IAF Publishes MD for Transition to ISO/IEC 27006-1:2024

24 May 2024

On 21 May 2024, IAF published the new Mandatory Document IAF MD 29, Transition Requirements for ISO/IEC 27006-1:2024. This document includes requirements for the transition from ISO/IEC 27006:2015 and ISO/IEC 27006:2015/Amd 1:2020 to ISO/IEC 27006-1:2024, Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems – Part 1: General. It is mandatory for all IAF Multilateral Recognition Arrangement (MLA) signatory accreditation bodies and their accredited certification bodies working in the information security management systems (ISMS) scheme.

The document outlines the main changes between the standards, which include but are not limited to:

• Refinement of the requirements for remote audit
• Updating the audit time calculation requirement
• Updating Annex D of ISO/IEC 27006:2015 to align with the information security controls listed in Annex A of ISO/IEC 27001:2022
• Refinement of the requirements for referencing other standards in the ISMS certification documents
• Removal of redundancies with ISO/IEC 17021-1:2015
• Deletion of the quantitative requirement for the work experience and training of ISMS auditors

In accordance with this document, accreditation bodies and certification bodies must have completed the transition to ISO/IEC 27006-1:2024 by 31 March 2026. Accreditation bodies must be ready to assess to ISO/IEC 27006-1:2024 no later than 31 December 2024, and must use ISO/IEC 27006-1:2024 for all initial accreditation assessments (or extensions to an existing accreditation) starting no later than 31 March 2025.
