These relate in particular to:
1. Remote audit:
- New requirements have been introduced for the implementation of remote audits – in particular, the performance of risk analysis and justification of the use of remote audits throughout the certification cycle
- The report must indicate the extent to which audit methods have been used and their effectiveness in achieving the audit objectives
- The requirement to obtain the Accreditation Body's consent when remote audit activities exceed 30% of the planned on-site audit time has been removed
- For clients with few or no relevant physical locations, the audit report and certification documents must indicate that the client's activities are conducted remotely
2. Audit time:
- The concept of persons performing identical activities has been introduced, and the requirement for determining the initial number of personnel has been defined
- New requirements for the duration of audits for ISMS scope extensions have been introduced
- Methods for calculating audit time for multiple locations have been clarified
3. Referencing other standards in ISMS certification documents
The requirements for referring to other standards in ISMS certification documents have been clarified. Where the Statement of Applicability contains references to additional safeguards that are specified in international or national sectoral standards, it is possible to refer to these standards in the PN-EN ISO/IEC 27001:2023 certification document. This reference must clearly indicate that these are only additional safeguards resulting from the standards in question, which have been defined as applicable in the Statement of Applicability, and that this is not certification in accordance with these standards.
The new requirements will be applied immediately after ISOCERT accreditation is granted for PN-EN ISO/IEC 27006:2024. The requirements for determining the time of the audit have changed, so it may be necessary to amend the agreements concluded with you. We will analyse each case individually when ISOCERT is granted accreditation for the PN-EN ISO/IEC 27006:2024 version.
