Notification on the Implementation of Information Security Management System Certification in Accordance with ISO/IEC 27006-1:2024
On March 1, 2024, the International Organization for Standardization (ISO) published the ISO/IEC 27006-1:2024 standard, titled "Requirements for Bodies Providing Audit and Certification of Information Security Management Systems – Part 1: General". This standard replaces the previous ISO/IEC 27006:2015 and its amendment, which have been simultaneously withdrawn but remain in effect until the end of the transition period.
Given that the Institute for Certification of Systems (ICS) is accredited by the Italian Accreditation Body (ACCREDIA) in accordance with the requirements of ISO/IEC 17021-1:2015 and ISO/IEC 27006:2017, as well as ISO/IEC 27006:2015/Amd.1:2020, ICS is obliged to align its information security management system certification activities with the requirements of ISO/IEC 27006-1:2024.
Impact on Certified Organizations
The implementation of ISO/IEC 27006-1:2024 may result in the following changes for certified organizations:
- Change in audit duration,
- Modification of the certificate in cases where the organization does not perform activities within the scope and subject of certification at a defined physical location.
These changes will be regulated through contracts or contract annexes.
Transition Period
On May 21, 2024, the International Accreditation Forum (IAF) published the mandatory document IAF MD 29:2024 "Transition Requirements for ISO/IEC 27006-1:2024", which defines the requirements and deadlines for the transition for both certification and accreditation bodies.
In accordance with this document, ICS has determined that the final deadline for transitioning all clients to certification under the requirements of ISO/IEC 27006-1:2024 is March 31, 2026.
Surveillance Audits and Recertifications
In the upcoming period, ICS will conduct all surveillance audits and recertifications in compliance with the new requirements of ISO/IEC 27006-1:2024.