The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001—especially for digitized companies. I have looked into this and identified the following key points:

New calculation logic for audit days

  • Number of employees instead of locations: Audit time is now calculated solely on the basis of the number of people working within the ISMS scope—including freelancers and external staff.
  • Location relevance no longer applies: The previous requirement to automatically include physical locations in the calculation has been removed. Instead, audit days are allocated according to risk assessment and key activities.

Updated remote audit policies

  • More flexible remote auditing: The previous 30% cap on remote auditing has been removed. Instead, the focus is on the effectiveness of the methodology.
  • Clear documentation requirement: For companies that operate virtually without physical locations, this must be explicitly noted in the audit report.

Simplified auditor qualification

No rigid experience requirements: Quantitative requirements such as “four years of professional experience” for auditors have been eliminated. Competence assessment is now risk-based.

Technical adjustments

  • Control alignment: Annex E has been aligned with the updated security controls in ISO 27001:2022.
  • Redundancies removed: Duplications with ISO/IEC 17021-1 (General requirements for certification bodies) have been eliminated.

More transparent multi-site audits

Detailed specifications: Annex C now provides explicit calculation methods for surveillance audits, recertifications, and multi-site scenarios.

All in all, I believe these are very helpful adjustments that will make the audit procedures of certification bodies more realistic than before. What strikes me is that not all certification bodies seem to have implemented these changes yet. In any case, just last week I received another data request document that still asked for the number of locations—and in which these were also included in the calculation of the audit effort.
