Clause 5.2.2, Conflict of interest, of ISO/IEC 27006-1 states:
Certification bodies may add value during certification and surveillance audits (e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions) without it being considered as consultancy or having a potential conflict of interest.
The certification body shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, the certification body shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
Question:
Does this mean that a CAB which assigns a freelance auditor who also acts as a consultant for the same client is not compliant with the requirements of this standard? So can any ISMS freelance auditor not provide ISMS consultancy or conduct internal audits for the same client?
March 2025
Yes, it is not compliant with the requirements of the standard if the CAB collaborates, for any clients under ISMS certification, with an auditor who provides the internal ISMS audit to those clients. Unlike ISO/IEC 17021-1, there is no 2-year limit for mitigation.
Note: Independence in the question has been understood as impartiality in the ISO/IEC 27006-1.
Consultancy activities other than internal ISMS audits, when provided by freelance auditors, shall be addressed according to ISO/IEC 17021-1, 5.2.10.