Transition to "ISO/IEC 27006 Amd1:2020" - Client Information

Important information about your existing ISMS certifications!

Dear ISMS Certification Clients,

As you may have heard, ISO/IEC 27006 was revised by an amendment in March 2020. This standard defines the rules for auditing and certifying ISMSs based on ISO 27001.

The International Accreditation Forum (IAF), in its resolution "ISO/IEC 27006:2015 AMD 1:2020 Transitional Arrangements" published on 27 July 2020, defined a two-year transition period as well as arrangements for accreditation bodies and certification bodies.

On 14 August 2020 our accreditation body, DAkkS, published more detailed transition rules defining deadlines and activities for the parties involved in ISMS certification.

One of the obligations defined therein is to inform certified clients about the transition process and other details.

Note: Unfortunately, the international, European and German (and Czech, translator's note) versions were not published in the same year, but the content of ISO/IEC 27001:2013 is identical in all of them. To improve readability, the generic term "ISO 27001" is usually used to refer to the standard.

The German version of ISO/IEC 27006:2015, DIN EN ISO/IEC 27006:2021, was published in May 2021 and already incorporates the content of Amendment 1 as a consolidated standard.

Translator's note: DIN EN ISO/IEC 27006 (Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems) was published on 1 May 2021.

Please be aware that we cannot distribute copies of any standard for copyright reasons.

TÜV NORD CERT applied for accreditation to the new edition of the standard, and this was granted by DAkkS in March 2022.

Continued ISMS certification in accordance with the newly issued standard:

Validity of certification:

The validity and expiry date of existing certificates are not affected by the change.

Modifications to your ISMS:

The amendment does not require any changes to your ISMS, because ISO 27001 itself is not affected by it.

Standard designation:

The designation of the standard was changed in 2017 to integrate it into the European standards system. The standard is now called "EN ISO/IEC 27001:2017", but it still fully conforms to ISO/IEC 27001:2013 (including both published corrigenda).

Any new certificate will continue to be issued using the designation "ISO/IEC 27001:2013".

For unambiguous identification, certificates issued after the transition to the amendment will include a reference to the applied certification rules of ISO/IEC 27006 Amd1:2020.

Multi-site certification:

The amendment changes the method for calculating the audit time for organizations operating multiple sites. In general, we will complete the current certification cycle as already agreed, planned and prepared, and will apply the new method from the next cycle onwards.

Industry standards as a source of additional controls as outlined in the SoA:

If your SoA (Statement of Applicability) references additional controls defined in international or national standards, these standards can be referenced on the ISO 27001 certificate. This reference on the certificate must clearly state that the controls from these standards, as defined in the SoA, are only supplementary and that it is not a certification against those standards.

If you have used international or national (sector-specific) standards (see also ISO/IEC 27009) as an additional source of controls in your SoA, certificates referencing these standards or controls will be reissued to meet the new requirements, and any certification documents that are no longer valid will be revoked.

Depending on the standard used, further specific requirements may apply, for example regarding audit time or audit team competence.

Please note: in accordance with the current rules, we do not issue a separate certification document for such a sector-specific standard.

Calculation rules for additional audit duration:

As there are no modified or additional requirements for your ISMS, no additional audit time is required for the transition. The next surveillance audit, or at the latest the next recertification audit, will normally be performed as a transition audit.

Conclusion:

To continue to maintain your ISMS successfully, it is not necessary to update it because of the release of the new accreditation standard, even though some aspects of the certification procedure are changing. The transition audit therefore requires no special measures on your part. We look forward to continuing our successful cooperation.

Responsible for the content:

Dr. Karsten Grans

TIC Manager ISO 27001

kgrans@tuev-nord.de

1 April 2022