1、TECHNICA1.SPECIFICATIONISO/IECTS27006-2editionFirst2021-02Requirementsforbodiesprovidingauditandcertificationofinformationsecuritymanagementsystems一PjjcyinformationmanagementsystemsExigencespour1.esOrganismesprocdantiKauditet1.acertificationdesSySmmeSdemanagementdesinformationsdeSdCUriM-Partie2:Syst
2、emesdemanagementdesinformationsdesecuriteReferencenumberISO/IECTS2700622021(E)CISO/IEC2021COPYRIGHTPROTECTEDDOCUMENTIS0/1EC2021M11cheivdi1.itedotherwise加jw:纱rryj可11cho。城(Xt)Iinra”;ItmI1.GPhrt1.丽IrfVIXxxPJOinR,p11WjaFtiOnPoStingontheinternetoranintineuwithoutpriorwrittenpermission.Permissioncanberequ
3、estedfromeitherISOatt1.addressbe1.oworISO,smemberbodyinthecountryofthertrwstcr.三cB1.andonnct8r,GenevaPhone:t41227490111辆jtc:用洲部砾o.orgPub1.ishedinSwitzer1.andContentsForeword7.2 Personne1.invo1.vedDeterminationcertificationcompetence7.3 Personne1.individua1.47.4 ReferenceCertificationCertincationdocu
4、ments-49.1.2App1.icationprogramme9.2 PIanningMuItip1.e79.3 Initia1.certification79.4.2IS9.4Specific7iiiIntroductionviScope1Normativereferences1Termsanddefinitions1Princip1.esGenera1.requirements5.1 1.ega1.andcontractua1.matters5.2 ManagementOfimpartia1.ityStructura1.reuirements2Resourcerequirements2
5、7.1.1PS7.1.1Genera1.considerations27.1.2PS7.1.2theactivitiescriteria7.2.1PS7.2Demonstrationofauditorknow1.edgeandexperience4722PS2.11Se1.ectingauditors.47.4USeofFecordsexterna1.auditorsandexterna1.technica1.experts7.5Outsourcing4Informationrequirements48.2Certificationdocuments48.2.1PSto8.2PIMSandus
6、eofmarks8.4Confidentia1.ity58.5Informationexchangebetweenacertificationbodyanditsc1.ients5Processrequirements59.1Pre-Ccrtif1.ca1.ionactivities59.1.1AoD1.icationS9.1.3Auditreview9.1.4Determiningaudittime69.1.5Mu1.ti-sitesamp1.ing79.1.6auditsmanagementsystems9.2.1Determiningauditobjectives,scopeandcri
7、teria79.2.2Auditteamse1.ectionandassignments79.2.3Auditp1.an9.4 Conductingaudits7941qaGPnPrA1.7*11V9.4.3Auditreporte1.ementsoftheISMSaudit56Certificationdecision7Maintainingcertification89.6.2 Genera1.activities9.6.3 Re-certification89.6.4 Specia1.audits8一8-8.89.6.5 Suspending,withdrawingorreducingt
8、hescopeofcertificationAppea1.s.ChUn1.rooIdsManagementsystemrequirementsforcertificationbodies10.1 Options10.2 OptionA:Genera1.managementsystemrequirements10.3 OptionB:ManagementsystemrequirementsinaccordancewithISO9001.,.ForewordISO(theInternationa1.OrganizationforStandardization)andIEC(theInternati
9、ona1.E1.ectrotechnica1.amunieriNF耐form1.SOth峋那加1北柳Ste1.nItftedeMd也PnientStaattMtjdbIRriC1.maINSmitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsofmutua1.interest.Otheriatparina1.cvons,Sovernmenta*dnnon-governmenta1.
10、in1.iaisonwithISOandIEC,a1.soTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceare窗nf8妙CS1.g月M野用曲帆帆版IiO1.PdpMXh小*ert三ft设帆fi!i懈崛Cdedtheeditoria1.ru1.esofthe1SOIECDirectives,Part2(seewww.iso.org/direc1.ives).HRfi8h11g用色Wn淤.法8腐Rhfayb1.ef即第几用时口卜见用1咧&低UbjCCtrights.Detai1.sof
11、anypatentrightsidentifiedduringthedeve1.opmentOf*hdo&4nkntWinbeintheIntroductionand/orontheISO1.istofpr】UMMdednrionsreceived(seewww.iso.org/patents)ortheIEC1.istofpatentdec1.arationsreceived(seepatents.iecch).Anytradenameusedinthisdocumentisinformationgivenfortheconvenienceofusersanddoesnotconstitut
12、eanendorsementE卯统SiOnSeX岬IftibQ岫EabwMt喇】entofa州曲dards,thfoewngMtoUI1.SCKPadiit三mUadWa1.dTndO呻Nzaiion(WTO)princip1.esintheTechnica1.BarrierstoTrade(TBT).seewww.iso.org/iso/foreword.htm1.yig用电的锂SC砧劭册解rf秘题哈及喇喇欧/W(R时Afi媵。/历防35。儿/“用;7。口。techno1.ogy.A1.istofa1.1.partsintheISO/IEC27006seriescanbefoundonthe
13、ISOwebsite.A周初帆4冠附由三sHHBiesthisca随ni口8眄姆丹EGWZPOf1.feiMehwithISO/iEC27701:2019,someadditiona1.requirementsandguidancetoISO/IEC27006arcnecessary.Theseareprovidedbythisdocumenti较bentstHi)tesrines.reguIatoryrequirementsdoesnotimp1.yaspecificeducationa1.degreeInh) industryprivacygoodpracticesandprivacypr
14、ocedures.7.1.2.2PS7.1.2.4CompetencerequirementsforreviewingauditreportsandmakingcertificationdecisionsThepersonne1.reviewingauditreportsandmakingcertificationdecisionssha1.1.haveknow1.edgeof:a) theprivacyframeworkpresentedinISO/IEC29100;b) ISO/IEC27701;丽or悔v)dm咖.regu1.atoryrequirementsdocsnotimp1.ya
15、specificeducationa1.degreeind)scopedefinitionformanagementsystemsaccordingtoISO/IEC27701(inparticu1.arintermsofPS慨1.erJ蚣跳?SheSSorS)tobeab1.etoverifytheappropriatenessofthescopeaswe1.1.asThepersonne1.reviewingauditreportsandmakingcertificationdecisionssha1.1.havegenera1.understandingof:a)privacyinfor
16、mationriskassessment,privacyimpactassessmentandriskmanagement;切2P所耶fife1.aM3Wg也聃他JCertifiCationactivitiesRIanCereWmentsofISO/IEC27006:2015,7.2,app1.y.Inaddition,thefo1.1.owingrequirementsand7.2.1 PS7.2Demonstrationofauditorknow1.edgeandexperienceThecertificationbodysha1.1.demonstratethattheauditorsh
17、avenecessaryknow1.edgeandexperiencethrough(whereapp1.icab1.e):a) recognizedPIMS-specifkqua1.ifications;b) participationinPIMStrainingcoursesandattainmentofre1.evantpersona1.credentia1.s;c) PIMSauditswitnessedbyanotherPIMSauditor.7.2.2 PS7.2.1.1Se1.ectingauditorsInadditionto7.1.2.1,thecriteriaforse1.
18、ectingPIMSauditorssha1.1.ensurethateachauditor:a) MaS1.CaSUtWwrsv町Mwrb语。OhWeKittwpfWA叫)ceininformationtechno1.ogy,ofwhichb) hascomp1.etedat1.eastoneonsiteauditinthefie1.dofPIMS;27db1.2015Mi1.Mb1WA痛i1.福AWtUinISMSZdfie1.ds.theymeettherequirementsofc) keepcurrentknow1.edgeandski1.1.sinprivacyinformatio
19、nmanagementuptodatethroughcontinua1.professiona1.deve1.opment.Tp1.ywitha).1.3 UseOfindividua1.externa1.auditorsandexterna1.technica1.expertsTherequirementsofISO/IEC27006:2015,7.3,app1.y.1.4 Personne1.recordsTherequirementsofISO1EC27006:2015,7.4,app1.y.1.5 OutsourcingTherequirementsofISO1EC27006:2015
20、7.5,app1.y.8 Informationrequirements8.1 Pub1.icinformationTherequirementsofISO/IEC27006:2015,8.1,app1.y.8.2 CertificationdocumentsTherequirementsofISO/IEC27006:2015,8.2,app1.y.Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.8.2.1 PS8.2PIMSCertificationdocumentsThecertificationdocumentssha1.1
21、identifythattheorganizationiseitherorbothaP1.1.contro1.1.erandaP1.1.processorwithinthescopeofthecertification.CertificationdocumentsforISO/IEC27701sha1.1.identifytheISO/IEC27001certificationonwhichtheISO/IEC27701certificationisbasedandIhattheorganizationconformstoISO/IEC27701.The1.SO/IEC27701Statem
22、entinc1.udedapp1.icabi1.itycertificationdocuments.and.ifissuedseparate1.y,theSoAWOiFEtheSoAThettoATOJE2WI11.EC27701canbeintegratedwiththeSoAfor1SO1EC27001,orproducedseparate1.yTheOfTcc1.iveda1.eofISO/IEC27701certificationsha1.1.notexceedthedateoftheISO/IEC27001certificationonwhichitisbased.Thecertif
23、icationaccordingtoISO/IEC27001mayboobtainedpriororinpara1.1.e1.totheISO/IEC27701certification.Certificationdocumentssha1.1.inc1.ude:a) thewordsprivacyinformationmanagementsystem;b) actsro1.cPIIorganizationforprocessor);productorserviceinscope(i.e.iftheorganizationK*1E1.omrtrt1.er.organizationcande1.
24、iveremai1.servicesactingasP1.1.processorandfi1.esharingservicesactingc) thefactthatthecertifiedorganizationfu1.fi1.sbothISO/IEC27001andISO/IEC27701.!1.WEi%mif1.用onf9K班旭展Med(e.峭展树曲的网称mberfo我用效例比mi押a正施WinEe.mdus1.onof8.3 ReferencetocertificationanduseofmarksTherequirementsofISO/IEC27006:2015.8.3,app1.
25、y.8.4 Confidentia1.ityTherequirementsofISO/IEC27006:2015,8.4,app1.y.8.5 Informationexchangebetureenacertificationbodyanditsc1.ientsTherequirementsofISO/IEC27006:2015,8.5,app1.y.9 Processrequirements9.1 Pre-Certificationactivities9.1.1 App1.icationTherequirementsofISO/IEC27006:2015.9.1.1,app1.y.9.1.2
26、 App1.icationreviewTherequirementsofISO/IEC27006:2015.9.1.2,app1.y.9.1.3 AuditprogrammeTherequirementsofISO/IEC27006:2015.9.1.3rapp1.y(except9.1.3.6).Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.9.1.3.1 PS9.1.3Scopeofcertification9.1.3.1.1 ScopeofcertificationThecertificationbodysha1.1.ens
27、urethatthescopeoftheISO/IEC27701certificationiswithinoridentica1.tothescopeoftheISO/IEC27001certification.Thecertificationbodysha1.1.ensurethatthescopeofcertificationtoISO/IEC27701isinc1.udedwithinboundariesoftheactivitiesofthec1.ientasdefinedinthescopeofthePIMS.9.1.3.1.2 Specifice1.ementsofthePIMSa
28、uditTheauditprogrammeforanISO/IEC27701auditsha1.1.identifythero1.eofthec1.ientwithregardtoP1.1.contro1.1.ersandP1.1.pressors.Thecertificationbodysha1.1.confirm,inthescopeofthec1.ientPIMS,thattheP1.1.processingisinthescope(seeISO/IEC27701:2019,5.2.3).d6htt!eat11)0ntb帼t&U1.械CnHa1.aCeiftUH3Ren山Honthe版处
29、H心HeSPri阶t翻kiesassessmcn1.ddhdinthescopeofthePIMS.Certificationbodiessha1.1.confirmthatthisisref1.ectedinthecHenCsscopeoftheirPIMSandstatementofapp1.icabi1.ity.9.1.3.2 PS9.1.3CertificationauditcriteriaThecriteriaagainstwhichthePIMSofac1.ientisauditedsha1.1.beISO/IEC27001extendedbyISO/IEC27701.Otherd
30、ocumentsmayberequiredforcertificationre1.evanttothefunction(三)performed.9.1.4 DeterminingaudittimeTherequirementsofISO/IEC27006:2015,9.1.4,app1.y.Inaddition,thefo1.1.owingrequirementsandguidanceapp1.y.-49PS9.1.4Audit1.imeInadditiontoISO/IEC27006:2015,9.1.4.1,thecertificationbodysha1.1.identifytheadditiona1.audittimebespent蹴僦F僻)酬翻S掣鼐野睡螂嘱爨Wtia1.certification,survei1.1.anceand30%oftheaudittime(IrIhoauditc1.ient佃aPIIptrottUr);orF购5MMMMUdZk业fSttW的曲,M睇加出曲即幽枷依丽3rt&”$C)27006:2015,9.1.4andAnnexB.Theadditiona1.daysforPIIforanini
