This Technical Bulletin is applicable to all Information Security Management Systems (ISMS) Certification Bodies.
Following the publication of ISO/IEC 27006-1:2024, this bulletin has been produced to update Certification Bodies and stakeholders on the UKAS assessment process and overall timelines for assessment against the requirements of the revised standard.
Compared to the previous version (ISO/IEC 27006:2015/AMD1:2020), the revised edition has (amongst other things):
- refined the requirements for remote audits;
- updated the audit time calculation requirements;
- updated Annex E to align with the information security controls listed in Annex A of ISO/IEC 27001:2022;
- refined the requirements for referencing other standards in the ISMS certification documents; and
- removed the quantitative requirement for the work experience and training experience of ISMS auditors, for example, 4-year full time practical workplace experience.
UKAS has developed a transition plan in line with our current understanding of the forthcoming requirements of IAF MD XX:2024 (detail to be confirmed) and is now ready to assess against the requirements of the new standard.
To enable the transition to progress in a timely manner, UKAS accredited Certification Bodies are requested to complete a documented gap analysis, F627 Transition Requirements and Gap Analysis – ISO/IEC 27006-1:2024, detailing how they have implemented the changes introduced by ISO/IEC 27006-1:2024, and submit it to UKAS by no later than 30 April 2024. The submitted information shall include:
- the gap analysis of the changes in ISO/IEC 27006-1:2024;
- the transition arrangements and evidence of implementation;
- evidence of the authorisation of related personnel.
Given the limited number of changes introduced by ISO/IEC 27006:2024, it is not envisaged that significant additional assessment effort will be required by UKAS to review the changes made by the certification body, however this is dependent on the clarity of the submitted information provided by the CB. It is estimated that an initial 1.25 day of effort will be required to review the changes and complete the associated back-office activities.
If the initial technical document review is unable to verify the effective implementation and conformance with the CB’s transition arrangements, then an office assessment may be required. If areas are identified that do not adequately fulfil the revised requirements, then these will be raised as findings. All mandatory findings shall be addressed by the certification body in the normal way.
Timeline:
Date | Milestone/Activity |
01 March 2024 | Publication of ISO/IEC 27006-1:2024 |
01 May 2024 | UKAS ready to assess to ISO/IEC 27006-1:2024 |
31 July 2025 | All UKAS transitions of Certification Bodies completed |
Should you require any clarification on the above, please contact your Assessment Manager in the first instance. In the absence of your Assessment Manager, one of the following may be able to assist:
- Kevin Belson: Technical Manager – [email protected]
- Alastair Hunter: Technical Focus (ISMS) – [email protected]
Download a PDF copy of this bulletin here.