Comparison with the document for ISO 27006, "Requirements for bodies providing audit and certification of information security management systems"
Like ISO 27006, we intend to follow the structure of ISO 17021 with additional requirements and guidance on their application.
The following summarises the structure and identifies some issues, particularly where the ISO 27006 document goes beyond ISO 17021, as it is prima facie likely that we will wish to do the same. Sections without any annotations are those where ISO 27006 does not add anything to ISO 17021.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
Additional text on conflicts of interest.
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
Additional text on establishing the certification body's own competence in information security management, particularly with respect to the area of operation of the client organisation, and the competence of individual auditors.
7.2 Personnel involved in the certification activities
Additional text on selection and training of audit teams, handling certifications, appeals and complaints. It also specifies the level of education, training and experience of auditors.
7.3 Use of individual external auditors and external technical experts
Additional text on use of external auditors and technical experts.
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
Additional text on what documents the client must have (in broad terms), and that the certification body must have documented procedures for initial certification, surveillance and recertification audits (see section 9).
8.2 Certification documents
Additional text that certification documents will be provided to the client.
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
Additional text about the certification body retaining control of its certification mark.
8.5 Confidentiality
Additional text about the case of records not available because they contain confidential or sensitive information.
8.6 Information exchange between a certification body and its clients
9 Process requirements
9.1 General requirements
Additional text referring to the ISO 27006 standard for the criteria of the audit. Also policies, procedures and formalities about the audit team. Suitable audit time must be allocated. Handling of multiple sites could use a sample-based approach. Reporting to the client.
9.2 Initial audit and certification
9.2.1 IS 9.2.1 Audit team competence
Additional text about audit team leadership and demonstration of competence.
Initial audit comprises Stage 1 to provide a focus for planning the Stage 2 audit, then the Stage 2 audit.
The client organisation is to have procedures for assessing the significance of risks.
Legal and regulatory compliance is the responsibility of the client.
Certification decision: "Those who make the certification decision shall not have participated in the audit."
9.3 Surveillance activities
Additional text about surveillance audits.
"The purpose of surveillance is to verify that the approved ISMS continues to be implemented, to consider the
implications of changes to that system initiated as a result of changes in the client organization’s operation
and to confirm continued compliance with certification requirements."
9.4 Recertification
Additional text about correction of non-conformities.
9.5 Special audits
Additional text for the case that the client makes a major change to the systems.
9.6 Suspending, withdrawing or reducing scope of certification
9.7 Appeals
9.8 Complaints
Additional text for the case that the client receives a complaint.
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 – Management system requirements in accordance with ISO 9001
10.3 Option 2 – General management system requirements
Additional text "It is recommended that certification bodies implement an ISMS in accordance with ISO/IEC 27001." - needs following up.
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects
Possible factors to be considered when determining an ISMS scope and complexity.
Annex B (informative) Example areas of auditor competence
Knowledge of other relevant standards and typical knowledge expected.
Annex C (informative) Audit time
Guide to estimating time required.
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls
"The audit evidence that the certification body collects needs to be sufficient to draw a conclusion as to whether the controls are effective."
Includes specific guidance on what to check for each control area.
--
SimonLambert - 10 Nov 2008