INCITS/ISO/IEC 27006:2007[2008]
(ISO/IEC 27006:2007, IDT)

Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

© ITIC 2008 All rights reserved

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.
Date of ANSI Approval: 7/1/2008

Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036

Copyright 2008 by Information Technology Industry Council (ITI). All rights reserved.

These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005.

Printed in the United States of America

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matter
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the certification activities
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Certification documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
8.5 Confidentiality
8.6 Information exchange between a certification body and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing scope of certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 – Management system requirements in accordance with ISO 9001
10.3 Option 2 – General management system requirements
Annex A (informative) Analysis of a client organization's complexity and sector-specific aspects
A.1 Organization's risk potential
A.2 Sector-specific categories of information security risk
Annex B (informative) Example areas of auditor competence
B.1 General competence considerations
B.2 Specific competence considerations
Annex C (informative) Audit time
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO and IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction

ISO/IEC 17021 is an International Standard which sets out criteria for bodies operating audit and certification of organizations' management systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing and certifying Information Security Management Systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this International Standard.

The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the letters "IS".

The term "shall" is used throughout this International Standard to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term "should" is used to indicate those provisions which, although they constitute guidance for the application of the requirements, are expected to be adopted by a certification body.

One aim of this International Standard is to enable accreditation bodies to more effectively harmonise their application of the standards against which they are bound to assess certification bodies. In this context, any variation from the guidance by a certification body is an exception. Such variations will only be permitted on a case-by-case basis after the certification body has demonstrated to the accreditation body that the exception meets in some equivalent way the relevant requirements clause of ISO/IEC 17021, ISO/IEC 27001 and the intent of this International Standard.

NOTE Throughout this International Standard, the terms "management system" and "system" are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems.

AMERICAN NATIONAL STANDARD

Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

1 Scope

This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.

The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.

NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems

ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC 19011, Guidelines for quality and/or environmental management systems auditing

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply.

3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement

3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards, and any supplementary documentation required under the system

3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system

3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification body, indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard

3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration and is able to ensure that information security is exercised

4 Principles

The principles from ISO/IEC 17021:2006, Clause 4 apply.

5 General requirements

5.1 Legal and contractual matter

The requirements from ISO/IEC 17021:2006, Clause 5.1 apply.

5.2 Management of impartiality

The requirements from ISO/IEC 17021:2006, Clause 5.2 apply. In addition, the following ISMS-specific requirements and guidance apply.

5.2.1 IS 5.2 Conflicts of interest

Certification bodies can carry out the following duties without them being considered as consultancy or having a potential conflict of interest:

a) certification, including information meetings, planning meetings, examination of documents, auditing (not internal ISMS auditing or internal security reviews) and follow up of non-conformities;

b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies should confine themselves to the provision of generic information and advice which is freely available in the public domain, i.e. they should not provide company-specific advice which contravenes the requirements of c) below;

c) making available or publishing on request information describing the certification body's interpretation of the requirements of the certification audit standards;

d) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities should not result in the provision of recommendations or advice that would contravene this clause, and the certification body should be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;

e) performing second and third party audits according to standards or regulations other than those being part of the scope of accreditation;

f) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement as they become evident during the audit, without recommending specific solutions.

The certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit of the client organization's ISMS subject to certification.

5.3 Liability and financing

The requirements from ISO/IEC 17021:2006, Clause 5.3 apply.

6 Structural requirements

6.1 Organizational structure and top management

The requirements from ISO/IEC 17021:2006, Clause 6.1 apply.

6.2 Committee for safeguarding impartiality

The requirements from ISO/IEC 17021:2006, Clause 6.2 apply.

7 Resource requirements

7.1 Competence of management and personnel

The requirements from ISO/IEC 17021:2006, Clause 7.1 apply. In addition, the following ISMS-specific requirements and guidance apply.

7.1.1 IS 7.1 Management competence

The essential elements of competence required to perform ISMS certification are to select, provide and manage those individuals whose skills and collective competence are appropriate to the activities to be audited and the related information security issues.

7.1.1.1 Competence analysis and contract review

The certification body shall ensure that it has knowledge of the technological and legal developments relevant to the ISMS of the client organization which it assesses.

The certification body shall have an effective system for the analysis of the competencies in information security management which it needs to have available, with respect to all the technical areas in which it operates.

For each client, the certification body shall be able to demonstrate that it has performed a competence analysis (assessment of skills in response to evaluated needs) of the requirements of each relevant sector prior to undertaking the contract review. The certification body shall then review the contract with the client organization, based on the results of this competence analysis. In particular, the certification body shall be able
