Notification on the Implementation of the Information Security Management System Certification Procedure
We would like to inform all interested parties that the International Organization for Standardization (ISO) published the standard ISO/IEC 27006-1:2024 on 1 March 2024, which replaced the previous standard ISO/IEC 27006:2015 on 31 July 2024. The previous standard and its associated amendments have been withdrawn, but remain valid until the end of the transition period.
As ICS Ltd. is an accredited certification body, all activities relating to the certification of Information Security Management Systems (ISMS) must be fully aligned with the requirements of ISO/IEC 27006-1:2024.
Impact of Changes on Certified Organisations
The implementation of the certification procedure in accordance with ISO/IEC 27006-1:2024 may result in the following for certified organisations:
- Changes to audit duration;
- The need to modify certificates in cases where the organisation does not carry out activities at a defined physical location.
Note: These matters will be regulated by the contract or an annex to the contract.
Key Changes That May Affect Your Organisation
Audit Procedures:
- Remote audits must be clearly documented in the audit report (9.4.3.2) – applicable if remote auditing is used.
- If the organisation does not have a physical location, the report and certificate must indicate that activities are carried out remotely (8.2.2) – applicable for online-only clients.
Calculation of Audit Time:
- New concept for individuals performing identical activities (C.2.1) – applicable if such a staff structure exists.
- The initial number of people is determined in accordance with C.3.4.
Scope Extensions and Multi-site Organisations:
- Specific requirements for scope extensions (C.7) – applicable if scope expansion is requested.
- Clarifications for organisations with multiple sites (C.6) – applicable for multi-site clients.
Contractual Updates:
- Certification contracts will be updated to reflect the new standard requirements.
Your Responsibilities:
- Please plan a timely transition to the new version of the standard to ensure the uninterrupted validity of your ISO/IEC 27001 certificate.
Transition Period:
On 21 May 2024, the International Accreditation Forum (IAF) published the document IAF MD 29:2024 – Transition Requirements for ISO/IEC 27006-1:2024, which defines the deadlines and requirements for the transition process for both certification and accreditation bodies.
ICS Ltd. has established deadlines for the implementation of certification with its clients in accordance with ISO/IEC 27006-1:2024. The final deadline for transitioning all clients to certification under this standard is 31 March 2026.
Surveillance Audits and Recertifications:
From 1 April 2025, ICS Ltd. will conduct all surveillance audits and recertifications in accordance with ISO/IEC 27006-1:2024.
Should the transition process to the new standard not be completed by this date, surveillance audits and recertifications will temporarily be conducted in accordance with the previous standards (ISO/IEC 27006:2017 and ISO/IEC 27006:2015/Amd.1:2020).
Once accreditation under ISO/IEC 27006-1:2024 has been obtained, ICS Ltd. will, where necessary, issue certificates bearing the accreditation symbol in accordance with the new standard.
Initial Certifications:
Initial certifications will continue to be conducted under the previous standards until 31 March 2025.
From 1 April 2025, following accreditation under ISO/IEC 27006-1:2024, all initial certifications performed by ICS Ltd. will be conducted exclusively in accordance with this standard.