
FAQ

Question 48.5 Audit time determination to ISO/IEC 27006-1:2024, for multisite (C.6)

The definition in ISO/IEC 27006-1 for multi-site under C.6 is:

Generally, the total audit time for on-site audit shall be calculated by considering the total number of persons doing work under the organization’s control irrespective of their location.

Alternatively, for justified reasons which shall be documented, it is permitted to sum the audit times which are individually calculated for each site, as long as this total audit time is larger than that defined in accordance with the first paragraph of this clause.

These two requirements seem to contradict the requirements in IAF MD1, and the second sentence in C.6 seems illogical since the sum of the individual calculations is always greater than using the total sum of the FTE in a company.

Example: a company has a total of 150 FTE in 3 locations, each with 50 FTE. Audit time in total for the whole organization would be 13 days. The total for all 3 locations would be 10 days per site, which equals 30 days if calculated separately.

Question: How do we deal with this requirement internationally in a harmonized way and does it overwrite IAF MD1?

September 2024

ISO/IEC 27006-1 shall be applied, as stipulated in the scope of IAF MD1.