ISO/IEC 27006-1:2024 Transition

ISO/IEC 27006-1:2024 – Requirements for bodies providing audit and certification of information security management systems – Part 1: General was published in March 2024. The International Accreditation Forum (IAF) has set out the requirements for the transition to this standard in its document IAF MD 29:2024.

We inform all our customers and other interested parties that the process of bringing our organization's personnel and documentation involved in ISMS certification activities into compliance with this revision will be completed no later than March 31, 2026.

Key Changes Introduced by 27006-1:2024:

  • Improved requirements for remote audits:
    • New requirements have been added regarding the conduct of remote audits.
    • A requirement to state the scope and effectiveness of the remote audit in the audit report has been added.
    • The requirement to obtain approval from the accreditation body when remote audit activities exceed 30% of the planned on-site audit time has been removed.
    • For clients with few or no physical sites of interest, a requirement to state in the audit report and on the certificate that the audit of the client's activities was carried out remotely has been added.
  • Annex B of ISO/IEC 27006:2015 has been renamed Annex C:
    • The audit time calculation requirements have been updated (Annex C). The concept of individuals performing the same specific activities was introduced, and the method for determining the initial number of individuals using this concept was defined.
    • New requirements on audit duration for scope extensions were defined.
    • The approaches to calculating audit duration for multiple sites were clarified.
  • Annex C of ISO/IEC 27006:2015 has been renamed Annex D.
  • Annex D of ISO/IEC 27006:2015 has been carried over as Annex E of ISO/IEC 27006-1:2024 and aligned with the information security controls listed in Annex A of ISO/IEC 27001:2022. Table D has been renamed Table E.
  • The requirements for referencing other standards in ISMS certification documents have been defined more clearly.
  • Unnecessary repetition has been eliminated, giving better alignment with ISO/IEC 17021-1. For example, clauses 5.2, 7.1.3, 9.3.2.2 and 9.4 of ISO/IEC 27006-1:2024 have been updated.
  • The quantitative requirements for the work experience and training of ISMS auditors (e.g., 4 years of full-time practical workplace experience) have been removed.

Since the requirements for determining audit duration have changed in the 2024 edition of ISO/IEC 27006-1, the contracts between ASCERT CERTIFICATION and our existing certified clients may need to be revised.

You can contact us for detailed information about the changes.