What happened?
ISO/IEC 27006-1:2024 is the current standard that sets additional requirements for bodies that audit and certify information security management systems against ISO/IEC 27001. It complements ISO/IEC 17021-1 with ISMS-specific expectations for certification activity.
Why it matters
Many organisations treat ISO 27001 certification as customer assurance evidence. That assurance is stronger when the certification body is competent, impartial, and properly accredited. ISO/IEC 27006-1:2024 helps protect the credibility of ISO 27001 certificates by defining expectations for certification bodies and accreditation reviews.
Practical checks
- Confirm that your ISO 27001 certification body is accredited for ISO/IEC 27001 certification.
- Check whether the certificate clearly states scope, sites, accreditation marks, and the ISO/IEC 27001 edition.
- Ask your certification body how it is applying ISO/IEC 27006-1:2024 in audit planning and certification decisions.
- Keep audit evidence current so surveillance audits can test the operating ISMS, not only policy documents.
The practical takeaway is simple: certification planning should include certifier due diligence. A credible ISO 27001 certificate is not only about passing the audit; it is about being able to defend the certificate to customers, regulators, and procurement teams.