Announcement

Key Changes Introduced by 27006-1:2024

Requirements for remote audits have been improved.
New requirements for the deployment of remote audits have been added.
The requirement to include the scope and effectiveness of the remote audit in the audit report has been added.
The requirement to obtain approval from the EU when remote audit activities constitute more than 30% of the planned on-site audit time has been removed.
For clients with few or no physical sites of interest, the requirement to state in the audit report and certificate that the client's activities were conducted remotely has been added.
Annex B in ISO/IEC 27006:2015 has been renamed Annex C;
Audit time calculation requirements have been updated (Annex C). The concept of individuals performing specific identical activities was introduced, and the requirement for determining the initial number of individuals using this new concept was defined.
New requirements regarding audit duration for scope expansions were defined.
Approaches to calculating the audit duration for multiple sites were clarified.
Annex C in ISO/IEC 27006:2015 was renamed Annex D.
Annex D of ISO/IEC 27006:2015 was transferred as Annex E of ISO/IEC 27006-1:2024, aligning with the information security controls listed in Annex A of ISO/IEC 27001:2022. Table D was renamed Table E.
Requirements for referencing other standards in ISMS certification documents were more clearly defined.
Unnecessary repetitions were eliminated, achieving better compliance with ISO/IEC 17021-1. For example, clauses 5.2, 7.1.3, 9.3.2.2 and 9.4 (ISO/IEC 27006-1:2024) have been updated. The quantitative requirement regarding the work experience and education of ISMS auditors (for example, 4 years of full-time practical workplace experience) has been removed.

Ceyhun Atuf Kansu Caddesi 137/14 Balgat - Çankaya / Ankara
+90 312 441 90 09
+90 312 441 90 07
info@netsert.net
Copyright © 2010-2013 Netsert. All rights reserved.
Web Design: Teknobay