Updated ISO/IEC 27006-1:2024 giving confidence in certification | CQI | IRCA
Steve Wilson ISO/IEC 27006-1
Home

Updated ISO/IEC 27006-1:2024 giving confidence in certification

Progress indicator

Steve Wilson ISO/IEC 27006-1
Published: 22 May 2024

BS EN ISO/IEC 27006-1:2024, giving requirements for bodies that provide audit and certification of information security management systems, was published in March this year. Steve Watkins, Chair of the BSI technical committee IST/33 for information security, cybersecurity and privacy protection standards, and co-editor of the standard, talks through its key points.

BS EN ISO/IEC 27006-1:2024 is the UK adoption of ISO/IEC 27006-1:2024, the information security management system (ISMS)-specific extension of ISO/IEC 17021-1, the discipline-generic requirements for providing audit and certification of management systems.

The (rather long-winded!) full name of the standard is ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems.

It replaces ISO/IEC 27006:2015 and, together with ISO/IEC 17021-1, sets the requirements for audit bodies to ensure we can have confidence in the ISO/IEC certificates issued by accredited certification bodies.

Extending the requirements

The change from ISO/IEC 27006 to ISO/IEC 27006-1 facilitates a multi-part series of standards. This accommodates the extension of the ISMS certification scheme for privacy information management and ISO/IEC 27701:2019, with the accreditation requirement extensions published in ISO/IEC 27006-2.

The ISO/IEC 27006-1 requirements cover topics such as: independence and impartiality; competence of various roles involved in providing a certification service; certification documents; the certification and audit processes, including the minimum audit duration; and the certification decision process. There is also a section on appeals and complaints.

In each of these areas, ISO/IEC 27006-1 extends the requirements in ISO/IEC 17021-1.

The 2024 edition is a limited revision of the previous standard, published in 2015.

The requirements relating to conducting audit activity remain largely unchanged. The importance of the boundary of the ISMS, the information security risk assessment, and the relationship between the risk decision, risk treatment plan and Statement of Applicability being considered during audits remains.

"The existence of ISO/IEC 27006-1 means all users of standards can derive a consistent level of confidence in accredited ISO/IEC 27001 certificates of conformity."

Steve Watkins, Chair of the BSI technical committee for information security, cybersecurity and privacy protection standards, IST/33, and a Director at Kinsnall Consulting, UK.

Other largely unchanged requirements are those relating to considering the effectiveness of internal ISMS audit and management review arrangements, along with multiple references to information security controls throughout the certification activity requirements. These references range from determining audit time and the design of the audit programme, through the audit plan, to their effectiveness being considered across the audits in the certification cycle.

Key changes to the standard

Despite this similarity in the versions, the 2024 edition does introduce some key changes, including:

  • Accommodating remote auditing to a greater extent, reflecting the increasing move to remote operations and the emergence of virtual organisations.
  • Changes to the requirements for determining the audit duration and audit time. This includes introducing some flexibility for accommodating situations where many people in scope are performing identical activities, potentially resulting in a lower minimum audit time than would have been the case previously.
  • Clarification of the requirements for handling multi-site certifications and scope variations, including ensuring there is sufficient audit time to enable a suitably informed recommendation and subsequent decision to offer certification or extend the scope of it.
  • How certificates can reference information security control sets from sources other than ISO/IEC 27001 Annex A, including not implying the certificate is for conformity to those alternative sources of controls.
  • The table (previously at Annex D, but at Annex E in the 2024 version) that provides guidance on how the ISO/IEC 27001 Annex A controls might be reviewed has been updated to reflect the 2022 reference control set.
    It indicates where individual controls might be reviewed through either system testing or visual inspection, and provides possible items of evidence demonstrating the design and implementation of the control.

There are also some relatively minor changes to the requirements for an audit body’s competence scheme for those roles involved in ISMS certification activity. The standard recognises roles for application review, reviewing audit reports and making certification decisions, and, of course, conducting audits (audit team leaders, auditors and technical experts).

Implications for organisations

Given ISO/IEC 27006-1:2024 is a replacement for ISO/IEC 27006:2015, it means that organisations working with the standard need to transition to the new standard.

The implication of this for various bodies is summarised below.

  • •Accreditation bodies: need to start assessing certification bodies to the 2024 standard. This includes making sure their assessors are competent in working with the 2024 standard.
  • Certification bodies: need to update their ISMS certification management system to reflect the changed requirements in ISO/IEC 27006-1:2024.
  • Organisations with accredited certification to ISO/IEC 27001: should not need to do anything. They simply benefit from the evolving scheme requirements and additional flexibilities that their certification body may be able to offer.

It should be noted that the 'BS EN’'at the start of BS EN ISO/IEC 27006-1:2024 has a significance. EN represents the European-wide adoption of the international standard and the BS reflects the UK adoption of it. Together, these ensure the ISMS-accredited certification scheme arrangements in the UK and across Europe are consistent with the rest of the world, delivering ‘equivalent’ certificates.

Summary

The publication of ISO/IEC 27006-1:2024 means the ISO/IEC 27001 certification scheme requirements that ensure equivalence in ISMS certificates issued as part of the worldwide accredited certification scheme have been refreshed to reflect changing operational practices.

The existence of ISO/IEC 27006-1 means all users of standards can derive a consistent level of confidence in accredited ISO/IEC 27001 certificates of conformity.

About the author

Steve Watkins is Chair of the BSI Technical Comittee for information security, cybersecurity and privacy protection standards, IST/33, and through his membership of ISO/IEC JTC 1/SC 27 was co-editor of ISO/IEC 27006-1:2024. He contributes to the operation of the accredited certification scheme as a contracted UKAS Technical Assessor. 

He is a Director at Kinsnall Consulting, and is also a published author, with the 8th edition of IT Governance – An international guide to data security and ISO 27001/ISO 27002 due to be published this year. 

Read more about cybersecurity

Gary Ruffhead CQP MCQI takes a closer look at ISO 27001 and managing risk for information security, cybersecurity and privacy protection.

Click to find out more

Tags

Quality Live 2024

Quality Live 24
Quality Live 2024: Conference and awards

Quality World

Get the latest news, interviews and features on quality in our industry leading magazine.

Read the magazine

Access the CQI Quality Learning Hub

CQI Quality Learning Hub .png

Supporting your professional development

Explore the hub today