INTERNATIONAL STANDARD

Similar documents
Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

This document is a preview generated by EVS

INTERNATIONAL STANDARD

Information technology Security techniques Application security. Part 5: Protocols and application security controls data structure

Information technology Security techniques Sector-specific application of ISO/IEC Requirements

Information technology Security techniques Mapping the revised editions of ISO/IEC and ISO/IEC 27002

Information technology Extensions of Office Open XML file formats. Part 1: Guidelines

This document is a preview generated by EVS

Information technology Service management. Part 10: Concepts and terminology

Information technology Governance of IT Governance of data. Part 1: Application of ISO/IEC to the governance of data

Part 1: Numbering system

Information technology Security techniques Cryptographic algorithms and security mechanisms conformance testing

Systems and software engineering Information technology project performance benchmarking framework. Part 4:

Information technology Multimedia service platform technologies. Part 3: Conformance and reference software

Information technology Automatic identification and data capture techniques PDF417 bar code symbology specification

Information technology Identification cards Biometric System-on-Card. Part 3: Logical information interchange mechanism

Mobile robots Vocabulary

This document is a preview generated by EVS

This document is a preview generated by EVS

Solid biofuels Determination of mechanical durability of pellets and briquettes. Part 1: Pellets

Technical product documentation Design for manufacturing, assembling, disassembling and end-of-life processing. Part 1:

Information technology Security techniques Guidance on the integrated implementation of ISO/IEC and ISO/IEC

This document is a preview generated by EVS

Systems and software engineering Framework for categorization of IT systems and software, and guide for applying it

INTERNATIONAL STANDARD

This document is a preview generated by EVS

Information technology Service management. Part 11: Guidance on the relationship between ISO/IEC :2011 and service management frameworks: ITIL

Information technology Cloud computing Service level agreement (SLA) framework. Part 3: Core conformance requirements

Technical Specification C++ Extensions for Coroutines

Tool holders with rectangular shank for indexable inserts. Part 14: Style H

Identification cards Optical memory cards Holographic recording method. Part 3: Optical properties and characteristics

Packaging Distribution packaging Graphical symbols for handling and storage of packages

This document is a preview generated by EVS

Software engineering Guidelines for the application of ISO 9001:2008 to computer software

Information technology IT asset management Overview and vocabulary

Information technology Programming languages, their environments and system software interfaces Guidelines for language bindings

Information technology Process assessment Process measurement framework for assessment of process capability

This document is a preview generated by EVS

This document is a preview generated by EVS

Sýnishorn. Information technology Dynamic adaptive streaming over HTTP (DASH) Part 1: Media presentation description and segment formats

This document is a preview generated by EVS

Information technology Process assessment Concepts and terminology

This document is a preview generated by EVS

This document is a preview generated by EVS

Part 6: Earth-moving machinery Safety. Requirements for dumpers. Engins de terrassement Sécurité Partie 6: Exigences applicables aux tombereaux

This document is a preview generated by EVS

Part 5: Hash-functions

Information technology Service management. Part 10: Concepts and vocabulary

This document is a preview generated by EVS

ISO/IEC Information technology Open Systems Interconnection The Directory. Part 9: Replication

Medical devices Quality management Medical device nomenclature data structure

Information technology Security techniques Blind digital signatures. Part 1: General

This document is a preview generated by EVS

Information technology Office equipment Method for Measuring Scanning Productivity of Digital Multifunctional Devices

This document is a preview generated by EVS

This document is a preview generated by EVS

Information technology Security techniques Information security controls for the energy utility industry

This document is a preview generated by EVS

Dentistry Polymer-based pit and fissure sealants

Implants for surgery Metallic materials. Part 7: Forgeable and cold-formed cobaltchromium-nickel-molybdenum-iron. alloy

ISO/IEC INTERNATIONAL STANDARD

This document is a preview generated by EVS

Information Technology Real Time Locating System (RTLS) Device Conformance Test Methods. Part 62:

This document is a preview generated by EVS

Information technology Realtime locating system (RTLS) device performance test methods. Part 62:

PROOF/ÉPREUVE. Safety of machinery Relationship with ISO Part 1: How ISO relates to type-b and type-c standards

Graphical symbols Safety colours and safety signs Registered safety signs

This document is a preview generated by EVS

Information technology Office equipment Method for measuring digital printing productivity

This document is a preview generated by EVS

This document is a preview generated by EVS

This document is a preview generated by EVS

Sýnishorn ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

Road vehicles Local Interconnect Network (LIN) Part 7: Electrical Physical Layer (EPL) conformance test specification

This document is a preview generated by EVS

This document is a preview generated by EVS

Ergonomics of human-system interaction. Part 333: Stereoscopic displays using glasses

This document is a preview generated by EVS

This document is a preview generated by EVS

This document is a preview generated by EVS

Graphic technology Colour data exchange format (CxF/X) Part 2: Scanner target data (CxF/X-2)

This document is a preview generated by EVS

This document is a preview generated by EVS

Part 1: Overview and concepts

ISO/IEC INTERNATIONAL STANDARD. General requirements for the competence of testing and calibration laboratories

Tool holders with rectangular shank for indexable inserts. Part 12: Style S

Information technology Scalable compression and coding of continuous-tone still images. Part 1:

This document is a preview generated by EVS

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management

Part 5: Face image data

Identification cards Optical memory cards Holographic recording method. Part 2: Dimensions and location of accessible optical area

This document is a preview generated by EVS

Part 7: Selected object classes

Data structures for electronic product catalogues for building services. Part 2: Geometry

Information technology Automatic identification and data capture techniques Bar code verifier conformance specification. Part 2:

Part 6: Fall cone test

Information technology MPEG systems technologies. Part 8: Coding-independent code points

This document is a preview generated by EVS

This document is a preview generated by EVS

This document is a preview generated by EVS

Transcription:

INTERNATIONAL STANDARD ISO/IEC 27006 Third edition 2015-10-01 Information technology Security techniques Requirements for bodies providing audit and management systems Technologies de l information Techniques de sécurité Exigences systèmes de management de la sécurité de l information Reference number ISO/IEC 27006:2015(E) ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland the requester. Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 www.iso.org ii ISO/IEC 2015 All rights reserved

Contents Page Foreword...v Introduction...vi 1 Scope... 1 2 Normative references... 1... 1 4 Principles... 1 5 General requirements... 2 5.1 Legal and contractual matters... 2... 2... 2... 2 6 Structural requirements... 2 7 Resource requirements... 2 7.1 Competence of personnel... 2 7.1.1 IS 7.1.1 General considerations... 3 7.1.2 IS 7.1.2 Determination of Competence Criteria... 3... 6 7.2.1 IS 7.2 Demonstration of auditor knowledge and experience... 6 7.3 Use of individual external auditors and external technical experts... 7 7.3.1 IS 7.3 Using external auditors or external technical experts as part of the audit team... 7 7.4 Personnel records... 7 7.5 Outsourcing... 7 8 Information requirements... 8 8.1 Public information... 8... 8... 8... 8... 8 8.4.1 IS 8.4 Access to organizational records... 8... 8 9 Process requirements... 8... 8 9.1.1 Application... 8 9.1.2 Application review... 9 9.1.3 Audit programme... 9 9.1.4 Determining audit time...10 9.1.5 Multi-site sampling...10...11 9.2 Planning audits...11 9.2.1 Determining audit objectives, scope and criteria...11 9.2.2 Audit team selection and assignments...12 9.2.3 Audit plan...12...13...13 9.4 Conducting audits...14 9.4.1 IS 9.4 General...14...14 9.4.3 IS 9.4 Audit report...14...15...15 ISO/IEC 2015 All rights reserved iii

...15 9.6.1 General...15 9.6.2 Surveillance activities...15...16 9.6.4 Special audits...17...17 9.7 Appeals...17 9.8 Complaints...17 9.8.1 IS 9.8 Complaints...17 9.9 Client records...17...17 10.1 Options...17 10.1.1 IS 10.1 ISMS implementation...17...17...17 Annex A (informative)...18 Annex B (normative) Audit time...20 Annex C (informative) Methods for audit time calculations...25 Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2013, Annex A controls...28 Bibliography...35 iv ISO/IEC 2015 All rights reserved

Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical members of ISO or IEC participate in the development of International Standards through technical organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). constitute an endorsement. assessment, as well as information about ISO s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques. Information technology, Subcommittee SC 27, IT Security techniques. This third edition cancels and replaces the second edition (ISO/IEC 27006:2011), which has been ISO/IEC 2015 All rights reserved v

Introduction this International Standard. The text in this International Standard follows the structure of ISO/IEC 17021-1 and the additional used to indicate recommendation. vi ISO/IEC 2015 All rights reserved

This is a free preview. Purchase the entire publication at the link below: ISO/IEC 27006:2015 - PDF his is a free 6 page sample. Access the full version online. Looking for additional Standards? Visit SAI Global Infostore Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Need to speak with a Customer Service Representative - Contact Us

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback