1、BSI Standards PublicationPD ISO/IEC TS 17021-6:2014Conformity assessment Requirements forbodies providing audit andcertification of managementsystemsPart 6: Competence requirements forauditing and certification of businesscontinuity management systemsPD ISO/IEC TS 17021-6:2014 PUBLISHED DOCUMENTNati
2、onal forewordThis Published Document is the UK implementation of ISO/IEC TS17021-6:2014.The UK participation in its preparation was entrusted to TechnicalCommittee BCM/1/-/12, Development of ISO/IEC TS 17021-6.A list of organizations represented on this committee can beobtained on request to its sec
3、retary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 86360 8ICS 03.100.01; 03.120.20Compliance with a British Stand
4、ard cannot confer immunity fromlegal obligations.This Published Document was published under the authority of theStandards Policy and Strategy Committee on 31 December 2014.Amendments issued since publicationDate Text affectedPD ISO/IEC TS 17021-6:2014Conformity assessment Requirements for bodies pr
5、oviding audit and certification of management systems Part 6: Competence requirements for auditing and certification of business continuity management systemsvaluation de la conformit Exigences pour les organismes procdant laudit et la certification des systmes de management Partie 6: Exigences de c
6、omptence pour laudit et la certification des systmes de management de la continuit dactivit ISO 2014TECHNICAL SPECIFICATIONISO/IECTS17021-6First edition2014-12-01Reference numberISO/IEC TS 17021-6:2014(E)PD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E)ii ISO 2014 All rights reservedCOPYRIGHT PRO
7、TECTED DOCUMENT ISO 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Per
8、mission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandPD ISO/IEC TS 17021-6:2014IS
9、O/IEC TS 17021-6:2014(E) ISO 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Generic competence requirements . 15 Competence requirements for BCMS auditors and personnel reviewing audit reports and making certification
10、 decisions . 25.1 General . 25.2 Business continuity management (BCM) terminology 25.3 Context of an organization 25.4 Applicable laws, regulations and other requirements 25.5 Relationships within the business continuity management process . 25.6 Business impact analysis and risk assessment . 25.7 B
11、usiness continuity strategies . 35.8 Incident management . 35.9 Business continuity plans 35.10 Business continuity exercises 35.11 BCMS performance evaluation 36 Competence requirements for personnel conducting the application review to determine audit team competence required, to select the audit
12、team members, and to determine the audit time . 46.1 General . 46.2 BCM terminology 46.3 Context of an organization 46.4 Relationships within the business continuity management process . 4Annex A (informative) Knowledge for BCMS auditing and certification . 5Bibliography 6PD ISO/IEC TS 17021-6:2014I
13、SO/IEC TS 17021-6:2014(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International
14、Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO
15、 and IEC, also take part in the work. In the field of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the development of International Standards and Guides.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, P
16、art 2.Draft International Standards are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.In other circumstances, particularly when there is an urgent market requirement for such documents,
17、a technical committee may decide to publish other types of document: an ISO/IEC Publicly Available Specification (ISO/IEC PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the parent co
18、mmittee casting a vote; an ISO/IEC Technical Specification (ISO/IEC TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote.An ISO/PAS or ISO/TS is reviewed after three years in o
19、rder to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be
20、withdrawn.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.ISO/IEC/TS 17021-6 was prepared by the ISO Committee on conformity assessment (CASCO).ISO/IE
21、C 17021 consists of the following parts, under the general title Conformity assessment Requirements for bodies providing audit and certification of management systems: Part 2: Competence requirements for auditing and certification of environmental management systems Technical Specification Part 3: C
22、ompetence requirements for auditing and certification of quality management systems Technical Specification Part 4: Competence requirements for auditing and certification of event sustainability management systems Technical Specification Part 5: Competence requirements for auditing and certification
23、 of asset management systems Technical Specification Part 6: Competence requirements for auditing and certification of business continuity management systems Technical Specification Part 7: Competence requirements for auditing and certification of road traffic safety management systems Technical Spe
24、cificationThe next revision of ISO/IEC 17021:2011 will reflect the different parts and will become ISO/IEC 17021-1.iv ISO 2014 All rights reservedPD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E)IntroductionThis Technical Specification complements ISO/IEC 17021:2011. In particular, it clarifies t
25、he requirements for the competence of personnel involved in the certification process set out in ISO/IEC 17021:2011, Annex A.The guiding principles in ISO/IEC 17021:2011, Clause 4, are the basis for the requirements in this Technical Specification.Certification bodies have a responsibility to intere
26、sted parties, including their clients and the customers of the organizations whose management systems are certified, to ensure that business continuity management system (BCMS) certification is credible by only using certification personnel that have demonstrated relevant competence.BCMS certificati
27、on personnel need to have the generic competencies described in ISO/IEC 17021:2011, as well as the specific BCMS competencies described in this Technical Specification.Certification bodies will need to identify the specific audit team competence needed for the scope of each BCMS audit.In this Techni
28、cal Specification, the following verbal forms are used: “shall” indicates a requirement; “should” indicates a recommendation; “may” indicates a permission; “can” indicates a possibility or a capability.Further details can be found in the ISO/IEC Directives, Part 2.For the purposes of research, users
29、 are encouraged to share their views on this Technical Specification and their priorities for changes to future editions. Click on the link below to take part in the online survey:https:/ ISO 2014 All rights reserved vPD ISO/IEC TS 17021-6:2014PD ISO/IEC TS 17021-6:2014Conformity assessment Requirem
30、ents for bodies providing audit and certification of management systems Part 6: Competence requirements for auditing and certification of business continuity management systems1 ScopeThis Technical Specification complements the existing requirements of ISO/IEC 17021:2011. It includes specific compet
31、ence requirements for personnel involved in the certification process for business continuity management systems (BCMS).2 Normative referencesThe following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, onl
32、y the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 17000, Conformity assessment Vocabulary and general principlesISO/IEC 17021:2011, Conformity assessment Requirements for bodies providing audit and certificat
33、ion of management systemsISO 22301, Societal security Business continuity management systems - RequirementsISO 22300, Societal security Terminology3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301, ISO/IEC 17000 and ISO/IEC 17021:2011 a
34、pply.4 Generic competence requirementsThe certification body shall define the competence requirements for each certification function as referenced in ISO/IEC 17021:2011, Table A.1. When defining these competence requirements, the certification body shall take into account all the requirements speci
35、fied in ISO/IEC 17021:2011, as well as those specified in Clauses 5 and 6 of this Technical Specification.NOTE 1 Annex A provides an informative summary of the competence requirements for personnel involved in specific certification functions.NOTE 2 Information on the principles of auditing is provi
36、ded in ISO 19011.TECHNICAL SPECIFICATION ISO/IEC TS 17021-6:2014(E) ISO 2014 All rights reserved 1PD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E)5 Competence requirements for BCMS auditors and personnel reviewing audit reports and making certification decisions5.1 GeneralAll personnel involved
37、in BCMS auditing and personnel reviewing audit reports and making certification decisions shall have a level of competence that includes the generic competencies described in ISO/IEC 17021:2011, as well as the BCMS knowledge described in 5.2 to 5.11.NOTE 1 It is not necessary for each auditor in the
38、 audit team to have the same competence, however, the collective competence of the audit team needs to be sufficient to achieve the audit objectives.NOTE 2 Although the elements of the knowledge requirements are the same, it is recognized that the level of detail can be different for auditors and pe
39、rsonnel reviewing audit reports and making certification decisions. It is the responsibility of each individual certification body to define this.5.2 Business continuity management (BCM) terminologyThe audit team and those reviewing the audit reports and making certification decisions shall have kno
40、wledge of BCM and risk terms, definitions and concepts.5.3 Context of an organizationThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of the context in which an organization operates.5.4 Applicable laws, regulations and other requirementsTh
41、e audit team and those reviewing the audit reports and making certification decisions shall have knowledge to determine whether an organization has identified and evaluated its compliance with applicable legal and other requirements.NOTE 1 Statutory and regulatory requirements can be expressed as le
42、gal requirements.NOTE 2 Other requirements can include voluntary national, international and sector-specific protocols.5.5 Relationships within the business continuity management processThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of th
43、e interrelationships between BCM elements.5.6 Business impact analysis and risk assessmentThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of business impact analysis (BIA), including: methodologies and techniques; identification of activit
44、ies that deliver products and services; assessment of impacts over time, and identifying when these become unacceptable; setting prioritized timescales for resumption; identifying dependencies and supporting resources.The audit team and those reviewing the audit reports and making certification deci
45、sions shall have knowledge of risk assessment and risk management, including: methodologies and techniques;2 ISO 2014 All rights reservedPD ISO/IEC TS 17021-6:2014ISO/IEC TS 17021-6:2014(E) identification, analysis and evaluation of risks related to disruptive incidents; effectiveness of the existin
46、g controls; identification of appropriate risk treatments.5.7 Business continuity strategiesThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of strategies and methodologies for reducing the impact and the likelihood of disruptive incidents,
47、 including: strategy development; preparedness measures; selection of alternative strategies; cost/benefit analysis of continuity strategies; coordination approaches with external stakeholders; incident response; communications; command and control; coordination of responding organizations; recovery
48、 and restoration.5.8 Incident managementThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of incident management measures to determine whether an organization has identified appropriate responses to disruptive incidents, including warning an
49、d communication needs.They shall have knowledge to evaluate an organizations effectiveness in testing its incident management capability.5.9 Business continuity plansThe audit team and those reviewing the audit reports and making certification decisions shall have knowledge of business continuity plans, their establishment, development, maintenance, purpose, formats, structure and procedural detail.5.10 Business continuity exercisesThe audit team and those
