The revision of ISO 27006 brings significant changes for ISMS audits according to ISO 27001—especially for digitized companies. I have looked into this and identified the following key points:

New calculation logic for audit days

  • Number of employees instead of locations: Audit time is now calculated solely on the basis of the number of people working within the ISMS scope—including freelancers and external staff.
  • Locations no longer drive the calculation: The previous requirement that physical locations be automatically included in the calculation has been removed. Instead, audit days are allocated according to the risk assessment and the key activities within the ISMS scope.

Updated remote audit policies

  • More flexible remote auditing: The previous 30% cap on remote auditing has been removed. Instead, the focus is on the effectiveness of the methodology.
  • Clear documentation requirement: Where a company operates virtually, without physical locations, the audit report must state this explicitly.

Simplified auditor qualification

  • No rigid experience requirements: Quantitative requirements such as “four years of professional experience” for auditors have been eliminated. Competence assessment is now risk-based.

Technical adjustments

  • Control alignment: Annex E has been aligned with the updated security controls in ISO 27001:2022.
  • Redundancies removed: Duplications with ISO/IEC 17021-1 (General requirements for certification bodies) have been eliminated.

More transparent multi-site audits

  • Detailed specifications: Annex C now provides explicit calculation methods for surveillance audits, recertifications, and multi-site scenarios.

All in all, I believe these are very helpful adjustments that will make the audit procedures of certification bodies more realistic than before. What strikes me is that not all certification bodies seem to have implemented these changes yet. In any case, just last week I received another data request document that still asked for the number of locations—and in which these were also included in the calculation of the audit effort.
