In practical terms, very little has changed between the 2013 and 2017 ISO 27001 standards except for a few minor cosmetic points and a small name change.
The latest published version of the ISMS standard is – BS EN ISO/IEC 27001: 2017.
The ISO version of the standard (2013) was not affected by the 2017 publication and the changes do not introduce any new requirements.
For those seeking a UKAS accredited ISO 27001 certification, UKAS accredits to the ISO standard so there are no modifications affecting your certification status and therefore no additional transition activities are introduced by this revision.
The 2017 change was introduced to indicate approval by CEN/CENELEC for the EN designation (“European Standard”).
The updated BS does, however, incorporate two previously issued Corrigenda/Amendments to ISO 27001:2013, specifically in Clause 6.1.3 and Annex A clause 8.1.
Let’s take a look at what those Corrigenda covered:
Corrigendum 1: ISO/IEC 27001:2013/Cor.1:2014(en) – published 2014
A.8.1.1 (Inventory of Assets), replaces the control’s objective text from:
“Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
“Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
The change made it explicit that information itself must also be considered as an asset and be included in the inventory.
For those using ISMS.online, the guidance notes provided in Subclause A.8.1.1, along with our ISO 27001 Virtual Coach, take this into consideration fully.
Unlike some of the older tools on the market, ISMS.online uses an information asset-based approach to risk management so you can be sure this important amendment has been addressed.
Read more about How to develop an Asset Inventory.
Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015(en) – published 1/12/2015
This involved changes to Subclause. 6.1.3 (Information Security Risk Treatment), and specifically to item d), about the Statement of Applicability (SoA). It was just a cosmetic adjustment, separating the required content for a SoA from the main paragraph into separated bullets, making it clearer that an SoA must contain at least four elements:
The necessary controls to implement the information security risk treatment, considering not only those in Annex A but also controls designed by the organization as required, as well as others identified from any source (e.g., controls from NIST SP 800 series of documents)
Justification for inclusion of these controls
The controls status (e.g. implemented or not)
The justification for excluding any of the Annex A controls
The ISO 27001 Statement of Applicability is often considered one of the more onerous tasks in the Standard, both to create and keep up-to-date. You can read our article, Statement of Applicability Simplified to learn more.
With ISMS.online, the Corrigendum items have been incorporated, both in terms of the guidance and tools you will use to fast-track your ISO 27001 implementation and reduce the ongoing management time of your ISMS.
Looking for simple steps to implement or improve your ISO 27001 ISMS?
Not ready to get started? Subscribe to receive more articles like this.
The information in this blog is for general guidance and does not constitute legal advice.
Julia Heron is the ISMS Solutions Specialist for ISMS.online.