ISO/IEC 27006:2011, the information technology security techniques Standard that stipulates requirements for “bodies providing audit and certification of information security management systems” (ISMSs), is currently under review.
The Final Draft International Standard (FDIS) of ISO/IEC 27006 was made available in June 2015 for final review and approval.
The Standard details requirements for certification bodies related to the competence of audit teams, audit processes and guidance for calculating audit time, among others.
Annex B of the new draft Standard defines how long a certification audit should take, based on an organisation’s size and complexity.
While the audit time guidance in the draft Standard appears to be similar to the 2011 guidance, there are important differences that will place a significant cost burden on small and medium-sized entities applying for ISO 27001 accredited certification.
The table below indicates the differences in audit time between the two standards.
While the figures above seem similar, Annex C of ISO 27006:2011 is “Informative”, which implies that the Standard merely provides guidance on the appropriate duration of the certification audit. This effectively means that certification bodies can apply the guidance to whatever extent they deem appropriate, including whether it is the starting point for determining audit time or not, and the extent to which they can move away from it.
By contrast, Annex B of the new draft Standard is “Normative”, which means that the audit times are mandatory and also places limits on the extent of deviation from the stipulated audit times:
“In order to ensure effective audits being performed and to ensure reliable and comparable results, the audit time provided in the audit time chart shall not be reduced by more than 30%”.
The 2015 FDIS also states that the total number of persons doing work under the organisation’s control for all shifts is the starting point for determining audit time.
Let’s look at the implications of this revision. For instance, an IT Governance client with 16 employees wishing to apply for ISO 27001 certification would typically be quoted by an accredited certification body for a three-day audit (one day for Stage 1 and two days for Stage 2).
Under the current FDIS, the same organisation would be quoted a minimum of 4.9 days, at least one full day more. For companies with up to 45 employees, the minimum audit time will be 6 days.
With daily audit rates of between £500 and £1,000, this change will introduce significantly higher audit costs for small businesses, not to mention time and resources spent addressing the auditor’s requirements.
From the experience of IT Governance’s many clients that have attained ISO 27001 certification, the duration of audits for organisations with fewer than five employees has been just two days (against ISO 27006:2011). In addition, many of our ISO 27001 FastTrack™ clients have been audited in just two days by certification bodies. (FastTrack is IT Governance’s flagship packaged consultancy service for companies with fewer than 20 employees.)
Under the revised ISO 27006, however, small businesses will be burdened with extended audit time, resulting in higher certification fees – a change that will discourage, rather than encourage, small and medium-sized businesses from seeking ISO 27001 certification.
Is this not contrary to the spirit of encouraging global adoption of ISO 27001 among all businesses?
Dislike these proposed changes?
If you would like to object to these proposed changes, you can write to the ISO/IEC Joint Technical Committee subcommittee responsible for the ISO 27001 family of Standards (ISO/IEC JTC 1/SC 27).