ISO IEC 27706-2025 PDF
Name in English: St ISO IEC 27706-2025
Name in Russian: Ст ISO IEC 27706-2025
Full title and description
ISO/IEC 27706:2025 — Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems. This international standard specifies mandatory requirements and accompanying guidance for certification bodies that audit and certify Privacy Information Management Systems (PIMS) based on ISO/IEC 27701, aligned with management-system certification principles.
Abstract
ISO/IEC 27706:2025 sets out competence, impartiality and process requirements for bodies performing PIMS audits and certification. It supplements the general requirements of ISO/IEC 17021‑1 by focusing on privacy-specific auditor competencies, audit methods for privacy controls derived from ISO/IEC 27701, and guidance for accreditation and peer assessment of PIMS certification. The document provides both normative requirements and practical guidance to support consistent, reliable certification of privacy management systems.
General information
- Status: Published (International Standard).
- Publication date: October 14, 2025 (first edition).
- Publisher: Joint publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- ICS / categories: 35.030; 03.120.20 (information security, cybersecurity and privacy protection).
- Edition / version: Edition 1 (2025).
- Number of pages: 24.
Scope
This standard applies to bodies that provide audit and certification of Privacy Information Management Systems (PIMS) in accordance with ISO/IEC 27701. It describes requirements and guidance to demonstrate that a certification body is competent and operates consistently when assessing implementation of privacy controls and PIMS requirements, and it can be used as a criteria document for accreditation, peer assessment or other audit processes. The standard is intended to be applied in addition to ISO/IEC 17021‑1 and is tailored to the privacy context.
Key topics and requirements
- Alignment with ISO/IEC 17021‑1: application of management-system certification principles to PIMS while adding privacy-specific requirements.
- Certification-body competence: criteria for auditor knowledge and experience in privacy laws, data protection practices, PIMS controls and technical privacy safeguards.
- Audit planning and execution: requirements for scoping, evidence collection, sampling, assessing privacy control implementation and effectiveness, and reporting.
- Impartiality and confidentiality: mechanisms to manage conflicts of interest, third‑party relationships and protection of sensitive audit information.
- Surveillance, recertification and management of nonconformities: rules for ongoing oversight of certified PIMS and corrective-action handling.
- Guidance annexes: practical guidance and interpretation for application to PIMS audits (includes examples and expanded clarification to support consistent application by certification and accreditation bodies).
Typical use and users
Primary users are certification bodies that perform PIMS audits, and national/international accreditation bodies that assess and accredit those certification bodies. Secondary users include privacy and compliance professionals, lead auditors, consultancy organizations assisting clients to prepare for certification, and regulators or procurers who need assurance about the credibility of PIMS certification. Organizations preparing for ISO/IEC 27701 certification can consult this standard to understand auditor expectations.
Related standards
Key related standards include ISO/IEC 27701 (Privacy Information Management Systems — requirements and guidance), ISO/IEC 17021‑1 (requirements for bodies providing audit and certification of management systems), and the ISO/IEC 27000 family (information security management and controls such as ISO/IEC 27001 and ISO/IEC 27002). ISO/IEC 27706:2025 replaces the earlier technical specification ISO/IEC TS 27006‑2:2021 as the full International Standard for PIMS certification-body requirements.
Keywords
PIMS, privacy certification, ISO/IEC 27706, ISO/IEC 27701, certification body requirements, accreditation, privacy auditor competence, surveillance, impartiality, audit guidance.
FAQ
Q: What is this standard?
A: ISO/IEC 27706:2025 is an international standard that specifies requirements and guidance for bodies that audit and certify Privacy Information Management Systems (PIMS) based on ISO/IEC 27701.
Q: What does it cover?
A: It covers competence and impartiality requirements for certification bodies, audit planning and evidence requirements specific to privacy controls, rules for surveillance and recertification, and practical guidance (annexes) to ensure consistent, reliable PIMS certification.
Q: Who typically uses it?
A: Certification bodies, accreditation bodies, privacy auditors and consultants, privacy officers and organizations seeking ISO/IEC 27701 certification who want to understand auditor and accreditation expectations.
Q: Is it current or superseded?
A: Current — published in October 2025 (first edition). It supersedes the earlier technical specification ISO/IEC TS 27006‑2:2021 and establishes the full International Standard requirements for PIMS certification bodies.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC information security, cybersecurity and privacy protection family managed by JTC 1/SC 27. It is specifically intended to be used with ISO/IEC 27701 (PIMS) and ISO/IEC 17021‑1 (management‑system certification requirements).
Q: What are the key keywords?
A: PIMS, privacy certification, audit requirements, certification body competence, accreditation criteria, ISO/IEC 27701, ISO/IEC 17021‑1, impartiality, surveillance, recertification.