ISO/IEC 27006-1:2024, the standard that defines the requirements for Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General, was published in March 2024. ANAB-accredited certification bodies (CBs) will have 24 months from the last day of the publication month of ISO/IEC 27006-1:2024 (i.e., 31 March 2026) to transition to ISO/IEC 27006-1:2024. ANAB will use ISO/IEC 27006-1:2024 for all initial (or an extension to existing) accreditation assessments no later than 31 March 2025.
Certification bodies will be required to use ISO/IEC 27006-1:2024 for all initial and recertification audits immediately after accreditation for ISO/IEC 27006-1:2024. All ANAB-accredited and applicant information security management systems (ISMS) CBs will be required to use ISO/IEC 27006-1:2024 for all clients no later than 31 March 2026.
Changes to ISO/IEC 27006-1:2024
The primary differences between ISO/IEC 27006:2015 / ISO/IEC 27006:2015-AMD 1:2020 and ISO/IEC 27006-1:2024 include, but are not limited to:
- Added several new definitions and terms
- Deleted the quantitative requirement for work experience and training for ISMS auditors (e.g., 4-year full time practical workplace experience)
- Defined requirements more clearly for referencing other standards in the ISMS certification documents
- Removed the redundancies with ISO/IEC 17021-1:2015. (e.g., 5.2, 7.1.3, 9.3.2.2, 9.4)
- Defined new requirements for deploying remote audits
- Added requirement that the extent and effectiveness of applying a remote audit be included in the audit report
- Removed requirement for obtaining approval from the accreditation body (AB) if remote auditing activities represent more than 30% of planned on-site audit time
- Added requirement for audit report and certification document for organizations with few or no physical relevant sites state that organization’s activities are conducted remotely
- Relabeled Annex B from ISO/IEC 27006:2015 to Annex C, “Audit time”
- Updated the audit time calculation requirement in Annex C
- Introduced the concept of persons performing certain identical activities (effective number of personnel) and defined the requirement for how to determine the initial number of persons using this new concept
- Defined new requirements for audit time for scope extensions
- Clarified the approaches for calculating audit time for multi-sites
- Relabeled Annex C from ISO/IEC 27006:2015 to Annex D, “Methods for audit time calculations”
- Relabeled Annex D from ISO/IEC 27006:2015 to Annex E, “Guidance for review of implemented ISO/IEC 27001:2022, Annex A controls,” and updated the annex to align with the information security controls listed in Annex A of ISO/IEC 27001:2022
Transition for ANAB-Accredited Certification Bodies
ANAB will utilize a transition application to meet the IAF MD 29:2024 requirements and will announce the release of the application in early September via a Heads Up. CBs are encouraged to transition early to avoid delays due to the large number of CBs required to transition to ISO/IEC 27006-1:2024 by 31 March 2025.