ISO/IEC TS 27006-2:2022 — Requirements for Bodies Providing Audit and Certification of ISMS — Part 2: Privacy Information Management

ISO/IEC TS 27006-2 — Technical Specification Overview

Introduction to ISO/IEC TS 27006-2

ISO/IEC TS 27006-2:2022 is a critical Technical Specification that extends the certification body requirements framework to privacy information management. Building on the foundation of ISO/IEC 27006 (requirements for bodies auditing and certifying ISMS) and aligned with ISO/IEC 27701 (privacy information management), this specification defines the specific competence requirements, audit processes, and certification rules for bodies certifying privacy information management systems (PIMS). In an era of increasing privacy regulation — GDPR, CCPA, LGPD, PIPL — the need for credible, standardized certification of privacy management practices has never been greater.

TS 27006-2 bridges the gap between general ISMS certification and the specific requirements of privacy management, ensuring that certification bodies have the specialized knowledge needed to evaluate an organization’s privacy information management practices effectively.

The specification addresses several critical areas that differentiate privacy information management certification from conventional ISMS certification. These include competence requirements for auditors in privacy law and regulations, specific audit duration and methodology adjustments for PIMS, multi-site sampling considerations for privacy management systems, and the integration of PIMS certification with existing ISMS certification processes.

For certification bodies, TS 27006-2 provides the operational framework needed to deliver credible PIMS certification services. For organizations seeking certification, it provides transparency into the certification process and assurance that certified bodies meet consistent competence standards. For regulators and stakeholders, it supports trust in the certification system as a reliable indicator of privacy management capability.

Key Requirements for Certification Bodies

Competence Requirements for Privacy Auditors

The most significant contribution of TS 27006-2 is its detailed specification of competence requirements for personnel involved in PIMS certification. These go substantially beyond the general ISMS auditor competence defined in ISO/IEC 27006:

Competence Area | Specific Requirements | Evidence Methods
Privacy Law and Regulations | Knowledge of applicable privacy laws (GDPR, CCPA, etc.), regulatory interpretations, and enforcement trends | Formal training records, professional certifications (CIPP, CIPM), legal qualifications, demonstrated experience in privacy compliance
Privacy Information Management | Understanding of PII identification, privacy risk assessment, data protection impact assessment (DPIA), privacy-by-design principles | Participation in PIMS implementations or audits, DPIA facilitation experience, documented privacy risk assessment work
Data Processing Technologies | Knowledge of data processing systems, data lifecycle management, anonymization/pseudonymization techniques, data breach detection | Technical training, system implementation experience, incident response participation
Cross-Border Data Transfer | Understanding of international data transfer mechanisms (SCCs, BCRs, adequacy decisions), jurisdictional variations | Experience with multi-jurisdictional audits, knowledge of relevant transfer mechanisms and their requirements
Privacy Engineering | Knowledge of privacy-enhancing technologies (PETs), encryption, access controls, privacy by design and by default | Engineering background, specialized privacy training, demonstrated implementation of privacy controls

A common challenge identified during the development of TS 27006-2 was the shortage of auditors with combined expertise in information security, privacy law, and data processing technologies. Certification bodies are encouraged to develop competence through multidisciplinary team composition rather than requiring all competencies in single individuals.

Audit Process Adjustments for Privacy

TS 27006-2 specifies several adjustments to the standard ISMS audit process needed for credible PIMS certification. These adjustments reflect the unique characteristics of privacy management:

Audit Element | ISMS Audit (ISO/IEC 27006) | PIMS Audit (TS 27006-2)
Audit Duration | Based on ISMS scope, number of employees, complexity | Additional time required for privacy-specific controls (typically 15-30% more than an ISMS audit of the same scope)
Documentation Review | ISMS policy, risk assessment, SoA, internal audit reports | Plus: PIMS policy, PII inventory, DPIA records, privacy notices, consent management records, data subject request procedures
Control Testing | Annex A controls selection | Plus: ISO/IEC 27701 PIMS-specific controls, privacy controls effectiveness, data subject rights implementation
Multi-Site Sampling | Based on ISMS standard sampling methodology | Must include sites with significant PII processing; must consider cross-border data flows between sites
Findings Classification | Nonconformity, observation, opportunity for improvement | Plus: privacy-specific nonconformity categories (e.g., consent deficiencies, data subject request failures, breach notification delays)

Implementing TS 27006-2 in Certification Body Operations

For certification bodies implementing TS 27006-2, the primary challenge is building and maintaining the specialized competence required for PIMS certification. The recommended approach includes establishing a dedicated privacy certification scheme managed by personnel with privacy expertise, developing specialized audit protocols and checklists that address the additional PIMS controls, and implementing competence management processes that ensure all PIMS auditors maintain current knowledge of evolving privacy regulations.

The specification also addresses the relationship between ISMS and PIMS certification. Organizations may seek integrated ISMS/PIMS certification (where both management systems are audited together) or standalone PIMS certification. TS 27006-2 provides requirements for both scenarios, including rules for leveraging ISMS audit evidence in PIMS certification and vice versa.

For certification bodies already offering ISMS certification, adding PIMS certification under TS 27006-2 represents a natural extension of services. The integrated approach often provides operational efficiencies while delivering greater value to organizations seeking comprehensive information and privacy management certification.

For organizations seeking PIMS certification, understanding TS 27006-2 helps set expectations for the certification process. Organizations should prepare for auditors who will probe deeply into privacy practices — examining data mapping completeness, DPIA quality, consent management effectiveness, data subject request handling, and breach response procedures. The audit will require evidence of privacy-by-design integration into system development processes and demonstrated accountability through the privacy information management system.

TS 27006-2 also emphasizes the importance of impartiality and conflict-of-interest management in PIMS certification. Given the sensitivity of privacy information and the potential for certification bodies to also offer privacy consulting services, the specification reinforces the requirement for clear separation between certification and consulting activities to maintain the integrity of the certification process.

As privacy regulations continue to evolve globally, TS 27006-2 will play an increasingly important role in establishing trusted certification programs that provide organizations with credible demonstration of their privacy management capabilities. The specification represents a significant step toward harmonizing privacy certification practices across jurisdictions and building global confidence in privacy information management systems.

Frequently Asked Questions

Q1: Is TS 27006-2 certification mandatory for ISMS certification bodies?
A: No, TS 27006-2 is a Technical Specification that provides requirements specifically for PIMS certification. ISMS certification bodies that do not offer PIMS certification are not required to comply. However, any body offering PIMS certification should conform to TS 27006-2 to ensure credible and consistent certification.

Q2: How does TS 27006-2 relate to ISO/IEC 27701?
A: ISO/IEC 27701 defines the requirements for a privacy information management system (PIMS) — what organizations must do. TS 27006-2 defines the requirements for bodies certifying conformity to ISO/IEC 27701 — how certification bodies must operate. They are complementary: one defines the management system standard, the other defines the certification requirements.

Q3: What qualifications must PIMS auditors have under TS 27006-2?
A: PIMS auditors must have ISMS auditor qualifications (per ISO/IEC 27006) plus additional competence in privacy law, privacy information management, data processing technologies, cross-border data transfer mechanisms, and privacy engineering. The specification allows for multidisciplinary audit teams to cover all required competence areas.

Q4: Can TS 27006-2 be used for internal audit programs?
A: While designed for third-party certification bodies, the competence requirements and audit methodology in TS 27006-2 can serve as valuable guidance for organizations conducting internal PIMS audits. Internal audit teams should consider the competence areas defined in the specification when building their internal audit capability.