Information for CBs certifying ISMS
Standard ISO/IEC 27006:2015 was published in October 2015. It contains the requirements and guidelines for bodies which assess and certify Information Security Management Systems (ISMS), in addition to the requirements contained in ISO/IEC 17021‑1 and ISO/IEC 27001, and primarily serves as a support in the accreditation of certification bodies which provide ISMS certification services.
This standard replaced the former standard ISO/IEC 27006:2011, which was adopted as SRPS ISO/IEC 27006:2013 and which the Accreditation Body of Serbia (ATS) uses in the procedure of accreditation of certification bodies certifying Information Security Management Systems.
At its General Assembly in Milan in 2015, the International Accreditation Forum (IAF) decided that the transition period for conformity with the requirements of the new standard ISO/IEC 27006:2015 would be two years from the date of publication of the standard.
In view of this, and of the status of the Accreditation Body of Serbia in IAF as a signatory to the IAF Multilateral Agreement (IAF MLA), the Accreditation Body of Serbia hereby informs accredited certification bodies certifying Information Security Management Systems, as well as bodies in the certification procedure, that the final deadline for transition to certification against ISO/IEC 27006:2015 is 30th September 2017.
Accordingly, the Accreditation Body of Serbia shall not accept applications for accreditation from certification bodies certifying Information Security Management Systems according to SRPS ISO/IEC 17021-1:2015 and SRPS ISO/IEC 27006:2013 (ISO/IEC 27006:2011) after 20th March 2017.
All assessments made after 20th March 2017 shall also include assessment of fulfillment of the requirements of standard ISO/IEC 27006:2015.
Accredited certification bodies certifying Information Security Management Systems according to SRPS ISO/IEC 17021-1:2015 and SRPS ISO/IEC 27006:2013 standards are obligated to prepare a plan of transition to accreditation according to ISO/IEC 27006:2015 and submit it to the Accreditation Body of Serbia by 20th April 2017 at the latest.
Upon receipt and assessment of the plan for transition to accreditation according to ISO/IEC 27006:2015, the Accreditation Body of Serbia will check the application of the requirements of the new standard at the head offices of certification bodies, during regular surveillance assessments or reassessments.
When the Institute for Standardization of Serbia adopts the corresponding SRPS ISO/IEC 27006, which will be identical to ISO/IEC 27006:2015, the Accreditation Body of Serbia will move to accreditation of certification bodies certifying Information Security Management Systems according to standards SRPS ISO/IEC 17021-1:2015 and SRPS ISO/IEC 27006:2017.