According to ISO/IEC 27006:2015 (IS 10.1) accredited CAB performing ISMS certification is obliged to implement the ISMS (acc. ISO/IEC 27001).
1) Should AB verify the CAB’s MS acc. ISO/IEC 27001 during every on-site assessment?
2) If CAB is certified acc. to ISO/IEC 27001, can the AB reduce its assessment in this field?
September 2019
According to ISO/IEC 27006, ISMS implementation by an ISMS CB is a recommendation and not an obligation (ISO/IEC 27006 “10.1.1 IS 10.1 ISMS implementation It is recommended that certification bodies implement an ISMS in accordance with ISO/IEC 27001”.).
1) No: As what was discussed in the past and decided for the “Option B” in ISO/IEC 17021-1, it is not the duty of the AB to check the compliance of the CB to any specific management system certification standard.
2)No: The duty of the AB is to verify compliance of the CB to ISO/IEC 27006, not to ISO/IEC 27001; Furthermore, relying on a certification to reduce assessment would put the AB in a conflict of interest situation as in a way subcontracting part of its assessment to a CB client.