ISO/IEC 27006, ISMS certification guide

What is the purpose of ISO/IEC 27006?

The main goal of ISO 27006 is to make it easier for third parties to certify information security management systems.

To ensure that ISMS certifications are valid, any certified third-party auditing and verifying compliance with ISO 27001 must meet the criteria of this standard.

ISO 27006 establishes criteria for demonstrating the expertise of ISMS auditors. As a Certification Body audits an ISMS, it must make sure that each auditor on the auditing team is familiar with:

• Monitoring, assessment, interpretation and review of the ISMS
• Information security
• Management processes
• Auditing standards
• Technical knowledge of the audited systems

The team’s auditors must all be familiar with information systems management concepts, standards, and techniques. They must be familiar with all ISO 27001 standards, as well as all ISO 27002 controls. Auditors must also be familiar with business management standards as well as legal and regulatory criteria in a specific information systems field.

Personnel reviewing audits and making qualification assessments must also show competence. They must have adequate experience to validate the certification scope’s accuracy. They must also be familiar with control systems, audit processes, standards, and techniques.

ISO27006 further specifies the appropriate level of education, professional training and relevant experience needed for ISMS audits.

How to show compliance with ISO 27006

Any organisation pursuing ISO 27001 certification must retain the services of an approved certification authority to conduct an ISMS certification audit.

The organisation should do due diligence to ensure that the auditing company hired is ISO27006:2015 compliant. Throughout the audit, the organisation must guarantee that all paperwork needed to finish the audit is available, as well as furnish the auditing team with ISMS records, including but not limited to information regarding the ISMS’s design and control efficacy.

ISO 27006 can be used as a reference standard for accreditation, peer review, and other auditing procedures. Its major objective, however, is to assist in the accreditation of certifying bodies that provide ISMS certification.

Why the relationship between ISO 27006, ISO 27001, ISO 27021 and ISO 19011?

Any appropriately authorised entity that issues ISO 27001 compliance certifications must meet the standards of ISO 27006, ISO 17021, and ISO 19011 on their competence, appropriateness, and reliability to execute their task effectively.

This is important to guarantee that issued ISO 27001 compliance certifications are meaningful and accurately reflect that the company has complied with all of ISO 27001’s requirements.

If anyone could issue certificates without adhering to the certification processes covered in this standard, non-compliant organisations could theoretically purchase their ISMS certificates or simply certify themselves rather than demonstrate compliance. This happening can effectively discredit the entire certification system.

How ISMS.online can make implementing ISO 27006 easy

At ISMS.online, we make it easy for you to document your Information Security Governanace so that it is in line with the ISO 27006 standard. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its infosec governance processes and progress against the ISO 27006 standard.

Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27006 implementation so that you can demonstrate your dedication to information security governance best practices. Call ISMS.online on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27001.