GB/T 27021.6-2020 Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6: Competence requirements for auditing and certification of business continuity management systems
Basic information
Standard ID: GB/T 27021.6-2020
Standard name: Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6: Competence requirements for auditing and certification of business continuity management systems
ICS number: 03.120.20 (Services, company organization, management and quality, administration, transport >> Quality >> Product and company certification, conformity assessment)
Chinese standard classification number: A00 (General >> Standardization management and general regulations >> Standardization, quality management)
Associated standards
Adopted international standard: ISO/IEC TS 17021-6:2014 (identical adoption, IDT)
Publication information
Publisher: China Standards Press
Publication date: 2020-03-01
Other information
Drafters: You Qi, Wei Jun, Yang Zhe, Wang Yiliang, Wang Shuguang, Shi Lei, Wang Qian, Qian Yingjie, Shi Jijian, Bao Xuhua, Su Yunfeng, Qin Feng, Zhang Mingzhuang, Jin Lijie, Li Jiakang
Drafting unit:China Cybersecurity Review Technology and Certification Center, China National Accreditation Service for Conformity Assessment, Shandong Institute of Standardization, China Certification and Accreditation Association, Dongfeng Consulting Co., Ltd., S
Responsible technical committee: National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261)
Proposed by: National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261)
Issued by: State Administration for Market Regulation and Standardization Administration of China
This part supplements the existing requirements of ISO/IEC 17021:2011. This part contains specific competence requirements for personnel involved in the business continuity management system (BCMS) certification process.
Excerpt (partial) from the standard text:
ICS 03.120.20
National Standard of the People's Republic of China
GB/T 27021.6-2020 / ISO/IEC TS 17021-6:2014

Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6: Competence requirements for auditing and certification of business continuity management systems
(ISO/IEC TS 17021-6:2014, IDT)

Issued 2020-03-31; implemented 2020-10-01
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General competence requirements
5 Competence requirements for BCMS auditors, persons reviewing audit reports and persons making certification decisions
5.1 General
5.2 Business continuity management (BCM) terminology
5.3 Organizational context
5.4 Applicable legal and other requirements
5.5 Relationships in the business continuity management process
5.6 Business impact analysis and risk assessment
5.7 Business continuity strategy
5.8 Incident management
5.9 Business continuity plan
5.10 Business continuity exercises
5.11 BCMS performance evaluation
6 Competence requirements for personnel conducting the application review to determine the competence required of the audit team, select audit team members and determine audit time
6.1 General
6.2 BCM terminology
6.3 Organizational context
6.4 Relationships in the business continuity management process
Annex A (informative) Knowledge table for auditing and certification of business continuity management systems
Bibliography

Foreword

GB/T 27021 "Conformity assessment—Requirements for bodies providing audit and certification of management systems" is divided into the following 7 parts:
- Part 1: Requirements;
- Part 2: Competence requirements for auditing and certification of environmental management systems;
- Part 3: Competence requirements for auditing and certification of quality management systems;
- Part 4: Competence requirements for auditing and certification of event sustainability management systems;
- Part 5: Competence requirements for auditing and certification of asset management systems;
- Part 6: Competence requirements for auditing and certification of business continuity management systems;
- Part 7: Competence requirements for auditing and certification of road traffic safety management systems.

This part is Part 6 of GB/T 27021.

This part was drafted in accordance with the rules given in GB/T 1.1-2009.

This part is identical to ISO/IEC TS 17021-6:2014 "Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6: Competence requirements for auditing and certification of business continuity management systems", adopted by translation.

The Chinese documents that correspond to the international documents normatively referenced in this part are as follows:
- GB/T 27000 Conformity assessment—Vocabulary and general principles (GB/T 27000-2006, ISO/IEC 17000:2004, IDT);
- GB/T 30146 Public security—Business continuity management systems—Requirements (GB/T 30146-2013, ISO 22301:2012).

This part was proposed by, and is under the jurisdiction of, the National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261).
Attention is drawn to the possibility that some elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any such patent rights.

Drafting units of this part: China Cybersecurity Review Technology and Certification Center, China National Accreditation Service for Conformity Assessment, Shandong Institute of Standardization, China Certification and Accreditation Association, Dongfeng Consulting Co., Ltd., Shanghai Anyan Information Technology Co., Ltd., Qi'anxin Technology Group Co., Ltd., Guangdong Huneng Information Technology Co., Ltd., Yuntianben (Beijing) Information Technology Co., Ltd., Guangdong Kangyun Technology Co., Ltd., Ping An Technology (Shenzhen) Co., Ltd.

Main drafters of this part: Wei Jun, Yang Zhe, Wang Yiliang, Wang Shuguang, Shi Lei, Wang Qian, Qian Yingjie, Shi Jijian, Bao Xuhua, Su Yunfeng, Qin Feng, Zhang Mingzhuang, Jin Lijie, Li Jiakang.

Introduction

This part supplements ISO/IEC 17021:2011. In particular, it clarifies the competence requirements for personnel involved in the certification process, as set out in Annex A of ISO/IEC 17021:2011. The principles in Clause 4 of ISO/IEC 17021:2011 are the basis for the requirements in this part.

The certification body has a responsibility to interested parties, including its own clients and the customers of organizations holding certified management systems, to ensure that only auditors who have demonstrated the relevant competence carry out business continuity management system (BCMS) audits.

BCMS certification personnel need the generic competence described in ISO/IEC 17021:2011 as well as the BCMS-specific knowledge described in this part. The certification body needs to identify the audit scope for each BCMS audit.
The following verbal forms are used in this part: "shall" indicates a requirement; "should" indicates a recommendation; "may" indicates a permission; "can" indicates a possibility or a capability. These verbal forms are described in more detail in the ISO/IEC Directives, Part 2.

1 Scope

This part of GB/T 27021 supplements the existing requirements of ISO/IEC 17021:2011. It contains specific competence requirements for personnel involved in the certification process for a business continuity management system (BCMS).

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17000 Conformity assessment—Vocabulary and general principles
ISO/IEC 17021:2011 Conformity assessment—Requirements for bodies providing audit and certification of management systems
ISO 22300 Societal security—Terminology
ISO 22301 Societal security—Business continuity management systems—Requirements

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301, ISO/IEC 17000 and ISO/IEC 17021:2011 apply.

4 General competence requirements

The certification body shall comply with Table A.1 of ISO/IEC 17021:2011. When defining the competence requirements for each certification function, the certification body shall consider all the requirements specified in ISO/IEC 17021:2011 and all the requirements specified in Clauses 5 and 6 of this part.
NOTE 1 Annex A provides an informative summary of the competence requirements for personnel involved in specific certification functions.
NOTE 2 ISO 19011 provides information on audit principles.

5 Competence requirements for BCMS auditors, persons reviewing audit reports and persons making certification decisions

5.1 General

All BCMS auditors, persons reviewing audit reports and persons making certification decisions shall have a level of competence that includes the applicable competence specified in ISO/IEC 17021:2011 and the BCMS knowledge described in 5.2 to 5.11 of this part.

NOTE 1 Not every auditor in the audit team needs to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives.
NOTE 2 Although the basic elements of these knowledge requirements are the same, it is recognized that the required level of detail may differ for auditors, persons reviewing audit reports and persons making certification decisions. This is determined by each certification body.

5.2 Business continuity management (BCM) terminology

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the terms, definitions and concepts of BCM and of risk.

5.3 Organizational context

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the context in which the organization operates.

5.4 Applicable legal and other requirements

The audit team, persons reviewing audit reports and persons making certification decisions shall have the knowledge needed to determine whether the organization has identified, and evaluated its compliance with, applicable legal and other requirements.

NOTE 1 Statutory and regulatory requirements can be expressed as legal requirements.
NOTE 2 Other requirements can include voluntary national, international and sector-specific agreements.

5.5 Relationships in the business continuity management process

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the relationships between the elements of BCM.

5.6 Business impact analysis and risk assessment

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of business impact analysis (BIA), including:
- methodologies and techniques;
- identification of the activities that deliver products and services;
- assessment of impacts over time, to identify when they become unacceptable;
- setting priorities for resumption;
- identification of dependencies and supporting resources.

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of risk assessment and risk management, including:
- methodologies and techniques;
- identification, analysis and evaluation of the risks associated with disruptive incidents;
- effectiveness of existing controls;
- identification of appropriate risk treatments.

5.7 Business continuity strategy

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of strategies and methodologies for reducing the likelihood and impact of disruptive incidents, including:
- strategy development;
- preparatory measures;
- selection of alternative strategies;
- cost-benefit analysis of continuity strategies;
- methods of coordination with external interested parties;
- incident response;
- communication;
- command and control;
- coordination of the response organization;
- recovery and restoration.

5.8 Incident management

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of incident management in order to determine whether the organization has identified appropriate responses to disruptive incidents, including warning and communication needs.

The audit team, persons reviewing audit reports and persons making certification decisions shall have the knowledge needed to evaluate the effectiveness of the organization's testing of its incident management capabilities.

5.9 Business continuity plan

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of business continuity planning, including the establishment, development and maintenance of business continuity plans and the purpose, format, structure and level of detail of their procedures.

5.10 Business continuity exercises

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of planning and conducting business continuity exercises, including the types of exercise and the processes, techniques and criteria for evaluating the organization's ability to meet its recovery priorities and recovery objectives.

5.11 BCMS performance evaluation

The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of BCMS performance evaluation, including indicators and performance measurement, in order to determine whether the performance of the organization's BCMS achieves the goals and objectives set by its management.

6 Competence requirements for personnel conducting the application review to determine the competence required of the audit team, select audit team members and determine audit time
6.1 General

Teams or individuals performing other certification functions should have the generic competence described in ISO/IEC 17021:2011 as well as the BCMS knowledge described in 6.2 to 6.4 of this part.

6.2 BCM terminology

Teams or individuals performing other certification functions should have knowledge of BCM terminology.

6.3 Organizational context

Teams or individuals performing other certification functions should have knowledge of the context in which the organization operates.

6.4 Relationships in the business continuity management process

Teams or individuals performing other certification functions should have knowledge of the relationships between the elements of BCM.

Annex A (informative)
Knowledge table for auditing and certification of business continuity management systems

Table A.1 summarizes the knowledge required for auditing and certification of a BCMS. The table is informative: it identifies only the knowledge areas required for each certification function, while the competence requirements themselves are given in the body of this part. A check mark (✓) in Table A.1 indicates that the certification body should define the criteria and the depth of knowledge required.

Table A.1 Knowledge table

Certification function: conducting the application review to determine the competence required of the audit team, select audit team members and determine audit time
- ✓ BCM terminology (see 6.2)
- ✓ Organizational context (see 6.3)
- ✓ Relationships in the business continuity management process (see 6.4)
- not marked: applicable legal and other requirements; business impact analysis and risk assessment; business continuity and recovery strategy; incident management; business continuity plan; business continuity exercises; BCMS performance evaluation

Certification functions: reviewing audit reports and making certification decisions; auditing and leading the audit team (both functions are marked in every knowledge area, as clauses 5.2 to 5.11 apply to all three roles)
- ✓ BCM terminology (see 5.2)
- ✓ Organizational context (see 5.3)
- ✓ Applicable legal and other requirements (see 5.4)
- ✓ Relationships in the business continuity management process (see 5.5)
- ✓ Business impact analysis and risk assessment (see 5.6)
- ✓ Business continuity and recovery strategy (see 5.7)
- ✓ Incident management (see 5.8)
- ✓ Business continuity plan (see 5.9)
- ✓ Business continuity exercises (see 5.10)
- ✓ BCMS performance evaluation (see 5.11)

The audit team should have the necessary specialist knowledge and skills, or be supplemented by technical experts where necessary. Where an audit is conducted by an audit team, the team as a whole should possess the necessary skills to the required level; each individual member need not possess all of them.

Bibliography

ISO 19011 Guidelines for auditing management systems
ISO 22313 Societal security—Business continuity management systems—Guidance
ISO 22398 Societal security—Guidelines for exercises
ISO 31000 Risk management—Principles and guidelines
ISO Guide 73 Risk management—Vocabulary
IEC 31010 Risk management—Risk assessment techniques