{"id":12693,"date":"2017-10-25T08:10:16","date_gmt":"2017-10-25T08:10:16","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=12693"},"modified":"2024-12-21T13:15:24","modified_gmt":"2024-12-21T13:15:24","slug":"european-2017-revision-of-isoiec-27001-what-has-changed","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2017\/10\/25\/european-2017-revision-of-isoiec-27001-what-has-changed\/","title":{"rendered":"European 2017 Revision of ISO\/IEC 27001: What has changed?"},"content":{"rendered":"<p>Released at the beginning of April 2017 by BSI (the British Standards Institution), the standard BS EN ISO\/IEC 27001:2017 is a corrigendum to the previous standard BS ISO\/IEC 27001:2013. It has raised some concern among organizations with Information Security Management Systems certified against <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, the leading ISO standard for information security risk management. BSI stated that it incorporates the previous amendments (each called a \u201ccorrigendum\u201d) released for ISO 27001.<\/p>\n<p>In this article, we\u2019ll provide you with information about what has changed in this new version, and the impact of these changes on ISO 27001-certified ISMSs. We\u2019ll also let you know what organizations should consider with regard to this new standard.<\/p>\n<h2>What is a technical corrigendum?<\/h2>\n<p>A technical corrigendum is a publication used by standardization bodies for the purpose of amending an existing standard: to correct minor technical flaws, implement usability improvements, or include limited-applicability extensions.<\/p>\n<p>Amendments that are considered relevant are released during the current life-cycle of a standard\u2019s version. 
They are also expected to be included as updates at the standard\u2019s next scheduled review.<\/p>\n<h2>ISO 27001-related corrigenda<\/h2>\n<p>ISO 27001 has three related corrigenda (where \u201ccorrigenda\u201d is the plural of corrigendum), dated September 2014, December 2015, and March 2017. The first two were published by ISO (the International Organization for Standardization) and the last one by BSI. These corrigenda cover the following issues:<\/p>\n<p>The September 2014 corrigendum was related to control A.8.1.1 (Inventory of Assets), replacing the control\u2019s objective text from:<\/p>\n<p style=\"text-align: center;\"><em>\u201cAssets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.\u201d<\/em><\/p>\n<p>to:<\/p>\n<p style=\"text-align: center;\"><em>\u201cInformation, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.\u201d<\/em><\/p>\n<p>This change makes it explicit that information itself must also be considered an asset to be included in the inventory. 
<a href=\"https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:27001:ed-2:v1:cor:1:v1:en\" target=\"_blank\" rel=\"noopener noreferrer\">Click here to see this corrigendum.<\/a> See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/how-to-handle-asset-register-asset-inventory-according-to-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to handle Asset register (Asset inventory) according to ISO 27001<\/a>.<\/p>\n<p>The December 2015 corrigendum was related to sub-clause 6.1.3 (Information Security Risk Treatment), specifically to item d), about the <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&#038;doc=statement-of-applicability\" target=\"_blank\" rel=\"noopener\">Statement of Applicability (SoA)<\/a>. It was just a cosmetic adjustment, separating the required content for an SoA out of the main paragraph into separate bullets. In my opinion, this adjustment makes it clearer that an SoA must contain at least four elements:<\/p>\n<ul>\n<li>The necessary <a href=\"https:\/\/staging.advisera.com\/27001academy\/documentation\/statement-of-applicability\/\" target=\"_blank\" rel=\"noopener noreferrer\">controls<\/a> to implement the information security risk treatment, considering not only those in Annex A but also controls designed by the organization as required, as well as others identified from any source (e.g., controls from the NIST SP 800 series of documents)<\/li>\n<li>The justification for the inclusion of these controls<\/li>\n<li>The controls\u2019 status (e.g. 
implemented or not)<\/li>\n<li>The justification for excluding any of the Annex A controls<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:27001:ed-2:v1:cor:2:v1:en\" target=\"_blank\" rel=\"noopener noreferrer\">Click here to see this corrigendum.<\/a> See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/the-importance-of-statement-of-applicability-for-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">The importance of Statement of Applicability for ISO 27001<\/a>.<\/p>\n<p>The last corrigendum, from March 2017, is related to the British version of the standard (BS ISO\/IEC 27001:2013) and changes almost nothing. The changes comprise the standard\u2019s renumbering to BS EN ISO\/IEC 27001:2017, to reflect its status as a now recognized \u201cEuropean Standard\u201d (signaled by the letters \u201cEN\u201d), and the inclusion in the standard\u2019s text of the changes made by ISO\u2019s two previous corrigenda. The recognition as a \u201cEuropean Standard\u201d was approved by CEN\/CENELEC (the European Committee for Standardization \u2013 CEN; and the European Committee for Electrotechnical Standardization \u2013 CENELEC), European standards bodies recognized by the European Union.<\/p>\n<p>The new \u201cEN\u201d status means that the 34 member countries of CEN\/CENELEC must adopt the standard at a national level and withdraw any standard(s) conflicting with it. 
For companies certified against ISO 27001, this doesn\u2019t change anything \u2013 it only means that local standardization bodies must ensure that other local information security standards comply with this European ISO 27001.<\/p>\n<h2>What do these corrigenda mean to my certified ISMS and what should I do?<\/h2>\n<p>Since none of these corrigenda added new requirements to the standard, and most certification bodies are accredited for services related to the ISO version of the standard, these amendments will have no impact on the status of currently certified ISMSs.<\/p>\n<p>For those organizations certified against the British version of the standard, BS ISO\/IEC 27001:2013, the single change to be made is updating the standard reference in their documentation to BS EN ISO\/IEC 27001:2017.<\/p>\n<p>In terms of standard documentation, those with copies of ISO 27001:2013 should consider downloading a copy of the ISO corrigenda (from the links mentioned above), keeping copies of them with their standard\u2019s documentation, and communicating at least the changes to control A.8.1.1 to <a href=\"https:\/\/staging.advisera.com\/27001academy\/documentation\/inventory-of-assets\/\" target=\"_blank\" rel=\"noopener noreferrer\">asset<\/a> owners. 
Although there are no significant <a href=\"https:\/\/staging.advisera.com\/27001academy\/documentation\/change-management-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\">changes<\/a> with these corrigenda, this action would demonstrate due diligence regarding documentation change monitoring, which is the type of thing appreciated by certification auditors.<\/p>\n<p>For those organizations with copies of BS ISO\/IEC 27001:2013, you should contact your standard publisher regarding the availability of the updated version (in some cases these updates are provided free of charge).<\/p>\n<h2>Standards are also living documents<\/h2>\n<p>Although the changes implemented in BS EN ISO\/IEC 27001:2017 have not brought any new requirements, and have no impact on ISO-certified ISMSs, in my opinion, the modifications added value by making some issues clearer. Above all, it signals that European organizations, and those operating in European countries, must take this standard more seriously.<\/p>\n<p><em>To learn how to implement ISO 27001 in the most cost-efficient way when compared to other solutions, and to save your employees time,<\/em>\u00a0<a href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\">sign up for a 14-day free trial<\/a>\u00a0<em>of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Released at the beginning of April 2017 by BSI (the British Standards Institution), the standard BS EN ISO\/IEC 27001:2017 is a corrigendum to the previous standard BS ISO\/IEC 27001:2013. 
It has raised some concern among organizations with Information Security Management Systems certified against ISO 27001, the leading ISO standard for information security risk management. It was &#8230;<\/p>\n","protected":false},"author":41,"featured_media":12694,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[381,1657,1658,1659],"class_list":["post-12693","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-27001","tag-bs-en-27001","tag-2017-corrigendum","tag-new-version"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/12693","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=12693"}],"version-history":[{"count":1,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/12693\/revisions"}],"predecessor-version":[{"id":103223,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/12693\/revisions\/103223"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/12694"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=12693"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=12693"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?po
st=12693"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}