ISO 27006:2024 – What’s New?

If you are certified to ISO 27001:2022, the information security management system standard, or are planning to be, this update to ISO 27006-1 may affect you.

Here we look at the changes and how ISO 27001 Certification Bodies may apply them.

What is ISO/IEC 27006-1:2024?

ISO/IEC 27006-1:2024 sets out the requirements for bodies providing audit and certification of information security management systems, and has long been used by certification bodies to determine the number of audit days required.

What has changed in ISO/IEC 27006-1:2024?

The newly revised standard has several significant changes, including:

Addressing Remote ISO 27001 Audits

Since 2020 the trend has been for more audits to be carried out remotely. This updated standard refines the provisions for remote auditing.

It should also be noted that there is an ongoing project to develop a standard to address remote audits under ISO 17012.

New ISO 27001 Audit Time Calculations

Annex C breaks out the audit time calculations in more detail, providing sub-annexes for surveillance, recertification, multi-site and extension-to-scope audits.

This appears to give a much clearer steer in these areas.

It should also be noted that multi-site guidance is provided by the International Accreditation Forum (IAF) under: IAF MD for certification of multi-site organisations (who do not meet the IAF MD1 eligibility criteria for sampling)

Annex E, Guidance for Review of Implementation Changes

Annex E, Guidance for Review of Implementation Changes, has aligned to the updated ISO 27001:2022 control set.

In addition, Clause 9.1.1.2 suggests that an organisation can achieve compliance even where NO ISO 27001:2022 Annex A controls are adopted, provided the organisation has designed its own controls or identified them from another source. In reality this is unlikely to happen.

Changes to ISO 27001 Auditor Competence and Experience

The standard has also removed the quantitative requirement for ISMS auditors to have 4 years of full-time practical workplace experience, although auditors must still be competent on the basis of experience and/or training.

What Does ISO/IEC 27006-1:2024 Mean for Clients?

Clients and organisations who have implemented ISO 27001:2022 do not necessarily need to be familiar with the requirements of ISO 27006; however, it can be useful to have an awareness of how the certification body may approach the audit.

Our Certification Management Team can help you define the scope of your ISMS effectively and make the correct application to your chosen Certification Body to avoid delays.
Contact Us for support!

What Does ISO/IEC 27006-1:2024 Mean for Individual Auditors?

Existing ISO 27001 auditors would benefit from familiarising themselves with the requirements of ISO 27006:2024, as this will inform how they conduct ISMS audits on behalf of a certification body.

For those considering a career as an ISO 27001 Auditor, pay particular attention to the competence and experience requirements of the standard.

Contact the ‘Careers In Standards’ project for support entering the certification industry.

What Does ISO/IEC 27006-1:2024 Mean for Certification Bodies?

Accredited certification bodies will be required to operate to the updated ISO 27006:2024 when determining ISO 27001 audit time and generally conducting audits.

National accreditation bodies will issue their own bulletins; however, as an example, UKAS issued the following on 7th March 2024: ISO/IEC 27006-1:2024 ISMS transition arrangements.

This includes a requirement to submit a Gap Analysis to the new standard by 30th April 2024.

Other key dates:

  • 01 March 2024. Publication of ISO/IEC 27006-1:2024
  • 01 May 2024. UKAS ready to assess to ISO/IEC 27006-1:2024
  • 31 July 2025. All UKAS transitions of Certification Bodies completed.