Rhand Leal Released at the beginning of April 2017 by BSI (the British Standards Institution), the standard BS EN ISO/IEC 27001:2017 is a corrigendum over previous standard BS ISO/IEC 27001:2013. It has raised some concern among organizations with Information Security Management Systems certified against ISO 27001, the leading ISO standard for information security risk management. It was stated by BSI that it incorporates previous amendments (called a “corrigendum”), released for ISO 27001.
In this article, we’ll provide you information about what has changed in this new version, and the impact of these changes to ISO 27001 certified ISMSs. We’ll also let you know what organizations should consider with regards to this new standard.
What is a technical corrigendum?
A technical corrigendum is a publication used by standardization bodies with the purpose to amend an existing standard, to correct minor technical flaws, implement usability improvements, or include limited-applicability extensions.
Such amendments that are considered relevant are released during the current life-cycle of a standard’s version. They are also expected to be included as updates at the standard’s next scheduled review.
ISO 27001 related corrigenda
ISO 27001 has three related corrigenda (where “corrigenda” is the plural of corrigendum), dated from September 2014, December 2015, and March 2017. The first two were published by ISO (the International Organization for Standardization) and the last one by BSI. These corrigenda cover the following issues:
September 2014 corrigendum was related to control A.8.1.1 (Inventory of Assets), replacing the control’s objective text from:
“Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
to:
“Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.”
This change now makes it explicit that information itself also must be considered an asset to be included in the inventory. Click here to see this corrigendum. See also: How to handle Asset register (Asset inventory) according to ISO 27001.
The December 2015 corrigendum was related to sub-clause 6.1.3 (Information Security Risk Treatment), specifically to item d), about the Statement of Applicability (SoA). It was just a cosmetic adjustment, separating the required content for a SoA from the main paragraph into separated bullets. In my opinion this adjustment makes clearer that an SoA must contain at least four elements:
- The necessary controls to implement the information security risk treatment, considering not only those in Annex A but also controls designed by the organization as required, as well as others identified from any source (e.g., controls from NIST SP 800 series of documents)
- Justification for inclusion of these controls
- The controls status (e.g. implemented or not)
- The justification for excluding any of the Annex A controls
Click here to see this corrigendum. See also The importance of Statement of Applicability for ISO 27001.
The last corrigendum, from March 2017, is related to the British version of the standard (the BS ISO/IEC 27001:2013) and it changes almost nothing. Changes comprise the standard’s renumbering to BS EN ISO/IEC 27001:2017, to reflect its status as a now recognized “European Standard” (signaled by the letters “EN”), and the inclusion in the standard’s text of the changes made by ISO’s two previous corrigenda. The recognition as a “European Standard” was approved by CEN/CENELEC (the European Committee for Standardization – CEN; and the European Committee for Electrotechnical Standardization – CENELEC), European standard bodies recognized by the European Union.
The new “EN” status means that the 34-member countries of CEN/CENELEC must adopt the Standard at a national level and withdraw any standard(s) conflicting with it. For companies that are certified against ISO 27001 that doesn’t change anything – it only means that local standardization bodies must take care that other local information security standards must comply with this European ISO 27001.
What do these corrigenda mean to my certified ISMS and what should I do?
Since neither corrigenda added new requirements to the standard, and most certification bodies are accredited for services related to the ISO version of the standard, these amendments will have no impact on the status of current certified ISMS.
For those organizations certified against the British version of the standard, the BS ISO/IEC 27001:2013, the single change to be made is the updating of the standard reference on documentation to BS EN ISO/IEC 27001:2017.
In terms of standard documentation, those with copies of ISO 27001:2013 should consider download a copy of ISO corrigenda (from the links above mentioned), keep copies of them with their standard’s documentation and communicate at least the changes on control A.8.1.1 to asset owners. Although there are no significant changes with these corrigenda, this action would demonstrate due diligence regarding documentation change monitoring, which is the type of thing appreciated by certification auditors.
For those organizations with copies of the BS ISO/IEC 27001:2013, you should contact your standard publisher regarding the availability of the updated version (in some case these updates are provided free of charge).
Standards also are living documents
Although the changes implemented on BS EN BS EN ISO/IEC 27001:2017 have not brought any new requirements, and have no impact on ISO certified ISMSs, in my opinion the modifications added value by making some issues clearer. Above all, it signals that European organizations, and those operating in European countries, must take this standard more seriously.
To remind yourself of the concepts of the 2013 revision of ISO 27001 if you are a veteran, or learn about this standard if you are a beginner, try this free ISO 27001 Foundations Online Course.
