This question concerns how the calculation of auditor time for ISMS audits should be carried out. One CB we have is applying a formula to calculate ‘effective personnel’ and then applying the tables in Annex B and Annex C of ISO 27006. There is a concept of ‘effective personnel’ contained in ISO 50003 but there is no such term used in ISO 27006. IAF MD 5 also includes the concept of ‘effective personnel’ for QMS and EMS audits.
Does the committee consider this acceptable?
March 2018
Annex B of ISO 27006 states:
“The total number of persons doing work under the organization’s control for all shifts is the starting point for determination of audit time.”
The concept in the 2 documents is the same: the effective personnel is the personnel falling into the scope of the QMS or ISMS, which means potentially each and every person who is utilizing the ISMS or the QMS.
The concept in ISO 50003 (Annex A) is different, as the effective personnel is defined as personnel “who materially impact the EnMS”.
The criteria of IAF MD 5, i.e. the effective number of personnel, should be the one taken into account for implementing ISO 27006.

