
FAQ

Question 49.1 ISO/IEC 27006-1 vs ISO/IEC 27006

Paragraph 7.2.2.2 (Selecting auditors) of ISO/IEC 27006-1 states:
In addition to 7.1.3.1, the process for selecting auditors shall ensure that each auditor:
a) has professional education or training equivalent to university level;
b) has practical workplace experience in information technology and information security, which is sufficient to act as auditor for ISMS;

The question is about the ISO/IEC 27006-1 assessment and about paragraph 7.2.2.2 b).
– Are there any reasonable limits on professional experience in information technology work in accordance with section 7.2.2 of the ISO/IEC 27006-1 standard? Are six months, or maybe one year, acceptable as sufficient professional experience in accordance with section 7.2.2 of the ISO/IEC 27006-1 standard (if the CAB decides to lower the requirement from four years, as stated in the previous version of the standard, to a shorter period)? And what about information security experience?
– Do you focus on specific duties (e.g., ISMS coordinator, internal auditor), or is simply working in an ISMS environment sufficient?

March 2025

– Are there any reasonable limits on professional experience in information technology work?
No, this is to be determined by the CB in order to demonstrate that its auditors fulfil the requirements described in 7.1.3 and Annex A of ISO/IEC 27006-1:2024.

– Do you focus on specific duties (e.g., ISMS coordinator, internal auditor), or is simply working in an ISMS environment sufficient?
There is no focus on specific duties or functions as such; depending on what is to be demonstrated, working in an ISMS environment may or may not be sufficient. This practical experience should be connected with the client processes and activities normally covered by an ISMS.