Assessment of ISO/IEC 27006:2015/AMD1:2020
This Technical Bulletin is applicable to all Information Security Management Systems (ISMS) Certification Bodies.
Following the publication of ISO/IEC 27006:2015/AMD1:2020, this bulletin has been produced to update certification bodies and stakeholders on the UKAS assessment process and overall timelines for assessment against the amended requirements introduced by Amendment 1:2020.
In July IAF published a transition/implementation resolution that requires Accreditation Bodies to be ready to assess this from 8 months after publication of the amendment, and that the assessment process should be completed for all CBs by 24 months from publication of the amendment.
The amendment was issued in March 2020 and since then UKAS has been reviewing its impacts and preparing for the implementation.
Certification Bodies are requested to complete a documented gap analysis detailing how they have implemented the changes introduced by ISO/IEC 27006:2015/AMD 1:2020 and forward it to UKAS at least 4 weeks prior to their planned assessment. Given the limited number of changes introduced by ISO/IEC 27006:2015/AMD1:2020, it is not envisaged that significant additional assessment effort will be required by UKAS to review the changes made by the certification body, however this is dependent on the clarity of the gap analysis provided by the CB. Any additional time required as part of the assessment will be chargeable, typically this would be a ½ day assessment effort plus planning and preparation.
The effectiveness of the changes will be verified by the assessment team during the scheduled assessment. If areas are identified that do not adequately fulfil the revised requirements, then these will be raised as findings. All mandatory findings shall be addressed by the certification body in the normal way.
Timeline:
| Date | Milestone/Activity |
| 26 March 2020 | ISO/IEC 27006:2015/AMD1:2020 issued |
| Date of this bulletin | UKAS ready to start assessing to ISO/IEC 27006:2015/AMD1:2020 |
| Date of this bulletin | Only applications to ISO/IEC 27006:2015/AMD1:2020 accepted |
Should you require any clarification on the above, please contact one of the following:
- Kevin Belson: Technical Manager – [email protected]
- Alastair Hunter: UKAS Technical Focus Person for Information Assurance – [email protected]
Steve Randall: UKAS Accreditation Specialist – Certification – [email protected]
To download a PDF version click here.