BS ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
7.1.1 IS 7.1.1 General considerations

7.1.1.1 Generic competence requirements

The certification body shall ensure that it has knowledge of the technological, legal and regulatory developments relevant to the ISMS of the client which it assesses.

The certification body shall define the competence requirements for each certification function as referenced in Table A.1 of ISO/IEC 17021-1. The certification body shall take into account all the requirements specified in ISO/IEC 17021-1 and 7.1.2 and 7.2.1 of this International Standard that are relevant for the ISMS technical areas as determined by the certification body.

NOTE Annex A provides a summary of the competence requirements for personnel involved in specific certification functions.

7.1.2 IS 7.1.2 Determination of Competence Criteria

7.1.2.1 Competence requirements for ISMS auditing

7.1.2.1.1 General requirements

The certification body shall have criteria for verifying the background experience, specific training or briefing of audit team members that ensures at least:

a) knowledge of information security;
b) technical knowledge of the activity to be audited;
c) knowledge of management systems;
d) knowledge of the principles of auditing;
   NOTE Further information on the principles of auditing can be found in ISO 19011.
e) knowledge of ISMS monitoring, measurement, analysis and evaluation.

These above requirements a) to e) apply to all auditors being part of the audit team, with the exception of b), which can be shared among auditors being part of the audit team.

The audit team shall be competent to trace indications of information security incidents in the client’s ISMS back to the appropriate elements of the ISMS.

The audit team shall have appropriate work experience of the items above and practical application of these items (this does not mean that an auditor needs a complete range of experience of all areas of information security, but the audit team as a whole shall have enough appreciation and experience to cover the ISMS scope being audited).