Transitional Period extended by ISO Standards
EN ISO/IEC 27006-1:2024
Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems – Part 1: General
Basic information
The standard was published on 1 November 2024.
The standard specifies requirements for certification bodies accredited to audit and certify information security management systems (ISMS).
The certification body AUDISO a.s. has updated its procedures and related documentation to comply with the requirements of EN ISO/IEC 27006-1:2024.
In January 2026, the company will undergo a regular surveillance audit by the Czech Accreditation Institute (Český institut pro akreditaci, o.p.s.), which will verify the implementation of the changes and the conformity of AUDISO a.s. procedures with the requirements of this standard.
Summary of key changes
Alignment with EN ISO/IEC 17021-1:2015 has been updated.
Terminology has been revised in line with EN ISO/IEC 27001:2023.
New requirements have been introduced for auditor competence in the area of risk management.
Requirements for the impartiality evaluation process have been clarified.
References to ISO/IEC TS 27006-2:2021 have been added for certification in the area of cloud services.
What this change means for certified clients
Organizations with an information security management system certified to EN ISO/IEC 27001:2023 do not need to make any changes to their ISMS as a result of the publication of EN ISO/IEC 27006-1:2024. This update primarily concerns the requirements for certification bodies and their procedures; it does not introduce any new obligations for certified clients beyond the requirements of ISO/IEC 27001.
ISO/DIS 9001:2026
Clauses 1–3 (scope, references, terms and definitions)
- “Documented information” terminology (compared with ISO 9001:2015): in the ISO 9001:2026 draft (DIS), some requirements use the more precise wording “available as documented information.” Compared with ISO 9001:2015, this typically means a clearer definition of when a specific output or piece of evidence must be available as documented information (i.e., demonstrable during an audit). This is not a general increase in documentation, but a clarification where the requirement needs to be objectively evidenced.
- Clarification of terms and definitions: interpretations are expected to be aligned, especially in relation to the concept of risks and opportunities.
4. Context of the organisation (Clause 4)
- Climate change as a topic: the organisation will be expected to explicitly assess whether climate change is relevant to it (e.g., due to supply, prices, risks, regulation).
- Interested parties (who has expectations): greater emphasis on making clear what customers, suppliers, the state/regulators, etc. expect from the organisation (including possible market- or climate-related expectations).
- Scope of the quality management system (QMS): the organisation should clearly describe what its QMS covers and why it is defined in that way (to avoid “out-of-scope” areas without justification).
- Process interaction: the wording of the standard is expected to be more precise, making it easier to describe how processes are connected (dependencies, inputs/outputs).
5. Leadership (Clause 5)
- Quality culture and ethics: top management should actively support a “quality culture” (quality as everyday practice, not just documentation) and ethical behaviour. It is not sufficient to have a policy “on the wall”; it should be evident that leadership applies it in practice.
- This topic appears elsewhere in the draft as well, so it will typically be assessed across the organisation (not only in one clause).
6. Planning (Clause 6)
- Risks vs. actions: the standard aims to distinguish more clearly between:
  - how the organisation identifies risks and opportunities, and
  - how it then plans concrete actions to address risks and exploit opportunities.
- Change management: more emphasis on ensuring changes are not handled “on the fly”; for important changes, the organisation should consider purpose, impacts, resources, and how to verify that the change is effective.
7. Support (Clause 7)
- People’s awareness: training and internal communication will place more emphasis on ensuring people understand not only “what to do” but also “why” (quality culture, ethical behaviour, role expectations).
- The trend is reinforced that certain information should be demonstrably available as documented information (i.e., traceable evidence exists when needed).
8. Operation (Clause 8)
- Changes in operations: more emphasis on the ability to manage unplanned changes (e.g., supplier unavailability, technology changes, staff substitutions).
- Customer communication when problems occur: communication should also cover situations where supply/service is disrupted and alternative solutions are introduced.
- External providers: clarified expectations for how the organisation manages suppliers and external providers (to define what is “theirs” and what remains the organisation’s responsibility).
9. Performance evaluation (Clause 9)
- Measurement → improvement: more emphasis on ensuring measurement and evaluation are not an end in themselves, but clearly indicate what should be improved.
- Internal audits: clearer structure of requirements (general requirements vs. audit programme), with emphasis on an internal audit programme having objectives and being logically set up.
- Management review: clearer structure (inputs / conduct / outputs) to make it evident what top management reviews and what results from it.
10. Improvement (Clause 10)
- Continual improvement: stronger linkage to data and real outputs of the management system (not “we improve because the standard says so”).
- Corrective actions: clearer requirement to assess whether an issue could recur and to verify that the action taken is truly effective.
- The changes may also lead to a simpler structure in some parts compared with ISO 9001:2015 (more “re-structuring” than new activities).
Annex A (guidance/interpretation)
- Expanded annex with additional explanations: helps harmonise interpretation of the standard and supports practical application during audits.
ISO FDIS 14001:2026 – changes by clause (in a clear, understandable way)
Clause 4 – Context of the organisation (where the company operates and what influences it)
- More focus on the “outside world”: the company should better describe external factors that matter from an environmental perspective (e.g., availability of resources, pollution, market demands, local conditions).
- Climate change explicitly: the company should clearly state whether climate change is relevant to it and, if so, how (e.g., supply risks, extreme weather, new customer requirements, or regulation).
- Interested parties: more emphasis on knowing who expects what from the company (customers, authorities, owners, the public…) and what that implies.
- Scope of the EMS (“what is in and what is out”): the scope of the environmental management system (EMS) should be explained more clearly, including why it is defined that way.
- Demonstrability: for some points, there will be a stronger expectation that the company has information demonstrably available (not necessarily more documents, but clearer evidence).
Clause 5 – Leadership (role of top management)
- Leadership should be visible in practice: real involvement of top management is expected (not only a formal policy).
- More precise language on meeting obligations: clearer wording that the company must meet its obligations (especially legal and other commitments).
Clause 6 – Planning (risks, objectives, changes)
- Clearer handling of risks and opportunities: the standard aims to make it easier to understand how the company:
  - identifies risks/opportunities, and
  - plans concrete measures.
- More structured change management: changes in the EMS should be more “managed” (assessing impacts and resources in advance and verifying that the change works).
- Better distinction of situations: clearer separation between normal operation, “non-standard” situations, and true emergencies.
Clause 7 – Support (people, communication, evidence)
- Emphasis on communication and involvement: to ensure employees know what to do and why, and that the system is not only the responsibility of an “environment manager.”
- Evidence and records: some requirements will push more strongly for results and records to be traceable (again: clarifications rather than “paper overload”).
Clause 8 – Operation (activities, production/services, and suppliers)
- Broader view of external supplies: more emphasis on managing what the company does not directly control but that influences it (suppliers, external services, subcontracting).
- More practical control of impacts: greater clarity on how the company controls environmental impacts in operations and how it addresses this with key suppliers (in a proportionate way).
- Emergency preparedness: linked to risks; not only “having a plan,” but also knowing what the plan is for and when it is activated.
Clause 9 – Performance evaluation (measurements, audits, management review)
- Measure to decide: emphasis that measurement should help identify what to improve (not “measuring for measuring’s sake”).
- Internal audits with objectives: the audit programme should be set up in a useful way (why the audit is done, what is to be verified, what outcomes are expected).
- Clearer management review: a more structured approach to understand what is evaluated as input, how evaluation happens, and what the outputs are (decisions, tasks).
Clause 10 – Improvement (nonconformities and corrective actions)
- Improvement more closely linked to reality: findings from measurements and audits should more clearly lead to improvements.
- Corrective actions “to prevent it from happening again”: emphasis on verifying effectiveness; not only correcting the issue, but also confirming that it will not recur.
Annex A – Guidance
- More explanation on “how to interpret”: an expanded and more practical annex to support more consistent interpretation and a clearer audit approach.
Final note: these are expected changes within the ISO 14001:2026 / ISO 9001:2026 revision process. The final text may still change slightly in details.