Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6:Competence requirements for auditing and certification of business continuity management systems

Basic information

Standard ID: GB/T 27021.6-2020

Standard name: Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 6: Competence requirements for auditing and certification of business continuity management systems

Chinese name: 合格评定 管理体系审核认证机构要求 第6部分:业务连续性管理体系审核认证能力要求

Standard category: National Standard (GB)

Status: in force

Date of release: 2020-03-31

Date of implementation: 2020-10-01

Standard classification numbers

ICS number: Sociology, Services, Organization and Management of Companies (Enterprises), Administration, Transport >> Quality >> 03.120.20 Product Certification and Agency Certification, Conformity Assessment

Chinese standard classification number: General >> Standardization Management and General Regulations >> A00 Standardization, Quality Management

Associated standards

Adoption status: ISO/IEC TS 17021-6:2014

Publication information

Publishing house: China Standards Press

Publication date: 2020-03-01

Other information

Drafters: You Qi, Wei Jun, Yang Zhe, Wang Yiliang, Wang Shuguang, Shi Lei, Wang Qian, Qian Yingjie, Shi Jijian, Bao Xuhua, Su Yunfeng, Qin Feng, Zhang Mingzhuang, Jin Lijie, Li Jiakang

Drafting units: China Cybersecurity Review Technology and Certification Center, China National Accreditation Service for Conformity Assessment, Shandong Institute of Standardization, China Certification and Accreditation Association, Dongfeng Consulting Co., Ltd., S

Technical committee in charge: National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261)

Proposed by: National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261)

Issued by: State Administration for Market Regulation; National Standardization Administration

Introduction to the standard:

This part supplements the existing requirements of ISO/IEC 17021:2011. This part contains specific competence requirements for personnel involved in the business continuity management system (BCMS) certification process.


Excerpt of the standard's content:

ICS 03.120.20
National Standard of the People's Republic of China
GB/T 27021.6—2020/ISO/IEC TS 17021-6:2014
Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 6: Competence requirements for auditing and certification of business continuity management systems
(ISO/IEC TS 17021-6:2014, IDT)
Released 2020-03-31, implemented 2020-10-01
State Administration for Market Regulation
National Standardization Administration
Contents
2 Normative references
3 Terms and definitions
4 General competence requirements
5 Competence requirements for BCMS auditors, persons reviewing audit reports and persons making certification decisions
5.1 General
5.2 Business continuity management (BCM) terminology
5.3 Organizational environment
5.4 Applicable laws, regulations and other requirements
5.5 Relationships in the business continuity management process
5.6 Business impact analysis and risk assessment
5.7 Business continuity strategy
5.8 Incident management
5.9 Business continuity plan
5.10 Business continuity drills
5.11 BCMS performance evaluation
6 Competence requirements for personnel conducting application review to determine required audit team competence, select audit team members and determine audit time
6.1 General
6.2 BCM terminology
6.3 Organizational environment
6.4 Relationships in the business continuity management process
Appendix A (Informative) Knowledge for auditing and certification of business continuity management systems
References
Foreword
GB/T 27021 "Conformity assessment - Requirements for bodies providing audit and certification of management systems" is divided into the following 7 parts:
- Part 1: Requirements;
- Part 2: Competence requirements for auditing and certification of environmental management systems;
- Part 3: Competence requirements for auditing and certification of quality management systems;
- Part 4: Competence requirements for auditing and certification of sustainability management systems for large-scale events;
- Part 5: Competence requirements for auditing and certification of asset management systems;
- Part 6: Competence requirements for auditing and certification of business continuity management systems;
- Part 7: Competence requirements for auditing and certification of road traffic safety management systems.
This part is Part 6 of GB/T 27021.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part adopts ISO/IEC TS 17021-6:2014 "Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 6: Competence requirements for auditing and certification of business continuity management systems" identically, using the translation method.
The Chinese documents that correspond to the international documents normatively referenced in this part are as follows:
- GB/T 27000 Conformity assessment - Vocabulary and general principles (GB/T 27000-2006, ISO/IEC 17000:2004, IDT)
- GB/T 30146 Societal security - Business continuity management systems - Requirements (GB/T 30146-2013, ISO 22301:2012)
This part was proposed by, and is under the jurisdiction of, the National Technical Committee for Certification and Accreditation Standardization (SAC/TC 261).
Please note that some of the contents of this document may be the subject of patents. The issuing body of this document does not accept responsibility for identifying any such patents.
Drafting units of this part: China Cybersecurity Review Technology and Certification Center, China National Accreditation Service for Conformity Assessment, Shandong Institute of Standardization, China Certification and Accreditation Association, Dongfeng Consulting Co., Ltd., Shanghai Anyan Information Technology Co., Ltd., Qi'anxin Technology Group Co., Ltd., Guangdong Huneng Information Technology Co., Ltd., Yuntianben (Beijing) Information Technology Co., Ltd., Guangdong Kangyun Technology Co., Ltd., Ping An Technology (Shenzhen) Co., Ltd.
Main drafters of this part: Wei Jun, Yang Zhe, Wang Yiliang, Wang Shuguang, Shi Lei, Wang Qian, Qian Yingjie, Shi Jijian, Bao Xuhua, Su Yunfeng, Qin Feng, Zhang Mingzhuang, Jin Lijie, Li Jiakang.
Introduction
This part supplements ISO/IEC 17021:2011 and in particular clarifies the competence requirements for personnel involved in the certification process described in Annex A of ISO/IEC 17021:2011.
The guiding principles in Clause 4 of ISO/IEC 17021:2011 are the basis for the requirements in this part. The certification body has a responsibility to interested parties (including its own clients and the customers of organizations whose management systems are certified) to ensure that only auditors who have demonstrated the relevant competence carry out business continuity management system (BCMS) audits.
Personnel involved in BCMS certification need the generic competence described in ISO/IEC 17021:2011 as well as the BCMS-specific knowledge described in this part.
The certification body needs to identify the audit scope for each BCMS audit.
In this part, the following verbal forms are used:
- "shall" indicates a requirement;
- "should" indicates a recommendation;
- "may" indicates a permission;
- "can" indicates a possibility or a capability.
Further details of these verbal forms are given in Part 2 of the ISO/IEC Directives.
1 Scope
This part of GB/T 27021 supplements the existing requirements of ISO/IEC 17021:2011. It contains specific competence requirements for personnel involved in the certification process of a business continuity management system (BCMS).
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17000 Conformity assessment - Vocabulary and general principles
ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems
ISO 22300 Societal security - Terminology
ISO 22301 Societal security - Business continuity management systems - Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301, ISO/IEC 17000 and ISO/IEC 17021:2011 apply.
4 General competence requirements
The certification body shall comply with Table A.1 of ISO/IEC 17021:2011. When defining the competence requirements for each certification function, the certification body shall take into account all of the requirements specified in ISO/IEC 17021:2011 and all of the requirements specified in Clauses 5 and 6 of this part.
NOTE 1: Appendix A provides an informative summary of the competence requirements for personnel involved in specific certification functions.
NOTE 2: ISO 19011 provides information on audit principles.
5 Competence requirements for BCMS auditors, persons reviewing audit reports and persons making certification decisions
5.1 General
All BCMS auditors, persons reviewing audit reports and persons making certification decisions shall have competence that includes the applicable competence specified in ISO/IEC 17021:2011 and the BCMS knowledge described in 5.2 to 5.11 of this part.
NOTE 1: Each auditor in the audit team does not need to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives.
NOTE 2: Although the basic elements of these knowledge requirements are the same, it is recognized that the level of detail of the knowledge required may vary between auditors, persons reviewing audit reports and persons making certification decisions. This is determined by each certification body.
5.2 Business continuity management (BCM) terminology
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the terms, definitions and concepts of BCM and risk.
5.3 Organizational environment
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the environment in which the organization operates.
5.4 Applicable laws, regulations and other requirements
The audit team, persons reviewing audit reports and persons making certification decisions shall have the knowledge needed to determine whether the organization has identified, and evaluated its compliance with, the applicable legal and other requirements.
NOTE 1: Administrative and regulatory requirements may be expressed as legal requirements.
NOTE 2: Other requirements may include voluntary national, international and industry-specific agreements.
5.5 Relationships in the business continuity management process
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the relationships between the elements of BCM.
5.6 Business impact analysis and risk assessment
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of business impact analysis (BIA), including:
- methodologies and techniques;
- identification of product and service delivery activities;
- assessment of impacts over time to identify when they become unacceptable;
- setting priorities for resumption;
- identification of dependencies and supporting resources.
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of risk assessment and risk management, including:
- methodologies and techniques;
- identification, analysis and evaluation of risks associated with disruptive incidents;
- effectiveness of existing controls;
- identification of appropriate risk treatments.
5.7 Business continuity strategy
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of the strategies and methodologies for reducing the impact and likelihood of disruptive incidents, including:
- strategy development;
- preparatory measures;
- selection of alternative strategies;
- cost-benefit analysis of the continuity strategy;
- methods of coordination with external stakeholders;
- incident response;
- communication;
- command and control;
- coordination of the response organization;
- recovery and reconstruction.
5.8 Incident management
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of incident management measures in order to determine whether the organization has identified appropriate responses to disruptive incidents, including warning and communication needs. The audit team, persons reviewing audit reports and persons making certification decisions shall have the knowledge needed to evaluate the effectiveness of the organization's testing of its incident management capabilities.
5.9 Business continuity plan
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of business continuity planning, including the establishment, development and maintenance of business continuity plans and the purpose, format, structure and level of detail of their procedures.
5.10 Business continuity drills
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of planning and conducting business continuity drills, including the types of drills, and the processes, techniques and criteria for evaluating the organization's ability to meet its recovery priorities and recovery objectives.
5.11 BCMS performance evaluation
The audit team, persons reviewing audit reports and persons making certification decisions shall have knowledge of BCMS performance evaluation, including knowledge of indicators and performance measurements, in order to determine whether the performance of the organization's BCMS is achieving the goals and objectives set by its management.
6 Competence requirements for personnel conducting application review to determine required audit team competence, select audit team members and determine audit time
6.1 General
Teams or individuals involved in other certification functions should have competence that includes the generic competence described in ISO/IEC 17021:2011 and the BCMS knowledge described in 6.2 and 6.3 of this part.
6.2 BCM terminology
Teams or individuals involved in other certification functions should have knowledge of BCM terminology.
6.3 Organizational environment
Teams or individuals involved in other certification functions should have knowledge of the environment in which the organization operates.
6.4 Relationships in the business continuity management process
Teams or individuals involved in other certification functions should have knowledge of the relationships between the elements of BCM.
Appendix A
(Informative)
Knowledge for auditing and certification of business continuity management systems
Table A.1 provides a summary of the knowledge required for auditing and certification of BCMS. The table is informative because it identifies only the knowledge domains required for specific certification functions; the competence requirements for each certification function are given in the main text of this part. In Table A.1, "V" indicates that the certification body should determine the criteria and the depth of knowledge.
Table A.1 Knowledge table
Certification function: Conduct application review to determine required audit team competence, select audit team members and determine audit time
- Business continuity management terminology: V (see 6.2)
- Organizational environment: V (see 6.3)
- Relationships in the business continuity management process: V (see 6.4)

Certification function: Review audit report and make certification decision
- Business continuity management terminology: V (see 5.2)
- Organizational environment: V (see 5.3)
- Applicable laws, regulations and other requirements: V (see 5.4)
- Relationships in the business continuity management process: V (see 5.5)
- Business impact analysis and risk assessment: V (see 5.6)
- Business continuity strategy: V (see 5.7)
- Incident management: V (see 5.8)
- Business continuity plan: V (see 5.9)
- Business continuity drills: V (see 5.10)
- BCMS performance evaluation: V (see 5.11)

Certification function: Audit and lead the audit team
- Business continuity management terminology: V (see 5.2)
- Organizational environment: V (see 5.3)
- Applicable laws, regulations and other requirements: V (see 5.4)
- Relationships in the business continuity management process: V (see 5.5)
- Business impact analysis and risk assessment: V (see 5.6)
- Business continuity strategy: V (see 5.7)
- Incident management: V (see 5.8)
- Business continuity plan: V (see 5.9)
- Business continuity drills: V (see 5.10)
- BCMS performance evaluation: V (see 5.11)
The audit team should have the professional knowledge and skills, or be supplemented by technical experts where necessary. When an audit is conducted by an audit team, the team as a whole should collectively possess the necessary skills to the required level, without every member of the team needing to have all of these skills.
References
ISO 19011 Guidelines for auditing management systems
ISO 22313 Societal security - Business continuity management systems - Guidance
ISO 22398 Societal security - Guidelines for exercises
ISO 31000 Risk management - Principles and guidelines
ISO Guide 73 Risk management - Vocabulary
IEC 31010 Risk management - Risk assessment techniques