
FAQ

Question 45.6 ISO/IEC 27006

p.7.2.1.1 c) of ISO/IEC 27006 states:

"In addition to 7.1.2.1, the criteria for selecting auditors shall ensure that each auditor:

(...)

c) has successfully completed at least five days of training, the scope of which covers ISMS audits and audit management."

Does this mean that the auditor should complete one five-day training course (for example, a lead auditor course), or can it be, for example, two training courses lasting five days in total, the scope of which covers ISMS audits and audit management?

March 2023

Although there is no clear statement in the standard on the subject, both seem possible when looking at internationally accepted/recognized/common training programs. However, a person who has not yet received lead auditor training in another management system should initially be required to have attended and successfully completed a 5-day training program covering ISMS audit and audit management.

In any case, it will remain the CAB's responsibility to define the competence criteria to meet this requirement of ISO/IEC 27006. (This last sentence is the view of WG ICT DS.)