New version of ISO/IEC 27006 for information security management systems

The new version of ISO/IEC 27006, ISO/IEC 27006-1:2024 "Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems – Part 1: General", has been published.

In MD 29 “Transition Requirements for ISO/IEC 27006-1:2024”, the International Accreditation Forum (IAF) describes the transition requirements for this new version. The transition to the new version of the standard is relevant for accredited certification bodies (CBs) for ISO/IEC 27001.

Key points from MD 29:

  • CBs must acquire accreditation for certification against this new version within 24 months after publication, meaning: CBs must be accredited before March 31, 2026.
  • CBs must have completed the transition of their clients to ISO/IEC 27006-1:2024 within 24 months after publication. The certified organizations may be certified against the old version until March 31, 2026.
  • Once accredited to ISO/IEC 27006-1:2024, CBs may not conduct initial or re-certification audits using ISO/IEC 27006:2015/Amd 1:2020.

Application for scope extension is necessary

An accreditation for ISO/IEC 27001 is granted in accordance with ISO/IEC 27006. For CBs that are accredited for ISO/IEC 27001 and would like to transition to ISO/IEC 27006-1:2024, the RvA process, based on IAF MD 29, is as follows. From now on, CBs may apply for a scope extension of their accreditation to ISO/IEC 27006-1:2024. The application can be submitted to the contact person at RvA as usual. Only complete applications will be accepted.

Along with the application for scope extension, in addition to the signed application forms F105 and F006-2, the CB must provide:

  • the internal audit report on the transition to the new standard;
  • a management review of the transition to the new standard;
  • a gap analysis of changes in ISO/IEC 27006-1:2024 compared to the last version;
  • a plan of action for the transition based on the gap analysis, fulfilling the requirements of MD 29;
  • method and content of provision of information by the certification body to its clients about the changes;
  • information that proves that auditors and decision makers have been trained for the new standard and how this has been secured in the management system.

Simultaneous decision

The extension applications that have been sent in and accepted before October 1, 2024, will be assessed in a simultaneous procedure. A simultaneous procedure has been decided upon to level the playing field as much as possible for all accredited CBs.

For CBs for which no non-conformities are found during this assessment, a simultaneous decision will be made on December 4, 2024.

CBs for which non-conformities are found may take corrective actions. The simultaneous decision for these CBs will be made on April 2, 2025.

For CBs that send in their extension application for ISO/IEC 27006-1:2024 after October 1, 2024 and thus do not take part in the simultaneous decision, the accreditation decision will be made after April 2, 2025.

The assessment will be conducted based on documents and will take a minimum of 8 hours, regardless of whether it is part of the simultaneous decision, is supplementing the regular assessment, or is filed as a separate extension application.

Adjusting scopes of accreditation

ISO/IEC 27006:2015/Amd-1:2020 will be listed on the scope of accreditation in order to make clear that the CB is accredited for this version. After gaining accreditation for ISO/IEC 27006-1:2024, both versions will be listed on the scope of accreditation. In addition, the entry for ISO/IEC 27006:2015/Amd-1:2020 will state that accreditation granted according to this standard is valid until April 1, 2026.

Not yet accredited for ISO 27001?

CBs that do not have accreditation for ISO/IEC 27001 may apply for an accreditation scope extension as per usual. The assessment will consist of a documentation assessment, an office assessment and a stage 1 and stage 2 witness assessment ISMS audit (see SAP-C010).

From April 1, 2025, the RvA will no longer accept new applications for accreditation for ISO/IEC 27001 granted in accordance with ISO/IEC 27006:2015/Amd-1:2020.