Notification on implementation of the information security management system certification procedure in accordance with the requirements of the standard (SRPS EN) ISO/IEC 27006-1:2024

27.02.2025

On 01.03.2024, the International Organization for Standardization (ISO) published the standard ISO/IEC 27006-1:2024, and on 31.07.2024.
The standard (SRPS EN) ISO/IEC 27006-1:2024 replaces the standard ISO/IEC 27006:2015 (SRPS ISO/IEC 27006:2017) with the corresponding amendment, which was withdrawn at the same time, but remains in force until the end of the transition period.
Considering that StandCert d.o.o. is accredited by the Accreditation Body of Serbia (ATS) according to the requirements of the standards SRPS ISO/IEC 17021-1:2015, SRPS ISO/IEC 27006:2017 and ISO/IEC 27006:2015/Amd.1:2020, StandCert is obliged to bring its information security management system certification activities into compliance with the requirements of the standard SRPS EN ISO/IEC 27006-1:2024.
Given the purpose of the standard (SRPS EN) ISO/IEC 27006-1:2024, the changes it introduces apply to certification bodies, and the same changes may partly affect certified organizations.
Impact of changes on certified organizations
Implementation of the certification procedure in accordance with the requirements of the standard (SRPS EN) ISO/IEC 27006-1:2024 can, for certified organizations, result in:

  •  A change in audit time (activity of the certification body)
  •  The need to change the certificate in cases where no activity of the organization within the scope of certification is undertaken at a defined physical location (activity of the certification body)

The above matters will be regulated by the Contract/Annex to the Contract.

Transition period
On 21.05.2024, the International Organization for Accreditation (IAF) published the binding document IAF MD 29:2024 Transition Requirements for ISO/IEC 27006-1:2024, which defines the requirements and deadlines for the implementation of transition activities for both certification and accreditation bodies.
In line with the document IAF MD 29:2024, StandCert d.o.o. has established deadlines for carrying out certification of its clients in accordance with the requirements of (SRPS EN) ISO/IEC 27006-1:2024.
The deadline by which StandCert will move to the certification of all clients according to the requirements of the standard (SRPS EN) ISO/IEC 27006-1:2024 is 31.03.2026.

Surveillance audits and recertifications
From 01.04.2025, StandCert d.o.o. will perform all surveillance audits and recertifications in accordance with (SRPS EN) ISO/IEC 27006-1:2024.
In the event that StandCert does not complete the process of transition to accreditation according to (SRPS EN) ISO/IEC 27006-1:2024 by the above date, surveillance audits and recertifications will be conducted simultaneously and in accordance with the requirements of the standards SRPS ISO/IEC 27006:2017 and ISO/IEC 27006:2015/Amd.1:2020. After receiving a decision on the transition to accreditation according to (SRPS EN) ISO/IEC 27006-1:2024, StandCert will, where necessary, issue with the accreditation symbol the certificates resulting from certification procedures carried out in accordance with the requirements of the standard (SRPS EN) ISO/IEC 27006-1:2024.
After obtaining accreditation according to the standard (SRPS EN) ISO/IEC 27006-1:2024, StandCert will conduct all information security management system certifications exclusively according to the standard (SRPS EN) ISO/IEC 27006-1:2024.

Initial certifications
StandCert will carry out initial certifications in accordance with the requirements of the standards SRPS ISO/IEC 27006:2017 and ISO/IEC 27006:2015/Amd.1:2020, at the latest until the accreditation according to (SRPS EN) ISO/IEC 27006-1:2024, or until 31.03.2025.
After obtaining accreditation according to the standard (SRPS EN) ISO/IEC 27006-1:2024, or from 01.04.2025, StandCert will conduct initial certifications exclusively in accordance with the standard (SRPS EN) ISO/IEC 27006-1:2024.
