When you purchase a copy of the information security standard and begin to investigate what the requirements are, it can be confusing as there seems to be both an older and a newer version. You may even see both dates in the title of the published standard.
- What’s changed?
- Are there different requirements?
The short answer is that there are no significant changes to what you need to do to meet the requirements of the standard – the changes are minor, such as the addition of ‘EN’ to the title and the incorporation of the 2017 date. There are some minor changes to wording and layout, but not to the requirements. The change largely came about to indicate approval by a European standards body in addition to ISO.
Just to reiterate, there are no differences in what you must do to achieve certification to the standard by a UKAS accredited certification body (2013 compared to 2017).
As for the other minor changes, in Annex A there is a change which places emphasis on information as an asset:
- In the 2013 edition, ‘entities are called on to create an inventory of assets (on information)’
- In the 2017 edition, information itself is specifically named as an asset
Another minor change, made for clarity of presentation, concerns the Statement of Applicability in clause 6.1.3: the 2013 edition presented the requirements as a single list, whereas the 2017 edition sets them out as four bulleted points:
- The necessary controls
- Justifications for their inclusion
- Whether the necessary controls are implemented
- Justification for the exclusion of any Annex A controls
These minor changes emphasise existing requirements rather than add new ones.
To find out more about ISO 27001 and for assistance in achieving certification to the information security management system standard contact one of our consultants on 01236 734447.