Since the publication of ISO/IEC 27006 AMD-1: 2020, the state requirements for multi-site organisations have changed, leading to possible confusion with regard to audit time calculation.
Question: Can the audit time for a multi-site organisation be calculated as if it was a single site?
September 2021
No, Audit Time has to be calculated on the basis of the characteristics of each specific site that is part of the sample. For each site the audit time must be coherent with consideration based on the indication of § 9.1.5.1.2 and the number of people that has access to each specific site. What the amendment states is that this number cannot be less that if it was calculated on the basis of a single site, when and if such situation could be.