ISO/IEC 27006:2015 - Information technology - Security techniques
Certification bodies may carry out the following duties without them being considered as consultancy or having a potential conflict of interest:
a) arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, certification bodies shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;
b) making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see 9.1.3.6);
c) activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and the certification body shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
d) performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
e) adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement as they become evident during the audit, without recommending specific solutions.
The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
The audit team shall be competent to trace indications of information security incidents in the client’s ISMS back to the appropriate elements of the ISMS.
The audit team shall have appropriate work experience of the items above and practical application of these items (this does not mean that an auditor needs a complete range of experience of all areas of information security, but the audit team as a whole shall have enough appreciation and experience to cover the ISMS scope being audited).