPECIFICATIONISO/IECTS27006-2editionFirst2021-02Requirementsforbodiesprovidingauditandcertificationofinformationsecuritymanagementsystems一PjjcyinformationmanagementsystemsExigencespour1.esOrganismesprocdantiKauditet1.acertificationdesSySmmeSdemanagementdesinformationsdeSdCUriM-Partie2:SystemesdemanagementdesinformationsdesecuriteReferencenumberISO/IECTS2700622021(E)CISO/IEC2021COPYRIGHTPROTECTEDDOCUMENT©IS0/1EC2021M11c<he<ivdi1.itedotherwise加<j<¼w:纱rryj可11cho。城(Xt)Iinra”;ItmI1.GPhrt1.丽IrfVIXxxPJOinR,p11WjaFtiOnPoStingontheinternetoranintineuwithoutpriorwrittenpermission.PermissioncanberequestedfromeitherISOatt1.½addressbe1.oworISO,smemberbodyinthecountryofthertr<wstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andContentsForeword7.2 Personne1.invo1.vedDeterminationcertificationcompetence7.3 Personne1.individua1.47.4 ReferenceCertificationCertincationdocuments-49.1.2App1.icationprogramme9.2 PIanningMuItip1.e79.3 Initia1.certification79.4.2IS9.4Specific7iiiIntroductionviScope1Normativereferences1Termsanddefinitions1Princip1.esGenera1.requirements5.1 1.ega1.andcontractua1.matters5.2 ManagementOfimpartia1.ityStructura1.reuirements2Resourcerequirements27.1.1PS7.1.1Genera1.considerations27.1.2PS7.1.2theactivitiescriteria7.2.1PS7.2Demonstrationofauditorknow1.edgeandexperience4722PS2.11Se1.ectingauditors.47.4USeofFecordsexterna1.auditorsandexterna1.technica1.experts7.5Outsourcing4Informationrequirements48.2Certificationdocuments48.2.1PSto8.2PIMSanduseofmarks8.4Confidentia1.ity58.5Informationexchangebetweenacertificationbodyanditsc1.ients5Processrequirements59.1Pre-Ccrtif1.ca1.ionactivities59.1.1AoD1.icationS9.1.3Auditreview9.1.4Determiningaudittime69.1.5Mu1.ti-sitesamp1.ing79.1.6auditsmanagementsystems9.2.1Determiningauditobjectives,scopeandcriteria79.2.2Auditteamse1.ectionandassignments79.2.3Auditp1.an9.4 Conductingaudits7941qaGPnPrA1.7*11V9.4.3Auditreporte1.ementsoftheISMSaudit56Certificationdecision7Maintainingcertification89.6.2 Genera1.activities9.6.3 Re-certification89.6.4 Specia1.audits8一8-8.89.6.5 Suspending,withdrawingorreducingthescopeofcertificationAppea1.s.ChUn1.rooIdsManagementsystemrequirementsforcertificationbodies10.1 Options10.2 OptionA:Genera1.managementsystemrequirements10.3 OptionB:ManagementsystemrequirementsinaccordancewithISO9001.,.ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.amunieriNF耐form1.SOth峋那加1北柳Ste1.nItftedeMd也PnientStaattMtjdbIRriC1.maINSmitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interest.Otheriatpari°na1.cvons,Sovernmenta*dn<non-governmenta1.,in1.iaisonwithISOandIEC,a1.soTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceare窗nf8妙CS1.g月M野用曲帆帆版IiO1.PdpMXh小*ert三ft设帆fi!i懈崛Cdedtheeditoria1.ru1.esofthe1SOIECDirectives,Part2(seewww.iso.org/direc1.ives).HR¾fi8h11g用色Wn淤.法8腐"R®hfa¾yb1.ef即第几用时口卜见»用1咧&低UbjCCtrights.Detai1.sofanypatentrightsidentifiedduringthedeve1.opmentOf*hdo&4nkntWinbeintheIntroductionand/orontheISO1.istofpr】UMMdednrionsreceived(seewww.iso.org/patents)ortheIEC1.istofpatentdec1.arationsreceived(seepatents.iecch).AnytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstituteanendorsementE卯统SiOnSeX岬IftibQ岫EabwMt喇】entofa州曲dards,thfoewngMtoUI1.SCKPadiit三mUadWa1.dTndO呻Nzaiion(WTO)princip1.esintheTechnica1.BarrierstoTrade(TBT).seewww.iso.org/iso/foreword.htm1.yig用电的锂SC砧劭册解rf秘题哈及喇喇欧"/W(R时Afi媵。/历防35。儿/“用;7»。口。techno1.ogy.A1.istofa1.1.partsintheISO/IEC27006seriescanbefoundontheISOwebsite.A周初£帆4冠附由三sHHBiesthisca随<feHHR1.s1.三Www5t三三beFWW论nationa1.standardsbody.AIntroductionISO/IEC27006setsoutcriteriaforbodiesprovidingauditandcertificationofinformationsecuritythenrigemtvtf寸&Udto*sod】Cdmifa11rH8gyintaraatht>ni口8眄姆丹EGWZPOf1.feiMehwithISO/iEC27701:2019,someadditiona1.requirementsandguidancetoISO/IEC27006arcnecessary.Theseareprovidedbythisdocumenti较bentstH<观)咻联翩4依舟M田加机酒§0/正：邮曲27(MMsIfWM啾外酗削MPeCifiCthe1.etters"PS".S1.iRPSB即国ionp0&MKtandar4朝啦158呐tb!ea(，圈Qatio用说愉di国25FtificaU(fi枢Mvc1.yharmonizeRequirementsforbodiesprovidingauditandcertificationofinformationsecuritymanagementsystems一Privacyinformationmanagementsystems1 ScopecombinationwithISO/IECinformationmanagementrequirement5(PIMSJcontainedwithinISO/IEC27006andFequirementsanybodycontainedinthiscertification,toanddemonstratedContainedofincompetenceandprocesses.Thisdocumentcanbeusedasacriteriadocumentforaccreditation,peerassessmentorotheraudit2 NormativereferencesconstitutesrequirementS1.ateStCditiondocurncntxcfcrencedrefercnces,(inc1.udingamendments)app1.ies.app1.ies.managementsystemsPartI:RequirementssystemsOverviewandvocabu1.arysystemsRequirementsauditandcertificationofinformationsecuritymanagementsystemsinformationmanagementRequirementsandguide1.ines3 TermsanddefinitionsISOOn1.inebrowsingp1.atform:avai1.ab1.eat4ttpf/11=gobpPart2:Thisdocumentspecifiesrequirementsandprovidesguidanceforbodiesprovidingauditandcertificationofaprivacy27001,additiontothesystemaccordingto27701inISO1EC27701.Itisprimari1.yintendedtosupporttheaccreditationofcertificationbodiesprovidingPIMScertification.There1.iabi1.itybyprovidingPIMSdocunientneedbetheguidancetermsthisdocumenprovidesadditiona1.interpretationoftheserequirementsforanybodyprovidingP1.MScertification.NOTEThefo1.1.owingdocumentsarereferredtointhetextinsuchawaythatsomeora1.1.oftheircontentundatedreferences,theofthisoftheFordateddocumenton1.ytheanyeditioncitedForISO/IEC17021-1,ConformityassessmentRequirementsforbodiesprovidingauditandcertificationofISO/IEC27000,Informationtechno1.ogy-SecuritytechniquesInformationsecuritymanagementISO/IEC27001,Informationtechno1.ogySecuritytechniquesInformationsecuritymanagementISO/IEC27006:2015.Informationtechno1.ogySecuritytechniquesRequirementsforbodiesprovidingISO/IEC27701,SecuritytechniquesExtensiontoISO/IEC27001andISO/IEC27002forprivacyISO/IEC29100,Informationtechno1.ogySecuritytechniquesPrivacyframeworkForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC17021-1.rISO/IEC27000.ISOandIECmain1.aintermino1.ogica1.databasesforuseinstandardizationatthefo1.1.owingaddresses:IECE1.ectropedia:avai1.ab1.eathttp:/www.e1.ectropedia.org/4 Princip1.es5 Genera1.requirements5.1 1.ega1.andcontractua1.mattersguidanceapp1.y.-49PS5.1Normativebasisforthisdocument5.2 ManagementOfimpartia1.ityguidanceapp1.y.-49PS5.2Conf1.ictsofinterestasexterna1.dataprotectionofficer,processreviewsordataprotectionreviews).thatprovisionsOrtInanCing27006:2015,5.2.1a),areapp1.ied.Therequirementsrequirenients27006:2015,5.3,app1.y.Therequirementsrequirements270062015,C1.ause6,app1.y.7.1 Competenceofpersonne1.7.1.1 PS7.1.1Genera1.considerations7.1.2 PS7.1.2Determinationofcompetencecriteriaguidanceapp1.y.7.1.2.1CompetencerequirementsforPIMSauditingTheprincip1.esfromISO/IEC27006:2015,C1.ause4,app1.y.TherequirementsofISO/IEC27006:2015,5.1app1.y.Inaddition,thefo1.1.owingrequirementsandA1.1.requirementsfromISO/IEC27006app1.yun1.essOtherWiSespecifiedinthisdocument.TherequirementsofISO/IEC27006:2015,5.2,app1.y.Inaddition,thefo1.1.owingrequirementsandThecertificationbodysha1.1.notprovidemanagementsystemconsu1.tancyre1.atedtoPIMS(e.g.servicesArrangingandparticipatingasIecturerintrainingcoursesre1.atedtopersona1.informationsecuritymanagementsystemsisnotconsideredconsu1.tancyorhavingapotentia1.conf1.ictofinterest,provided5.3the1.iabi1.ityandISO/IEC6Structura1.ofISOZIEC7ResourceofISO/IECTherequirementsofISO/IEC27006:2015,7.1.1,app1.y.TherequirementsofISO/IEC27006:2015,7.1.2,app1.y.Inaddition,thefo1.1.owingrequirementsand7.1.2.1PSTheauditorssha1.1.haveknow1.edgeof：a) privacyinformationmanagementinc1.udingISO/IEC27701;b) identificationandhand1.ingofpersona1.1.yidentifiab1.einformation(PII);c) privacybydesignandbydefau1.t;d) PIMSmonitoring,measurement,ana1.ysisandeva1.uation;e) informationsecurityrisksre1.atedtoprivacyinformationmanagementandprocessingofPU;f) po1.iciesandbusinessrequirementsforprivacyinformationmanagement.7.1.2.1.2Co1.1.ective1.y,themembersoftheauditteamsha1.1.haveknow1.edgeof：app1.ication；b) tracingprivacyincidents;privacyc) ITianagementjinformationriskassessment,privacyimpactassessmentandthere1.atedmethodsandriskd) processesapp1.icab1.etoPIMS;e) thecurrenttechno1.ogywhereprivacymaybere1.evantoranissue;f) a1.1.contro1.scontainedinISO1EC27701andtheirimp1.ementation;g) requirementsprivacyinformationmanagementand/orprocessingofP1.1.(e.gector陷SfcVorKmtaftat>i)tesrines.reguIatoryrequirementsdoesnotimp1.yaspecificeducationa1.degreeInh) industryprivacygoodpracticesandprivacyprocedures.7.1.2.2PS7.1.2.4CompetencerequirementsforreviewingauditreportsandmakingcertificationdecisionsThepersonne1.reviewingauditreportsandmakingcertificationdecisionssha1.1.haveknow1.edgeof:a) theprivacyframeworkpresentedinISO/IEC29100；b) ISO/IEC27701;丽or悔v)dm咖.regu1.atoryrequirementsdocsnotimp1.yaspecificeducationa1.degreeind)scopedefinitionformanagementsystemsaccordingtoISO/IEC27701(inparticu1.arintermsofP"S慨1.erJ蚣跳?SheSSorS)tobeab1.etoverifytheappropriatenessofthescopeaswe1.1.asThepersonne1.reviewingauditreportsandmakingcertificationdecisionssha1.1.havegenera1.understandingof：a)privacyinformationriskassessment,privacyimpactassessmentandriskmanagement;切2P所耶fife1.aM3Wg也聃他JCertifiCationactivitiesRIanCereWmentsofISO/IEC27006:2015,7.2,app1.y.Inaddition,thefo1.1.owingrequirementsand7.2.1 PS7.2Demonstrationofauditorknow1.edgeandexperienceThecertificationbodysha1.1.demonstratethattheauditorshavenecessaryknow1.edgeandexperiencethrough(whereapp1.icab1.e):a) recognizedPIMS-specifkqua1.ifications；b) participationinPIMStrainingcoursesandattainmentofre1.evantpersona1.credentia1.s；c) PIMSauditswitnessedbyanotherPIMSauditor.7.2.2 PS7.2.1.1Se1.ectingauditorsInadditionto7.1.2.1,thecriteriaforse1.ectingPIMSauditorssha1.1.ensurethateachauditor:a) MaS1.CaSUtWwrsv町Mwrb语。OhWeKittwpfWA叫)ceininformationtechno1.ogy,ofwhichb) hascomp1.etedat1.eastoneonsiteauditinthefie1.dofPIMS;27db1.2015Mi1.Mb1WA痛i1.福AWtUinISMSZdfie1.ds.theymeettherequirementsofc) keepcurrentknow1.edgeandski1.1.sinprivacyinformationmanagementuptodatethroughcontinua1.professiona1.deve1.opment.Tp1.ywitha).1.3 UseOfindividua1.externa1.auditorsandexterna1.technica1.expertsTherequirementsofISO/IEC27006:2015,7.3,app1.y.1.4 Personne1.recordsTherequirementsofISO1EC27006:2015,7.4,app1.y.1.5 OutsourcingTherequirementsofISO1EC27006:2015,7.5,app1.y.8 Informationrequirements8.1 Pub1.icinformationTherequirementsofISO/IEC27006:2015,8.1,app1.y.8.2 CertificationdocumentsTherequirementsofISO/IEC27006:2015,8.2,app1.y.Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.8.2.1 PS8.2PIMSCertificationdocumentsThecertificationdocumentssha1.1.identifythattheorganizationiseitherorbothaP1.1.contro1.1.erandaP1.1.processorwithinthescopeofthecertification.CertificationdocumentsforISO/IEC27701sha1.1.identifytheISO/IEC27001certificationonwhichtheISO/IEC27701certificationisbasedandIhattheorganizationconformstoISO/IEC27701.The1.SO/IEC27701Statementinc1.udedapp1.icabi1.itycertificationdocuments.and.ifissuedseparate1.y,theSoAWOiFEtheSoAThettoATOJE2WI<11.EC27701canbeintegratedwiththeSoAfor1SO1EC27001,orproducedseparate1.yTheOfTcc1.iveda1.eofISO/IEC27701certificationsha1.1.notexceedthedateoftheISO/IEC27001certificationonwhichitisbased.ThecertificationaccordingtoISO/IEC27001mayboobtainedpriororinpara1.1.e1.totheISO/IEC27701certification.Certificationdocumentssha1.1.inc1.ude:a) thewordsprivacyinformationmanagementsystem;b) actsro1.cPIIorganizationforprocessor);productorserviceinscope(i.e.iftheorganizationK*1E1.omrtrt1.er.organizationcande1.iveremai1.servicesactingasP1.1.processorandfi1.esharingservicesactingc) thefactthatthecertifiedorganizationfu1.fi1.sbothISO/IEC27001andISO/IEC27701.!1.WEi%mif1.用onf9K班旭展Med(e.峭展树曲的网称mberfo我用效例比mi押a正施WinEe.mdus1.onof8.3 ReferencetocertificationanduseofmarksTherequirementsofISO/IEC27006:2015.8.3,app1.y.8.4 Confidentia1.ityTherequirementsofISO/IEC27006:2015,8.4,app1.y.8.5 Informationexchangebetureenacertificationbodyanditsc1.ientsTherequirementsofISO/IEC27006:2015,8.5,app1.y.9 Processrequirements9.1 Pre-Certificationactivities9.1.1 App1.icationTherequirementsofISO/IEC27006:2015.9.1.1,app1.y.9.1.2 App1.icationreviewTherequirementsofISO/IEC27006:2015.9.1.2,app1.y.9.1.3 AuditprogrammeTherequirementsofISO/IEC27006:2015.9.1.3rapp1.y(except9.1.3.6).Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.9.1.3.1 PS9.1.3Scopeofcertification9.1.3.1.1 ScopeofcertificationThecertificationbodysha1.1.ensurethatthescopeoftheISO/IEC27701certificationiswithinoridentica1.tothescopeoftheISO/IEC27001certification.Thecertificationbodysha1.1.ensurethatthescopeofcertificationtoISO/IEC27701isinc1.udedwithinboundariesoftheactivitiesofthec1.ientasdefinedinthescopeofthePIMS.9.1.3.1.2 Specifice1.ementsofthePIMSauditTheauditprogrammeforanISO/IEC27701auditsha1.1.identifythero1.eofthec1.ientwithregardtoP1.1.contro1.1.ersandP1.1.pr<essors.Thecertificationbodysha1.1.confirm,inthescopeofthec1.ientPIMS,thattheP1.1.processingisinthescope(seeISO/IEC27701:2019,5.2.3).d6htt!eat11)0ntb帼t&U1.械CnHa1.aCeiftUH3R½en山Honthe版处H心HeSPri阶t翻kiesassessmcn1.ddhdinthescopeofthePIMS.Certificationbodiessha1.1.confirmthatthisisref1.ectedinthecHenCsscopeoftheirPIMSandstatementofapp1.icabi1.ity.9.1.3.2 PS9.1.3CertificationauditcriteriaThecriteriaagainstwhichthePIMSofac1.ientisauditedsha1.1.beISO/IEC27001extendedbyISO/IEC27701.Otherdocumentsmayberequiredforcertificationre1.evanttothefunction(三)performed.9.1.4 DeterminingaudittimeTherequirementsofISO/IEC27006:2015,9.1.4,app1.y.Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.-49PS9.1.4Audit1.imeInadditiontoISO/IEC27006:2015,9.1.4.1,thecertificationbodysha1.1.identifytheadditiona1.audittimebespent蹴僦F僻)酬翻S掣鼐野睡螂¾嘱爨Wtia1.certification,survei1.1.anceand30%oftheaudittime(IrIhoauditc1.ient佃aPIIptrottUr);orF购5MMMMUdZk业fSttW的曲,M睇加出曲即幽枷依丽3rt&”$C)27006:2015,9.1.4andAnnexB.Theadditiona1.daysforPIIforanini