ISO/IEC 27006‑1:2024 Standard Transition Announcement

We hereby notify all our clients and relevant stakeholders that our organization’s personnel and associated documentation involved in the ISMS (Information Security Management System) activities will complete the transition to comply with ISO/IEC 27006‑1:2024 — “Requirements for bodies providing audit and certification of information security management systems — Part 1” — no later than 31 March 2026, in accordance with the related requirements set by the International Accreditation Forum (IAF) in IAF MD 29:2024.

Key Changes Introduced by ISO/IEC 27006‑1:2024

  • Enhanced requirements for remote audits.
  • Added requirements regarding the deployment of remote audits.
  • New requirement to include the scope and effectiveness of remote audit application in the audit report.
  • Removal of the obligation to obtain approval from EU authorities if remote audit activities exceed 30% of the planned on-site audit duration.
  • New requirement to indicate in both audit reports and certificate documents when the client conducts few or no physical on-site activities and the audit is performed remotely.
  • Annex B and Annex C from ISO/IEC 27006:2015 have been renamed accordingly.
  • Updated requirements for audit duration calculation (Annex C).
  • Introduction of the concept “persons performing identical activities”, including requirements for determining the initial number of such persons.
  • New requirements defined for audit duration in scope expansions.
  • Clarified approaches for calculating audit time across multiple sites.
  • Annex C and Annex D of ISO/IEC 27006:2015 have been renamed.
  • Annex D of ISO/IEC 27006:2015 has been aligned with the information security controls listed in Annex A of ISO/IEC 27001:2022 and carried over as Annex E in ISO/IEC 27006‑1:2024; Table D and Table E have been similarly renamed.
  • Certification documentation requirements for referencing other standards have been clarified.
  • Better alignment with ISO/IEC 17021‑1 by removing unnecessary duplications. For example, clauses 5.2, 7.1.3, 9.3.2.2, and 9.4 in ISO/IEC 27006‑1:2024 have been updated.
  • The quantitative requirements regarding ISMS auditors’ work experience and education (e.g., four years of full-time practical workplace experience) have been removed.

Due to changes in the audit duration determination methods in ISO/IEC 27006‑1:2024, it may be necessary to revise the contracts that we, RoyalCert, have in place with our existing certified clients.

Please contact us for detailed information about these changes.
