
ISO27001 2017 Revision – What’s it all about?


The more observant of you may have noticed that on some websites, including BSI in the UK, the version of the ISO/IEC 27001 standard being offered for sale is dated 2017. Does this mean that we all need to re-certify to a new version of the standard?

The short answer is “No”. There are no significant changes to the standard, you don’t need to re-certify and (just to reassure you) the CertiKit ISO/IEC 27001 toolkit is still completely applicable.

So What’s Happened?

The longer answer is that the 2017 date applies only to “BS EN ISO/IEC 27001:2017”, and it is the “EN” part that has changed: ISO/IEC 27001 has been ratified as a European standard, hence the addition of the letters “EN” and the 2017 date. We put the question to BSI when they first published this version on their website, and the response we received was as follows:

“I can confirm it was BS ISO/IEC 27001 that was published in 2013 but it was adopted as a European Standard in 2017 and hence BSI republished as BS EN ISO/IEC 27001:2013. You are correct there has been no revision in ISO since 2013, the content of the standard is the same.”

There are two very minor amendments to the wording of some of the controls in Annex A (which correspond to our understanding and hence are catered for in the toolkit) but no new requirements.

UKAS has released a bulletin which states their position on this issue:

“Please be aware that the ISO version of the standard is not affected and the changes do not introduce any new requirements. The change has been introduced to indicate approval by CEN/CENELEC for the EN designation. The updated BS does however incorporate two previously issued Corrigenda/Amendments in Clause 6.1.3 and Annex A clause 8.1.

As UKAS accredits to the ISO standard there are no modifications affecting your accreditation status and therefore no additional transition activities are introduced by this revision.”

The Changes in Detail

OK, so there are some changes, but I think you’ll agree that they are pretty subtle and unlikely to send you back to the drawing board. The changes in detail are as follows:

Technical Corrigendum 1

Page 12, Subclause A.8.1.1

Replace

Control

Assets associated with information and information processing facilities shall be identified and an inventory of these assets should be drawn up and maintained.

with

Control

Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.


Technical Corrigendum 2

Page 4, Subclause 6.1.3

Replace

Control

d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

with

Control

d) produce a Statement of Applicability that contains:

  • the necessary controls (see 6.1.3 b) and c));
  • justification for their inclusion;
  • whether the necessary controls are implemented or not; and
  • the justification for excluding any of the Annex A controls.

In Summary

So, in short, there is no new ISO27001 just yet, and as we enter 2018 no major revision appears to be on the horizon from SC27 (the ISO sub-committee that creates and revises standards in this area).

Watch this space and for now I hope this clears up a potentially confusing situation.
