Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
5.1 Legal and contractual matter
5.2 Management of impartiality
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.2 Committee for safeguarding impartiality
7 Resource requirements
7.1 Competence of management and personnel
7.2 Personnel involved in the certification activities
7.3 Use of individual external auditors and external
technical experts
7.4 Personnel records
7.5 Outsourcing
8 Information requirements
8.1 Publicly accessible information
8.2 Certification documents
8.3 Directory of certified clients
8.4 Reference to certification and use of marks
8.5 Confidentiality
8.6 Information exchange between a certification body
and its clients
9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing scope of
certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients
10 Management system requirements for certification bodies
10.1 Options
10.2 Option 1 - Management system requirements in
accordance with ISO 9001
10.3 Option 2 - General management system requirements
Annex A (informative) Analysis of a client organization's
complexity and sector-specific aspects
A.1 Organization's risk potential
A.2 Sector-specific categories of information security
risk
Annex B (informative) Example areas of auditor competence
B.1 General competence considerations
B.2 Specific competence considerations
Annex C (informative) Audit time
Annex D (informative) Guidance for review of implemented
ISO/IEC 27001: 2005, Annex A controls