BS ISO-IEC 27006-2015 pdf free download – Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.
7.1.2.1.3 Information security management system standards and normative documents Auditors involved in ISMS auditing shall have knowledge of:
a) all requirements contained in ISO/IEC 27001.
Collectively, all members of the audit team shall have knowledge of:
b) all controls contained in ISO/IEC 27002 (if determined as necessary also from sector specific standards) and their implementation, categorized as:
1) information security policies;
2) organization of information security;
3) human resource security;
4) asset management;
5) access control, including authorization;
6) cryptography;
7) physical and environmental security;
8) operations security, including IT-services;
9) communications security, including network security management and information transfer;
10) system acquisition, development and maintenance;
11) supplier relationships, including outsourced services;
12) information security incident management;
13) information security aspects of business continuity management, including redundancies;
14) compliance, including information security reviews.
7.1.2.1.4 Business management practices
Auditors involved in ISMS auditing shall have knowledge of:
a) industry information security good practices and information security procedures;
b) policies and business requirements for information security;
c) general business management concepts, practices and the inter-relationship between policy,
objectives and results;
d) management processes and related terminology.
NOTE These processes also include human resources management, internal and external communication and other relevant support processes.
7.1.2.1.5 Client business sector
Auditors involved in ISMS auditing shall have knowledge of:
a) the legal and regulatory requirements in the particular information security field, geography and jurisdiction(s);
NOTE Knowledge of legal and regulatory requirements does not imply a profound legal background.
b) information security risks related to business sector;
c) generic terminology, processes and technologies related to the client business sector;
d) the relevant business sector practices.
The criteria a) may be shared amongst the audit team.
7.1.2.1.6 Client products, processes and organization
Collectively, auditors involved in ISMS auditing shall have knowledge of:
a) the impact of organization type, size, governance, structure, functions and relationships on development and implementation of the ISMS and certification activities, including outsourcing;
b) complex operations in a broad perspective;
c) legal and regulatory requirements applicable to the product or service.
7.1.2.2 Competence requirements for leading the ISMS audit team
In addition to the requirements in 7.1.2.1, audit team leaders shall fulfil the following requirements,
which shall be demonstrated in audits under guidance and supervision:
a) knowledge and skills to manage the certification audit process and the audit team;
b) demonstration of the capability to communicate effectively, both orally and in writing.
7.1.2.3 Competence requirements for conducting the application review
7.1.2.3.1 Information security management system standards and normative documents Personnel conducting the application review to determine audit team competence required, to select the audit team members and to determine the audit time shall have knowledge of:
a) relevant ISMS standards and other normative documents used in the certification process.
7.1.2.3.2 Client business sector
Personnel conducting the application review to determine the audit team competence required, to select the audit team members and to determine the audit time shall have knowledge of:
a) generic terminology, processes, technologies and risks related to the client business sector.
7.1.2.3.3 Client products, processes and organization
Personnel conducting the application review to determine audit team competence required, to select the audit team members and to determine the audit time shall have knowledge of:
a) client products, processes, organization types, size, governance, structure, functions and relationships on development and implementation of the ISMS and certification activities, including outsourcing functions.BS ISO-IEC 27006 pdf download