ISO 27006 (Jun 2026)

ISO/IEC 27006 imposes strict confidentiality obligations. The certification body (CB) must have legal agreements in place to protect client information. Furthermore, the audit team must be vetted, and the CB must ensure that audit notes and evidence are securely stored and destroyed after the retention period.

Without ISO 27006, the value of an ISO 27001 certificate would be uncertain. It acts as the backbone of the "trust chain" in cybersecurity compliance.

| Annex | Title | Type |
|-------|-------|------|
| A | Competence requirements for ISMS auditors (knowledge, skills, experience) | Normative |
| B | Additional guidance for competence of certification body personnel | Informative |
| C | Audit time determination (calculation rules) | Normative |
| D | Multi-site sampling methodology | Normative |
| E | Example of qualification process for ISMS auditors | Informative |
| F (Amd 1:2020) | Additional guidance on auditing cloud services and outsourced ISMS | Informative |

This content is a summary for informational purposes. To perform certification or accreditation activities, purchase the complete official standard from ISO (www.iso.org) or your national standards body.

This is the most critical aspect of the standard. A certification body must be a "trusted third party." ISO/IEC 27006 mandates strict rules to prevent conflicts of interest (COI).