1) For accreditation of certification bodies for information security management systems (ISO/IEC 27001), is it sufficient to define the accreditation scope as below, without any sub-areas (similar to IAF codes for ISO 9001)?
Scope: Information Security Management System Certification
Standard: ISO/IEC 27001:2013
If the answer to question 1) is YES, which we assume, as we see this kind of accreditation scope from different NABs,
2) Is it sufficient to make one witnessing activity per accreditation cycle for this scope?
3) If the answer to question 1) or 2) is NO, would EA CC be prepared to develop a harmonized way of presenting suitable sub-areas, to be used for accreditation scopes and/or planning of witnessing activities?
(Possible sub-areas could be: Nuclear, Bank/finance/insurance, Health care, Public sector, Production, Gambling, etc.)
September 2019
1) Yes, it is confirmed that there are currently no sub-areas for ISO 27001 certification.
2) Yes, provided that the requirements of ISO/IEC 17011 and IAF MD17 parts 1 to 3 are fulfilled.
3) Not considered necessary.