1、BSI Standards Publication PD ISO/IEC TS 17021-6:2014 Conformity assessment Requirements for bodies providing audit and certification of management systems Part 6: Competence requirements for auditing and certification of business continuity management systemsPD ISO/IEC TS 17021-6:2014 PUBLISHED DOCU
2、MENT National foreword This Published Document is the UK implementation of ISO/IEC TS 17021-6:2014. The UK participation in its preparation was entrusted to Technical Committee BCM/1/-/12, Development of ISO/IEC TS 17021-6. A list of organizations represented on this committee can be obtained on req
3、uest to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 86360 8 ICS 03.100.01; 03.120.20 Complianc
4、e with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 December 2014. Amendments issued since publication Date Text affectedPD ISO/IEC TS 17021-6:2014 Conformity assessmen
5、t Requirements for bodies providing audit and certification of management systems Part 6: Competence requirements for auditing and certification of business continuity management systems valuation de la conformit Exigences pour les organismes procdant laudit et la certification des systmes de manage
6、ment Partie 6: Exigences de comptence pour laudit et la certification des systmes de management de la continuit dactivit ISO 2014 TECHNICAL SPECIFICATION ISO/IEC TS 17021-6 First edition 2014-12-01 Reference number ISO/IEC TS 17021-6:2014(E)PD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E)ii ISO
7、2014 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO 2014 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet
8、, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Publis
9、hed in SwitzerlandPD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E) ISO 2014 All rights reserved iii Contents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 Terms and definitions . 1 4 Generic competence requirements . 1 5 Competence requirements for BCMS auditors and pers
10、onnel reviewing audit reports and making certification decisions . 2 5.1 General . 2 5.2 Business continuity management (BCM) terminology 2 5.3 Context of an organization 2 5.4 Applicable laws, regulations and other requirements 2 5.5 Relationships within the business continuity management process .
11、 2 5.6 Business impact analysis and risk assessment . 2 5.7 Business continuity strategies . 3 5.8 Incident management . 3 5.9 Business continuity plans 3 5.10 Business continuity exercises 3 5.11 BCMS performance evaluation 3 6 Competence requirements for personnel conducting the application review
12、 to determine audit team competence required, to select the audit team members, and to determine the audit time . 4 6.1 General . 4 6.2 BCM terminology 4 6.3 Context of an organization 4 6.4 Relationships within the business continuity management process . 4 Annex A (informative) Knowledge for BCMS
13、auditing and certification . 5 Bibliography 6PD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that
14、are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other internati
15、onal organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the development of International Standards and Guides. International Standards
16、are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. Draft International Standards are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In other circumstances,
17、 particularly when there is an urgent market requirement for such documents, a technical committee may decide to publish other types of document: an ISO/IEC Publicly Available Specification (ISO/IEC PAS) represents an agreement between technical experts in an ISO working group and is accepted for pu
18、blication if it is approved by more than 50 % of the members of the parent committee casting a vote; an ISO/IEC Technical Specification (ISO/IEC TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the com
19、mittee casting a vote. An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at
20、which time it must either be transformed into an International Standard or be withdrawn. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/IEC/TS 1
21、7021-6 was prepared by the ISO Committee on conformity assessment (CASCO). ISO/IEC 17021 consists of the following parts, under the general title Conformity assessment Requirements for bodies providing audit and certification of management systems: Part 2: Competence requirements for auditing and ce
22、rtification of environmental management systems Technical Specification Part 3: Competence requirements for auditing and certification of quality management systems Technical Specification Part 4: Competence requirements for auditing and certification of event sustainability management systems Techn
23、ical Specification Part 5: Competence requirements for auditing and certification of asset management systems T echnical Specification Part 6: Competence requirements for auditing and certification of business continuity management systems Technical Specification Part 7: Competence requirements for
24、auditing and certification of road traffic safety management systems Technical Specification The next revision of ISO/IEC 17021:2011 will reflect the different parts and will become ISO/IEC 17021- 1.iv ISO 2014 All rights reservedPD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E) Introduction This
25、 Technical Specification complements ISO/IEC 17021:2011. In particular, it clarifies the requirements for the competence of personnel involved in the certification process set out in ISO/IEC 17021:2011, Annex A. The guiding principles in ISO/IEC 17021:2011, Clause 4, are the basis for the requiremen
26、ts in this Technical Specification. Certification bodies have a responsibility to interested parties, including their clients and the customers of the organizations whose management systems are certified, to ensure that business continuity management system (BCMS) certification is credible by only u
27、sing certification personnel that have demonstrated relevant competence. BCMS certification personnel need to have the generic competencies described in ISO/IEC 17021:2011, as well as the specific BCMS competencies described in this Technical Specification. Certification bodies will need to identify
28、 the specific audit team competence needed for the scope of each BCMS audit. In this Technical Specification, the following verbal forms are used: “shall” indicates a requirement; “should” indicates a recommendation; “may” indicates a permission; “can” indicates a possibility or a capability. Furthe
29、r details can be found in the ISO/IEC Directives, Part 2. For the purposes of research, users are encouraged to share their views on this Technical Specification and their priorities for changes to future editions. Click on the link below to take part in the online survey: https:/ / ISO 2014 All rig
30、hts reserved vPD ISO/IEC TS 17021-6:2014PD ISO/IEC TS 17021-6:2014Conformity assessment Requirements for bodies providing audit and certification of management systems Part 6: Competence requirements for auditing and certification of business continuity management systems 1 Scope This Technical Spec
31、ification complements the existing requirements of ISO/IEC 17021:2011. It includes specific competence requirements for personnel involved in the certification process for business continuity management systems (BCMS). 2 Normative references The following documents, in whole or in part, are normativ
32、ely referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17000, Conformity assessment Vocabulary and general princ
33、iples ISO/IEC 17021:2011, Conformity assessment Requirements for bodies providing audit and certification of management systems ISO 22301, Societal security Business continuity management systems - Requirements ISO 22300, Societal security Terminology 3 Terms and definitions For the purposes of this
34、 document, the terms and definitions given in ISO 22300, ISO 22301, ISO/IEC 17000 and ISO/IEC 17021:2011 apply. 4 Generic competence requirements The certification body shall define the competence requirements for each certification function as referenced in ISO/IEC 17021:2011, Table A.1. When defin
35、ing these competence requirements, the certification body shall take into account all the requirements specified in ISO/IEC 17021:2011, as well as those specified in Clauses 5 and 6 of this Technical Specification. NOTE 1 Annex A provides an informative summary of the competence requirements for per
36、sonnel involved in specific certification functions. NOTE 2 Information on the principles of auditing is provided in ISO 19011. TECHNICAL SPECIFICATION ISO/IEC TS 17021-6:2014(E) ISO 2014 All rights reserved 1PD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E) 5 Competence requirements for BCMS aud
37、itors and personnel reviewing audit reports and making certification decisions 5.1 General All personnel involved in BCMS auditing and personnel reviewing audit reports and making certification decisions shall have a level of competence that includes the generic competencies described in ISO/IEC 170
38、21:2011, as well as the BCMS knowledge described in 5.2 to 5.11. NOTE 1 It is not necessary for each auditor in the audit team to have the same competence, however, the collective competence of the audit team needs to be sufficient to achieve the audit objectives. NOTE 2 Although the elements of the
39、 knowledge requirements are the same, it is recognized that the level of detail can be different for auditors and personnel reviewing audit reports and making certification decisions. It is the responsibility of each individual certification body to define this. 5.2 Business continuity management (B
40、CM) terminology The audit team and those reviewing the audit reports and making certification decisions shall have knowledge of BCM and risk terms, definitions and concepts. 5.3 Context of an organization The audit team and those reviewing the audit reports and making certification decisions shall h
41、ave knowledge of the context in which an organization operates. 5.4 Applicable laws, regulations and other requirements The audit team and those reviewing the audit reports and making certification decisions shall have knowledge to determine whether an organization has identified and evaluated its c
42、ompliance with applicable legal and other requirements. NOTE 1 Statutory and regulatory requirements can be expressed as legal requirements. NOTE 2 Other requirements can include voluntary national, international and sector-specific protocols. 5.5 Relationships within the business continuity managem
43、ent process The audit team and those reviewing the audit reports and making certification decisions shall have knowledge of the interrelationships between BCM elements. 5.6 Business impact analysis and risk assessment The audit team and those reviewing the audit reports and making certification deci
44、sions shall have knowledge of business impact analysis (BIA), including: methodologies and techniques; identification of activities that deliver products and services; assessment of impacts over time, and identifying when these become unacceptable; setting prioritized timescales for resumption; iden
45、tifying dependencies and supporting resources. The audit team and those reviewing the audit reports and making certification decisions shall have knowledge of risk assessment and risk management, including: methodologies and techniques;2 ISO 2014 All rights reservedPD ISO/IEC TS 17021-6:2014ISO/IEC
46、TS 17021-6:2014(E) identification, analysis and evaluation of risks related to disruptive incidents; effectiveness of the existing controls; identification of appropriate risk treatments. 5.7 Business continuity strategies The audit team and those reviewing the audit reports and making certification
47、 decisions shall have knowledge of strategies and methodologies for reducing the impact and the likelihood of disruptive incidents, including: strategy development; preparedness measures; selection of alternative strategies; cost/benefit analysis of continuity strategies; coordination approaches wit
48、h external stakeholders; incident response; communications; command and control; coordination of responding organizations; recovery and restoration. 5.8 Incident management The audit team and those reviewing the audit reports and making certification decisions shall have knowledge of incident manage
49、ment measures to determine whether an organization has identified appropriate responses to disruptive incidents, including warning and communication needs. They shall have knowledge to evaluate an organizations effectiveness in testing its incident management capability. 5.9 Business continuity plans The audit team and those reviewing the audit reports and making certification decisions shall have knowledge of business
