Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27006:2011 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in ISO/IEC 27006:2011 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in ISO/IEC 27006:2011 provides additional interpretation of these requirements for any body providing ISMS certification.

Technologies de l'information -- Techniques de sécurité -- Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information

Information technology - Security techniques - Requirements for bodies performing auditing and certification of information security management systems

This International Standard specifies requirements and provides guidance for bodies performing auditing and certification of information security management systems (ISMS), and applies in addition to the requirements set out in ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies performing ISMS certification. To meet the requirements contained in this International Standard, every body performing ISMS certification must demonstrate competence and reliability, and the guidance in this International Standard provides additional interpretation of these requirements for every body performing ISMS certification.

General Information

Status
Withdrawn
Public Enquiry End Date
29-Feb-2012
Publication Date
25-Oct-2012
Withdrawal Date
03-Oct-2018
Technical Committee
Current Stage
9900 - Withdrawal (Adopted Project)
Start Date
04-Oct-2018
Due Date
27-Oct-2018
Completion Date
04-Oct-2018

Relations

Buy Standard

Standard
ISO/IEC 27006:2011 - Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
English language
37 pages
Standard
ISO IEC 27006:2012
English language
42 pages
Standard
ISO/IEC 27006:2012
English language
42 pages
Standard – translation
ISO/IEC 27006:2012
Slovenian language
39 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 27006
Second edition
2011-12-01
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
Technologies de l'information — Techniques de sécurité — Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information

Reference number
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2011 – All rights reserved

Contents Page
Foreword . iv
Introduction . v
1  Scope . 1
2  Normative references . 1
3  Terms and definitions . 1
4  Principles . 2
5  General requirements . 2
5.1  Legal and contractual matter . 2
5.2  Management of impartiality . 2
5.3  Liability and financing . 3
6  Structural requirements . 3
6.1  Organizational structure and top management . 3
6.2  Committee for safeguarding impartiality . 3
7  Resource requirements . 3
7.1  Competence of management and personnel . 3
7.2  Personnel involved in the certification activities . 4
7.3  Use of individual external auditors and external technical experts . 6
7.4  Personnel records . 6
7.5  Outsourcing . 6
8  Information requirements . 6
8.1  Publicly accessible information . 6
8.2  Certification documents . 7
8.3  Directory of certified clients . 7
8.4  Reference to certification and use of marks. 7
8.5  Confidentiality . 7
8.6  Information exchange between a certification body and its clients . 7
9  Process requirements . 8
9.1  General requirements . 8
9.2  Initial audit and certification . 11
9.3  Surveillance activities . 15
9.4  Recertification . 16
9.5  Special audits . 16
9.6  Suspending, withdrawing or reducing scope of certification . 16
9.7  Appeals . 17
9.8  Complaints . 17
9.9  Records of applicants and clients . 17
10  Management system requirements for certification bodies . 17
10.1  Options . 17
10.2  Option 1 – Management system requirements in accordance with ISO 9001 . 17
10.3  Option 2 – General management system requirements . 17
Annex A (informative) Analysis of a client organization’s complexity and sector-specific aspects . 19
Annex B (informative) Example areas of auditor competence . 22
Annex C (informative) Audit time . 24
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls . 30


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically
revised.

Introduction
ISO/IEC 17021 sets out criteria for bodies operating audit and certification of organizations' management
systems. If such bodies are to be accredited as complying with ISO/IEC 17021 with the objective of auditing
and certifying information security management systems (ISMS) in accordance with ISO/IEC 27001:2005,
some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided by this
International Standard.
The text in this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific
requirements and guidance on the application of ISO/IEC 17021 for ISMS certification are identified by the
letters “IS”.
The term “shall” is used throughout this International Standard to indicate those provisions which, reflecting
the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term “should” is used to indicate
recommendation.
One aim of this International Standard is to enable accreditation bodies to more effectively harmonize their
application of the standards against which they are bound to assess certification bodies.
NOTE Throughout this International Standard, the terms “management system” and “system” are used interchangeably.
The definition of a management system can be found in ISO 9000:2005. The management system as used in this
International Standard is not to be confused with other types of system, such as IT systems.

INTERNATIONAL STANDARD ISO/IEC 27006:2011(E)

Information technology — Security techniques — Requirements
for bodies providing audit and certification of information
security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and
certification of an information security management system (ISMS), in addition to the requirements contained
within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification
bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence
and reliability by any body providing ISMS certification, and the guidance contained in this International
Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other
audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of
management systems
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
ISO 19011, Guidelines for auditing management systems
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the
following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an
accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS
standards, and any supplementary documentation required under the system

3.3
certification document
document indicating that a client organization's ISMS conforms to specified ISMS standards and any
supplementary documentation required under the system
3.4
mark
legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation
body or of a certification body, indicating that adequate confidence in the systems operated by a body has
been demonstrated or that relevant products or individuals conform to the requirements of a specified
standard
3.5
organization
company, corporation, firm, enterprise, authority or institution, or part or combination thereof, whether
incorporated or not, public or private, that has its own functions and administration and is able to ensure that
information security is exercised
4 Principles
The principles from ISO/IEC 17021:2011, Clause 4 apply.
5 General requirements
5.1 Legal and contractual matter
The requirements from ISO/IEC 17021:2011, Clause 5.1 apply.
5.2 Management of impartiality
The requirements from ISO/IEC 17021:2011, Clause 5.2 apply. In addition, the following ISMS-specific
requirements and guidance apply.
5.2.1 IS 5.2 Conflicts of interest
Certification bodies can carry out the following duties without them being considered as consultancy or having
a potential conflict of interest:
a) certification, including information meetings, planning meetings, examination of documents, auditing (not
internal ISMS auditing or internal security reviews) and follow up of non-conformities;
b) arranging and participating as a lecturer in training courses, provided that, w
...


SLOVENIAN STANDARD
oSIST ISO/IEC 27006:2012
01 February 2012
Information technology - Security techniques - Requirements for bodies performing audits and certification of information security management systems
Technologies de l'information -- Techniques de sécurité -- Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
This Slovenian standard is identical to: ISO/IEC 27006:2011
en, fr, de
ICS:
03.120.20 Product and company certification. Conformity assessment
35.040 Character sets and information coding
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.


SLOVENIAN STANDARD
01 November 2012
Replaces SIST ISO/IEC 27006:2011
Information technology - Security techniques - Requirements for bodies performing auditing and certification of information security management systems
Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
Technologies de l'information -- Techniques de sécurité -- Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information
This Slovenian standard is identical to: ISO/IEC 27006:2011
ICS:
03.120.20 Product and company certification. Conformity assessment
35.040 Character sets and information coding
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.


SLOVENIAN STANDARD SIST ISO/IEC 27006
November 2012
Information technology – Security techniques – Requirements for bodies performing auditing and certification of information security management systems
Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
Technologies de l'information – Techniques de sécurité – Exigences pour les organismes procédant à l'audit et à la certification des systèmes de management de la sécurité de l'information

Reference number
ICS 03.120.20; 35.040 SIST ISO/IEC 27006:2012 (sl)

Continued on pages 2 to 40

© 2015-07. Slovenian Institute for Standardization. Reproduction or copying of the whole or parts of this standard is not permitted.

SIST ISO/IEC 27006:2012
NATIONAL FOREWORD
The standard SIST ISO/IEC 27006 (sl), Informacijska tehnologija – Varnostne tehnike – Zahteve za organe, ki izvajajo presojanje in certificiranje sistemov upravljanja informacijske varnosti, 2012, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27006 (en), Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems, 2011-12.

The international standard ISO/IEC 27006:2011 was prepared by Subcommittee SC 27, IT Security techniques, of Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization and the International Electrotechnical Commission.

The Slovenian standard SIST ISO/IEC 27006:2012 is a translation of the international standard ISO/IEC 27006:2011. In the event of a dispute concerning the text of the Slovenian translation, the original international standard in English prevails. The Slovenian standard SIST ISO/IEC 27006:2012 was prepared by the technical committee SIST/TC ITC Information technology.

The decision to issue this standard was taken by SIST/TC ITC Information technology on 26 September 2012.
RELATIONSHIP TO NATIONAL STANDARDS

With the adoption of this international standard, all standards cited in the original apply for the limited purpose of referenced standards, except those already adopted into national standardization:
SIST ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems (ISO/IEC 17021:2011)
SIST ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (ISO/IEC 27001:2005; superseded by SIST ISO/IEC 27001:2013)
SIST ISO 19011 Guidelines for auditing management systems (ISO 19011:2011)

BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27006:2011

NOTES
– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27006:2012 this means "Slovenian standard".

– The national introduction and the national foreword are not part of the standard.
CONTENTS
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matters
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the certification activities
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Certification documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
8.5 Confidentiality
8.6 Information exchange between a certification body and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 – Management system requirements in accordance with ISO 9001
10.3 Option 2 – General management system requirements
Annex A (informative): Analysis of a client organization's complexity and sector-specific aspects
Annex B (informative): Example areas of auditor competence
Annex C (informative): Audit time
Annex D (informative): Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27006 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 27006:2007), which has been technically revised.
Introduction
ISO/IEC 17021 sets out criteria for bodies that audit and certify organizations' management systems. If such bodies are accredited in accordance with ISO/IEC 17021 and intend to audit and certify information security management systems (ISMS) in accordance with ISO/IEC 27001:2005, some additional requirements and guidance to ISO/IEC 17021 are necessary. These are provided in this International Standard.
The text of this International Standard follows the structure of ISO/IEC 17021, and the additional ISMS-specific requirements and the guidance on applying ISO/IEC 17021 to ISMS certification are therefore marked with the letters "IV" (the Slovenian translation's rendering of the "IS" marking used in the English original).
Throughout this International Standard, the modal verb "shall" is used to indicate those provisions which, reflecting the requirements of ISO/IEC 17021 and ISO/IEC 27001, are mandatory. The term "should" is used to indicate recommendations.
One of the aims of this International Standard is to enable accreditation bodies to harmonize more effectively their application of the standards against which they are bound to assess certification bodies.
NOTE: In this International Standard, the terms "management system" and "system" are used interchangeably. The definition of a management system can be found in ISO 9000:2005. The management system as used in this International Standard is not to be confused with other types of system, such as IT systems.
Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
1 Scope
This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.

NOTE: This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements

ISO 19011, Guidelines for auditing management systems

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17021, ISO/IEC 27001 and the following apply.
3.1
certificate
certificate issued by a certification body in accordance with the conditions of its accreditation and bearing an accreditation symbol or statement
3.2
certification body
third party that assesses and certifies the ISMS of a client organization with respect to published ISMS standards, and any supplementary documentation required under the system

3.3
certification document
document indicating that
...
