
FAQ

Question 48.6 Audit time determination to ISO/IEC 27006-1:2024, determination of initial number of persons (C.3.4)

The definition in ISO/IEC 27006-1 for the initial number of persons (C.3.4) is:

A reduction in the number of persons performing identical activities shall be made based on the risk of the activities associated with the tasks. The square root of the head count of people performing each identical activity may be used to determine the effective number of people, which is used for audit duration calculations, rounded up to the next full number. This number shall be the maximum reduction of the head count allowed.

Example:

Company with 144 FTE (square root = 12)

Reduction for each identical activity:

49 technicians = 7 (square root)
49 support personnel = 7
49 service desk personnel = 7

Total reduction: 21

Is the total reduction in this case 21 instead of 12 FTE?

(The difference in audit time between 12 and 21 FTE would be 1 day for this example)

September 2024

This question may be related to other similar questions already raised and answered by the EACC in the past (although referring to other schemes), such as EA FAQ 44.1. When addressing the use of the square root method, it was noted that “…This could be an appropriate approach. However, with such big reductions, it should be limited to similar/repetitive activities/processes/functions that are considered simple in the way that they require limited skills/knowledge/education, are executed under direction by others, and what they do has a limited effect on the outcome of the management system or its scope (ref. e.g., type of functions listed in IAF MD 5 – Clause 2.3.4)…”.

This said, the accredited CB shall establish, justify and document the criteria related to the relevant activities/positions/functions subject to the referred reduction, and the consideration of the risks connected with their effect on the specific management system.

It is difficult to understand from the example what the risk of each of the identified activities is. However, it is clear from ISO/IEC 27006-1 that the calculation cannot be applied directly to the entire number of FTEs of the organization (144) but rather to the head count of people performing each relevant identical activity, for which proper justification is presented.

Therefore, the answer is that the acceptable total reduction in this case is 21, the sum of the square roots applied to each category of personnel; this square root calculation for each category is possible as long as the category is relevant according to the answer to 44.1, i.e. it consists of similar activities.

It should be noted that the final consideration should always be that the CAB ensures that sufficient audit time is allocated for a complete and effective audit in line with cl. 9.1.4.