Technical Bulletin – ISO/IEC 27006:2015/AMD1:2020

12 August, 2020

Assessment of ISO/IEC 27006:2015/AMD1:2020

This Technical Bulletin is applicable to all Information Security Management Systems (ISMS) Certification Bodies.

Following the publication of ISO/IEC 27006:2015/AMD1:2020, this bulletin has been produced to update certification bodies and stakeholders on the UKAS assessment process and overall timelines for assessment against the amended requirements introduced by Amendment 1:2020.

In July, IAF published a transition/implementation resolution that requires Accreditation Bodies to be ready to assess against the amendment from 8 months after its publication, and that the assessment process should be completed for all CBs by 24 months from publication of the amendment.

The amendment was issued in March 2020 and since then UKAS has been reviewing its impacts and preparing for the implementation.

Certification Bodies are requested to complete a documented gap analysis detailing how they have implemented the changes introduced by ISO/IEC 27006:2015/AMD1:2020 and forward it to UKAS at least 4 weeks prior to their planned assessment. Given the limited number of changes introduced by ISO/IEC 27006:2015/AMD1:2020, it is not envisaged that significant additional assessment effort will be required by UKAS to review the changes made by the certification body; however, this is dependent on the clarity of the gap analysis provided by the CB. Any additional time required as part of the assessment will be chargeable; typically this would be a ½ day assessment effort plus planning and preparation.

The effectiveness of the changes will be verified by the assessment team during the scheduled assessment. If areas are identified that do not adequately fulfil the revised requirements, then these will be raised as findings. All mandatory findings shall be addressed by the certification body in the normal way.

Timeline:

| Date | Milestone/Activity |
| --- | --- |
| 26 March 2020 | ISO/IEC 27006:2015/AMD1:2020 issued |
| Date of this bulletin | UKAS ready to start assessing to ISO/IEC 27006:2015/AMD1:2020 |
| Date of this bulletin | Only applications to ISO/IEC 27006:2015/AMD1:2020 accepted |

Should you require any clarification on the above, please contact one of the following:

  • Kevin Belson: Technical Manager – kevin.belson@ukas.com
  • Alastair Hunter: UKAS Technical Focus Person for Information Assurance – alastair.hunter@ukas.com
  • Steve Randall: UKAS Accreditation Specialist – Certification – steve.randall@ukas.com
