TEN Information Management GmbH

Overview of significant changes to ISO/IEC 27006-1:2024

The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001—especially for digitized companies. I have looked into this and identified the following key points:

New calculation logic for audit days

  • Number of employees instead of locations: Audit time is now calculated solely on the basis of the number of people working within the ISMS scope—including freelancers and external staff.
  • Location relevance no longer applies: The previous requirement to automatically include physical locations in the calculation has been removed. Instead, audit days are allocated according to risk assessment and key activities.

Updated remote audit policies

  • More flexible remote auditing: The previous 30% cap on remote auditing has been removed. Instead, the focus is on the effectiveness of the methodology.
  • Clear documentation requirement: For companies that operate virtually without physical locations, this must be explicitly noted in the audit report.

Simplified auditor qualification

No rigid experience requirements: Quantitative requirements such as “four years of professional experience” for auditors have been eliminated. Competence assessment is now risk-based.

Technical adjustments

  • Control alignment: Annex E has been aligned with the updated security controls in ISO 27001:2022.
  • Redundancies removed: Duplications with ISO/IEC 17021-1 (General requirements for certification bodies) have been eliminated.

More transparent multi-site audits

Detailed specifications: Annex C now provides explicit calculation methods for surveillance audits, recertifications, and multi-site scenarios.

All in all, I believe these are very helpful adjustments that will make the audit procedures of certification bodies more realistic than before. What strikes me is that not all certification bodies seem to have implemented these changes yet. In any case, just last week I received another data request document that still asked for the number of locations—and in which these were also included in the calculation of the audit effort.

Tags

Share post

More articles

Lack of security awareness in German companies

“37.0 percent of companies in Germany do not regularly train their employees on topics such as spam or phishing. (…) Only every third company (35.5 percent) has a patch management policy. Yet security gaps in...
Read more

AI phone fraud

A few months ago, BR reported on attacks that work very similarly to the analogue “grandson trick”. Attackers pretend to be a close family member, claiming to be in an emergency situation – and in...
Read more

The underestimated danger: Misconfigurations in Microsoft Windows Active Directory environments

Every company that uses Microsoft technologies is familiar with this: its own Windows environment is constantly growing, numerous settings are changed in the Active Directory every day, objects are created and deleted again. What about...
Read more