The ISO/IEC 27006-1:2024 standard, Requirements for bodies providing audit and certification of Information Security Management Systems, was published in March 2024.
This standard will have a significant impact on CyberSecurity Malaysia as the ISMS Certification Body and a small impact on the ISMS clients of CyberSecurity Malaysia.
CyberSecurity Malaysia has a two-year transition period to migrate to the ISO/IEC 27006-1:2024 standard (until March 2026). CyberSecurity Malaysia will start the migration to this standard in February 2025 and complete accreditation by Standards Malaysia in December 2025.
The main changes between ISO/IEC 27006:2015 and ISO/IEC 27006-1:2024 include but are not limited to:
- Refinement of the requirements for remote audits.
- Updating the audit time calculation requirement (see Annex C).
- Updating Annex D of ISO/IEC 27006:2015 to align with the information security controls listed in Annex A of ISO/IEC 27001:2022 and moving it to Annex E of ISO/IEC 27006-1:2024. Table D was relabelled as Table E.
- Refinement of the requirements for referencing other standards in the ISMS certification documents (see 8.2.3).
- Removal of redundancies with ISO/IEC 17021-1:2015. For example, clauses 5.2, 7.1.3, 9.3.2.2, and 9.4 of ISO/IEC 27006-1:2024 have been updated.
- Deletion of the quantitative requirements for the work experience and training of ISMS auditors, for example the 4-year full-time practical workplace experience.
For further information, please contact us at