: Rules for planning and performing audits, including the time required for an audit (often calculated using a formula based on organization size).

For the organization being certified – no, you do not need to read ISO 27006. For the certification body – yes, they must be accredited against ISO 27006.

ISO 27006 dedicates significant sections to the competence of auditors. If you are hiring a certification body, you want to know that the auditors walking into your server room are qualified. The standard defines the specific knowledge auditors must have regarding: