Transition arrangements for ISO/IEC 27006-1:2024

Bulletin date:
Bulletin number: 2024-18

Action required

ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems and IAF MD29:2024 Transition Requirements for ISO/IEC 27006-1:2024 were published earlier this year.

All SCC-accredited Information Security Management System (ISMS) certification bodies need to transition to the latest version of the standard by the deadline.

Affected customers

Information Security Management System customers and applicants.

Background

ISO/IEC 27006-1:2024 was published on March 31, 2024, replacing ISO/IEC 27006:2015/AMD1:2020.

New requirements

The main changes include:

  • Refined requirements for remote audits:
    • New requirements for deploying remote audit (section 9.1.3.3).
    • The extent and effectiveness of applying remote audit shall be indicated in the audit report (section 9.4.3.2).
    • Removed the requirement to obtain approval from the accreditation body if the remote auditing activities represent more than 30% of the planned on-site audit time.
    • For clients with few or no relevant physical sites, the audit report (section 9.4.3.2) and certification document (section 8.2.2) shall state that the client’s activities are conducted remotely.
  • Updated the audit time calculation requirement (Annex C):
    • Introduced the concept of persons performing certain identical activities (section C.2.1) and defined the requirement on how to determine the initial number of persons in section C.3.4.
    • New requirements for audit time for scope extensions (section C.7).
    • Clarified the approaches to calculate audit time of multiple sites (section C.6).
  • Updated Annex D of ISO/IEC 27006:2015 to align with the information security controls listed in Annex A of ISO/IEC 27001:2022 and transferred it to Annex E of ISO/IEC 27006-1:2024. Table D was relabeled as Table E.
  • Refined the requirements for referencing other standards in the ISMS certification documents (section 8.2.3).
  • Removed the redundancies with ISO/IEC 17021-1:2015. Clauses 5.2, 7.1.3, 9.3.2.2, and 9.4 (ISO/IEC 27006-1:2024) have been updated.
  • Removed the quantitative requirement for the work experience and training of ISMS auditors.

Given the scope of changes introduced in ISO/IEC 27006-1:2024, SCC estimates that an initial 1.25 days of effort is required on its part to review the changes and complete the associated administrative activities. This effort depends on the completeness and clarity of the submission received from the conformity assessment body (CAB).

An office assessment may be required if SCC is unable to verify the effective implementation of, and conformance with, the CAB's transition arrangements. SCC will raise mandatory findings, to be handled in the normal way, if there is insufficient evidence to confirm that the CAB adequately addresses the revised requirements.


Deadline

  • March 31, 2024 - Publication of ISO/IEC 27006-1:2024
  • December 31, 2024 - SCC will begin assessing to ISO/IEC 27006-1:2024
  • March 31, 2025 - SCC will use ISO/IEC 27006-1:2024 for all initial accreditation assessments, including extensions to existing assessments.
  • March 31, 2026 - Deadline for all CABs to complete the transition to ISO/IEC 27006-1:2024 and use this standard for all their clients in the program.


Note: For clients certified before the transition deadline, the CAB may use either ISO/IEC 27006:2015 or ISO/IEC 27006-1:2024 for surveillance audits once it has been accredited to ISO/IEC 27006-1:2024.

All SCC-accredited Information Security Management System certification bodies shall complete the following steps by September 30, 2024:

  • Submit transition arrangements and plan to SCC and be ready to apply the new requirements according to the deadlines indicated above.
  • Complete a gap analysis.
  • Prepare a transition plan that addresses:
    • changes between old and new processes, for example sales/quoting, auditing process, certification document, competence management and communication with existing certified clients;
    • analysis of the impact of the changes on certification auditing activities and processes, identifying actions to ensure conformance.
  • Ensure that relevant personnel are competent in the revised version and the transition processes.

Questions?

Please contact Abdel Kassou, Director, Accreditation Services, abdel.kassou@scc-ccn.ca or +1 613 238 3222 for more information.