ISO/IEC 27006, ISMS certification guide

ISO/IEC 27006, What Is It?

ISO/IEC 27006, is the guide for certification bodies in terms of the formal procedures that should be implemented when auditing Information Security Management Systems.

The procedures outlined within the standard ensure the credibility of the ISO 27001 certificate. ISO 27006 is specifically responsible for defining the standards and including a manual for conducting the audit and validation of the system.

This means that any organisation that is accredited to ISO 27001 must also adhere to the ISO 27006 standard’s specifications. Its primary goal, though, is to assist in the accreditation of certification bodies that provide ISMS certification.

See our simple, powerful platform in action

What is the purpose of ISO/IEC 27006?

The main goal of ISO 27006 is to make it easier for third parties to certify information security management systems.

To ensure that ISMS certifications are valid, any certified third-party auditing and verifying compliance with ISO 27001 must meet the criteria of this standard.

ISO 27006 establishes criteria for demonstrating the expertise of ISMS auditors. As a Certification Body audits an ISMS, it must make sure that each auditor on the auditing team is familiar with:

  • Monitoring, assessment, interpretation and review of the ISMS
  • Information security
  • Management processes
  • Auditing standards
  • Technical knowledge of the audited systems

The team’s auditors must all be familiar with information systems management concepts, standards, and techniques. They must be familiar with all ISO 27001 standards, as well as all ISO 27002 controls. Auditors must also be familiar with business management standards as well as legal and regulatory criteria in a specific information systems field.

Personnel reviewing audits and making qualification assessments must also show competence. They must have adequate experience to validate the certification scope’s accuracy. They must also be familiar with control systems, audit processes, standards, and techniques.

ISO27006 further specifies the appropriate level of education, professional training and relevant experience needed for ISMS audits.

See who we’ve already helped

How to show compliance with ISO 27006

Any organisation pursuing ISO 27001 certification must retain the services of an approved certification authority to conduct an ISMS certification audit.

The organisation should do due diligence to ensure that the auditing company hired is ISO27006:2015 compliant. Throughout the audit, the organisation must guarantee that all paperwork needed to finish the audit is available, as well as furnish the auditing team with ISMS records, including but not limited to information regarding the ISMS’s design and control efficacy.

ISO 27006 can be used as a reference standard for accreditation, peer review, and other auditing procedures. Its major objective, however, is to assist in the accreditation of certifying bodies that provide ISMS certification.

We needed ISO 27001 to win new corporate clients and we needed it quickly. As a small business with limited resources, we were looking for a one-stop solution to radically speed up our implementation. has done exactly that.

Evan Harris



What other standards do ISO 27006 work with?

ISO 27006 is designed to be used in combination with a variety of other standards. These include, but are not limited to, ISO 27001, ISO 17021, and ISO 19011.

  1. ISO 27001

    ISO 27001 is an international standard for information security management. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) first released the standard in 2005 and then amended it in 2013.

    It specifies the standards for creating, implementing, maintaining, and continuously developing an information security management system (ISMS) with the objective of assisting companies in securing their information assets. In 2017, the European Union announced an update to the standard.

    Following successful completion of an audit, organisations that satisfy the requirements of the standard may opt to be certified by a recognised certification authority.

  2. ISO 27021

    ISO 17021 is an International Standard that establishes guidelines for Certification Bodies (CB) to guarantee that their management system certification process is conducted competently, consistently, and impartially.

    This International Standard establishes a generic set of requirements for management system auditing, with the objective of obtaining a reliable determination of compliance to the applicable certification requirements, conducted by a competent audit team equipped with sufficient resources and following a standard procedure, with consistent reporting of results.

    It was developed to address the need for an International Standard that would facilitate the recognition of bodies conducting compliance assessments and the recognition of their certifications on a national and international level, thereby facilitating the acknowledgement of management system certification for the purposes of international trade.

  3. ISO 19011

    ISO 19011 is a standard that establishes auditing requirements for management systems. The standard provides recommendations on administering an audit programme, auditing principles, and evaluating persons responsible for audit programme management. An audit programme is made up of the preparations necessary to conduct all of the individual audits required to accomplish a specified objective, in this case, an ISO certification.

    ISO 19011 contains helpful guidance on how to systematically enhance an audit programme, just as other departments within a company are expected to do. One part of such improvement is ensuring that the audit program’s objectives align with the management system’s goals and objectives on a constant basis.

Why the relationship between ISO 27006, ISO 27001, ISO 27021 and ISO 19011?

Any appropriately authorised entity that issues ISO 27001 compliance certifications must meet the standards of ISO 27006, ISO 17021, and ISO 19011 on their competence, appropriateness, and reliability to execute their task effectively.

This is important to guarantee that issued ISO 27001 compliance certifications are meaningful and accurately reflect that the company has complied with all of ISO 27001’s requirements.

If anyone could issue certificates without adhering to the certification processes covered in this standard, non-compliant organisations could theoretically purchase their ISMS certificates or simply certify themselves rather than demonstrate compliance. This happening can effectively discredit the entire certification system.

ISO 27001 certification – What is it?

ISO 27001 certification confirms that your organisation has made significant investments in people, processes, and technology (e.g., tools and systems) to safeguard its data and services. an impartial, expert assessment of the level of protection afforded to your data.

How does an information security management system work?

The term “information security management system” refers to a system that manages information security. An ISMS is a detailed management system comprised of a collection of security rules designed to safeguard the confidentiality, availability, and integrity of assets against threats and vulnerabilities.

Which is the initial step in the development of an ISMS?

Your initial action should be to choose a project leader to manage the ISMS’s implementation. They should possess a broad understanding of information security and the authority to lead a team and provide directives to management (whose departments they will need to review).

Why is it critical for an ISMS to establish an internal audit programme?

Conducting frequent internal audits demonstrates to the company and the certification authority that the Information Security Management System is being reviewed on a constant basis (ISMS). Internal audits act as a reminder to employees that regulatory compliance is a corporate priority.

What audit evidences does an auditor look for when verifying an organization’s compliance with ISO 27001?

The auditor will examine how the company has identified and documented its legal, regulatory, and contractual duties; the responsibilities for complying with such requirements; and any appropriate policies, processes, and other controls for complying with such requirements.

How can make implementing ISO 27006 easy

At, we make it easy for you to document your Information Security Governance so that it is in line with the ISO 27006 standard. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its infosec governance processes and progress against the ISO 27006 standard.

Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27006 implementation so that you can demonstrate your dedication to information security governance best practices. Call on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27001.

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.

What kind of help do you need from us?

New to information security?

We have everything you need to design, build and implement your first ISMS.

Find out more

Ready to transform your ISMS?

We’ll help you get more out of the infosec work you’ve already done.

Find out more

Want to unleash your infosec expertise?

With our platform you can build the ISMS your organisation really needs.

Find out more

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27009

  • 8

    ISO 27010

  • 9

    ISO 27014

  • 11

    ISO 27013

  • 12

    ISO 27016

  • 13

    ISO 27017

  • 14

    ISO 27018

  • 15

    ISO 27019

  • 16

    ISO 27038

  • 17

    ISO 27039

  • 18

    ISO 27040

  • 19

    ISO 27050

  • 20

    ISO 27102