ISO/IEC 27006-1:2024 contains the formal requirements for certification bodies that must be implemented when auditing an information security management system (ISMS). It therefore regulates inspection bodies that audit and certify companies in accordance with ISO 27001. This means that changes to ISO 27006 also have an impact on ISMS audits in conformity with ISO 27001.
ISO/IEC 27006 was revised in December 2024. What changes should you be aware of? And what are the consequences for companies undergoing ISO 27001 audits? We asked Maximilian Müller, Managing Security Consultant at usd AG. He has been accompanying companies preparing for and undergoing ISMS audits for years and took a look at the new version for us.
ISO/IEC 27006-1:2024 - What Is Changing for ISMS Audits?
The update of the ISO standard is accompanied by significant changes that affect the calculation of audit time and performance of ISMS audits in accordance with ISO 27001. Four areas are particularly significant in terms of their impact:
Number of Employees: Who Is Included in the Time Expenditure Calculation?
The change with the greatest impact on the planning of an ISMS audit concerns the definition of the people who work for the company undergoing certification: It was expanded to include the phrase “regardless of whether they are members of the organization or not”. If a company employs freelancers, for example, they must be counted when calculating the time required for the ISMS audit, provided they are within the scope of the ISMS. The exact number of employees relevant to the ISMS therefore becomes an integral part of the initial calculation of the time required for your audit.
Company Location as Part of the Calculation of Effort: Simplified Calculation of Time and On-Site Distribution?
For companies with multiple sites, the time required for an ISO 27001 audit will in future be calculated based on the total number of people working for the company. The number of sites of a company will no longer be relevant for calculating the time needed. The calculated audit days are to be distributed accordingly based on the relevance of the respective location for the ISMS, the activities on site and the potential risks.
“Shifting the focus of the effort calculation - away from the company locations and towards the employees - makes much more sense, as it enables a more realistic and company-specific assessment.”
Maximilian Müller

Remote Audits: Relief for Audit Planning?
The restriction on the proportion of remote audits in the certification process has been fundamentally revised. Now, separate pre-approval of the audit plan is no longer necessary if the proportion of remote audit activities exceeds 30 percent. As part of the initial certification audit, the audit activities include both Stage I and Stage II.
“The removal of the time limit for the proportion of remote audits will bring a noticeable relief in planning for many companies. The previous 30 percent limit was often quickly reached, making it almost impossible to avoid travel times and costs. In the future, the remote share can be arranged more flexibly, which not only saves time, but also reduces the organizational effort.”
Maximilian Müller
Scope Extensions: An Addition to ISO 27006
A new addition is a specification for calculating the time required for scope extensions. The ISO standard specifies exactly which criteria will be used to calculate the audit time in the future. These include, among other factors:
- Activities of the current certification
- Number of controls that are relevant for certification
- Information risks that are added in connection with the new activities
Digression: The DAkkS
In Germany, the German Accreditation Body (DAkkS) is responsible for the accreditation of testing and certification bodies. As a central national organization, it ensures that these bodies comply with defined standards. In this way, the DAkkS guarantees the quality and trustworthiness of certifications in various areas.
Do you have any questions or need support in carrying out your ISO 27001 audit? Contact us, our experts will be happy to help you.