
INCITS/ISO/IEC 27006 : 2012

Superseded

A superseded Standard is one that has been fully replaced by another Standard, which is a new edition of the same Standard.

INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS

Available format(s)

Hardcopy, PDF

Superseded date

04-19-2024

Language(s)

English

Published date

01-01-2012

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
   5.1 Legal and contractual matter
   5.2 Management of impartiality
   5.3 Liability and financing
6 Structural requirements
   6.1 Organizational structure and top management
   6.2 Committee for safeguarding impartiality
7 Resource requirements
   7.1 Competence of management and personnel
   7.2 Personnel involved in the certification activities
   7.3 Use of individual external auditors and external technical experts
   7.4 Personnel records
   7.5 Outsourcing
8 Information requirements
   8.1 Publicly accessible information
   8.2 Certification documents
   8.3 Directory of certified clients
   8.4 Reference to certification and use of marks
   8.5 Confidentiality
   8.6 Information exchange between a certification body and its clients
9 Process requirements
   9.1 General requirements
   9.2 Initial audit and certification
   9.3 Surveillance activities
   9.4 Recertification
   9.5 Special audits
   9.6 Suspending, withdrawing or reducing scope of certification
   9.7 Appeals
   9.8 Complaints
   9.9 Records of applicants and clients
10 Management system requirements for certification bodies
   10.1 Options
   10.2 Option 1 - Management system requirements in accordance with ISO 9001
   10.3 Option 2 - General management system requirements
Annex A (informative) Analysis of a client organization's complexity and sector-specific aspects
      A.1 Organization's risk potential
      A.2 Sector-specific categories of information security risk
Annex B (informative) Example areas of auditor competence
      B.1 General competence considerations
      B.2 Specific competence considerations
Annex C (informative) Audit time
Annex D (informative) Guidance for review of implemented ISO/IEC 27001:2005, Annex A controls

Specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), supplementing the requirements contained in ISO/IEC 17021 and ISO/IEC 27001.

Committee
CS1
DocumentType
Standard
Pages
44
PublisherName
Information Technology Industry Council
Status
Superseded
SupersededBy
Supersedes

ISO 19011:2011 Guidelines for auditing management systems
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 17021:2011 Conformity assessment Requirements for bodies providing audit and certification of management systems

US$95.40
Excluding Tax where applicable
