RINA announced that a new amendment for the EN-ISO-IEC 27006 was published. The standard defines the requirements for the bodies providing audits and certification of information security management systems.
In 2020, amendment 1 of the EN-ISO-IEC 27006:2020 standard “Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems” was published.
The main requirements of the previous 2015 version have been confirmed; the points with the greatest impact on certified organizations are:
- The calculation of the audit duration: the starting point for determining the audit time is the total number of people who, within the scope of the certification, carry out work under the control of the organization, counted across all shifts.
- The possibility of reporting on the certificate the national and international standards (other than ISO/IEC 27001) from which the controls included in the Statement of Applicability originate.
The reference to these standards will be reported as an informative note specifying that they are not part of the certification issued (see the revised Information Security Management Systems Certification Regulation and the guidelines for ISO/IEC 27xxx extensions, RC/C 56).