
ISO/IEC 27006‑1:2024 Published: Major Changes in ISMS Audits

In March 2024, ISO/IEC 27006‑1:2024 was published, bringing significant updates and new provisions for bodies that audit and certify Information Security Management Systems (ISMS). This revision changes the rules for remote auditing, updates the audit time calculation method, and streamlines documentation requirements. Certification bodies are expected to complete their transition to the revised standard by 31 March 2026.

In this article, we discuss the transition process in detail and highlight the key changes introduced by the new standard.

The International Accreditation Forum (IAF) has set out the requirements for the transition to the new standard in IAF MD 29:2024.

Key Changes Introduced by ISO/IEC 27006‑1:2024

  • Enhanced requirements for remote audits

  • New requirements on how remote auditing activities are distributed within the audit

  • The audit report must state the scope and effectiveness of any remote auditing

  • Removal of the requirement to obtain Accreditation Body approval when remote auditing exceeds 30 % of the planned on-site audit time

  • For clients with few or no physical sites, the audit report and the certificate must state that the activity was conducted remotely

  • Annex B of ISO/IEC 27006:2015 has been renumbered as Annex C

  • Audit time calculation requirements have been updated (Annex C)

  • Introduction of the concept of “persons performing identical specific activities” for determining the initial headcount used in audit time calculation

  • New requirements for audit time when the audit scope is extended

  • Clarification of the approaches for calculating audit time across multiple sites

  • Annex C of ISO/IEC 27006:2015 has been renumbered as Annex D

  • Annex D of ISO/IEC 27006:2015, aligned with the controls in Annex A of ISO/IEC 27001:2022, has become Annex E of ISO/IEC 27006‑1:2024; Table D is now Table E

  • Requirements for referencing other standards in ISMS certification documents have been explicitly defined

  • Improved alignment with ISO/IEC 17021‑1 by eliminating redundancy; clauses 5.2, 7.1.3, 9.3.2.2 and 9.4 were updated accordingly

  • Quantitative requirements for ISMS auditors’ experience and education (for example, four years of full-time practical work experience) have been removed

Because ISO/IEC 27006‑1:2024 changes how audit time is determined, existing contracts with certified clients may need to be revised.

We inform all our clients and relevant stakeholders that our personnel and the documentation involved in our ISMS certification activities will be fully aligned with this revision by 31 March 2026.

For detailed information about these changes, please feel free to contact us.
