ISO/IEC 27006-1:2024 specifies requirements for bodies providing audit and certification of an Information Security Management System (ISMS) against ISO/IEC 27001. Unlike the guidance standards in the 27000 family (27003, 27004, 27005, 27007), this is a normative requirements standard — certification bodies must comply with it to be accredited for ISO/IEC 27001 certification. It replaces ISO/IEC 27006:2015 and introduces significant updates reflecting the changes in ISO/IEC 27001:2022, including the restructured Annex A controls, enhanced competence requirements for auditors, and formalized provisions for remote auditing. For organizations seeking certification, understanding this standard is essential because it governs how certification bodies operate and how audits are planned, conducted, and reported.
ISO/IEC 27006-1 is NOT an optional guideline. It is a mandatory standard for certification bodies seeking or maintaining accreditation for ISO/IEC 27001 certification. Non-compliance can result in loss of accreditation status, which would prevent the body from issuing or maintaining valid ISO/IEC 27001 certificates.
1. Core Requirements for Certification Bodies
The standard is structured around the ISO/IEC 17021-1 (conformity assessment) framework, with ISMS-specific additions that address the unique aspects of auditing information security management systems. The key requirement areas provide a comprehensive governance framework for certification bodies:
| Requirement Area | Key Provisions | Auditor Impact |
| --- | --- | --- |
| Legal and contractual matters | Certification body must be a legal entity with agreements defining liability, confidentiality, and rights of appeal | Ensures auditors operate within a clear legal framework with defined rights and obligations |
| Management of competence | Competence criteria for auditors covering 27001 knowledge, risk management, ISMS principles, and sector-specific expertise | Auditors must maintain demonstrated competence through initial evaluation and ongoing monitoring |
| Audit duration | Detailed tables specifying minimum audit man-days based on effective headcount, scope complexity, number of sites, and risk factors | More complex organizations require longer audits; part-time and multi-shift adjustments are specified |
| Multi-site sampling | Statistical and risk-based rules for sampling multiple sites under a single certification scope | Sample size is limited based on total site count, homogeneity, and risk assessment results |
| Certification decision | Decision must be made by persons different from those who conducted the audit (separation of duties) | Ensures independence; the audit team recommends but does not grant certification |
| Surveillance and recertification | Minimum surveillance activity requirements, annual visit frequency, and recertification intervals | At least one on-site surveillance visit per year; full recertification audit every 3 years |
2. Key Changes in ISO/IEC 27006-1:2024
The 2024 edition introduces several important updates that reflect lessons learned since the 2015 edition and align with the evolving information security landscape:
- Alignment with ISO/IEC 27001:2022: The control structure now references the 93 controls of 27001:2022 Annex A, organized into 4 themes (organizational, people, physical, technological) instead of the previous 14 domains with 114 controls. Audit checklists, duration tables, and competence requirements have been adjusted to reflect this structural change.
- Enhanced competence requirements for emerging technologies: Auditors must now demonstrate understanding of cloud computing, artificial intelligence, IoT/OT security, and their associated risks. This reflects the modern threat landscape where traditional perimeter-based security models are no longer sufficient.
- Formalized remote audit provisions: The 2024 edition provides structured guidelines for conducting remote audit activities, including criteria for determining which activities can be performed remotely, information security requirements for remote assessment tools, and data protection considerations for cross-border remote audits.
- Revised audit duration tables: Updated minimum man-day calculations based on accumulated industry data and feedback, with increased scrutiny on any deviations from the standard durations. Systematic reduction of audit days as a competitive practice is explicitly discouraged.
A critical change in the 2024 edition is the increased scrutiny on audit duration. Certification bodies must now formally justify any deviation from the minimum audit durations specified in the standard’s tables. The practice of systematically reducing audit days below the recommended minimum — sometimes used by certification bodies as a competitive differentiator — is explicitly discouraged, as under-resourced audits may fail to detect significant nonconformities.
3. Practical Implications for Organizations Seeking Certification
While ISO/IEC 27006-1 is addressed to certification bodies, organizations preparing for ISO/IEC 27001 certification should understand its content because it directly governs how their certification audit will be planned and conducted:
- Audit duration planning: Understand the minimum audit days applicable to your organization’s size and complexity. Stage 1 (readiness review) typically requires 1-2 days depending on scope. Stage 2 (full assessment) duration depends on effective headcount, scope complexity, number of sites, and whether the organization operates in multiple shifts or has part-time staff.
- Auditor competence expectations: You should expect auditors assigned to your audit to have relevant sector knowledge. If your organization operates in healthcare, finance, manufacturing, or another specialized industry, the certification body should assign auditors with demonstrated competence in that sector.
- Nonconformity classification and resolution: Major nonconformities (significant failures that affect the ISMS’s ability to achieve intended results) must be resolved before certification can be granted. Minor nonconformities (isolated lapses) require a corrective action plan within a defined timeline, typically 60-90 days from the audit.
- Certification cycle management: The initial certification is valid for 3 years, with mandatory surveillance audits in years 1 and 2, followed by a full recertification audit in year 3. Surveillance audits must include on-site visits at least annually.
Proactive tip: Review the audit duration tables in ISO/IEC 27006-1 before engaging a certification body. If the certification body proposes significantly fewer audit days than the standard recommends, treat this as a red flag — an under-resourced audit may not provide adequate coverage of your ISMS, potentially leading to overlooked nonconformities or, worse, a certification that does not withstand regulatory or customer scrutiny.
4. Frequently Asked Questions
Q: What is the difference between ISO/IEC 27006-1 and ISO/IEC 27007?
A: ISO/IEC 27006-1 specifies mandatory requirements for certification bodies (the organizations that issue ISO/IEC 27001 certificates) and governs how they must operate. ISO/IEC 27007 provides guidelines for individuals conducting ISMS audits — it is written for auditors performing the work, not for the organizations managing the certification process.
Q: Does ISO/IEC 27006-1:2024 apply only to ISMS certification?
A: Part 1 specifically covers ISMS certification against ISO/IEC 27001. Additional parts of the 27006 series (e.g., 27006-2 for privacy information management, 27006-3 for cybersecurity) extend these requirements to other standards in the 27000 family.
Q: Can small organizations be certified under ISO/IEC 27006-1 rules, or is it only for large enterprises?
A: Yes, small organizations can absolutely be certified. The audit duration tables include specific categories for small organizations (1-5 employees, limited scope). For very small organizations, Stage 1 and Stage 2 audits may be combined into a single visit, reducing the overall audit burden while maintaining thoroughness.
Q: How can I verify that a certification body complies with ISO/IEC 27006-1?
A: Check whether the certification body is accredited by a recognized national accreditation body (e.g., UKAS in the United Kingdom, ANAB in the United States, DAkkS in Germany, CNAS in China) for the specific scope of ISO/IEC 27001 certification you require. Accreditation bodies verify compliance with ISO/IEC 27006-1 as an integral part of the accreditation process.