BS EN ISO/IEC 27001:2017 – what has changed?
There is a new European version of ISO/IEC 27001:2017 which includes approval by CEN/Cenelec. It incorporates the two corrected items from 2016 in Clause 6.1.3 and Annex A control 8.1. The 2013 version is now withdrawn by the UK.
Following this approval by CEN/Cenelec in Europe you will now see BS EN ISO/IEC 27001:2017 available in our shop and your membership/subscription, in place of the withdrawn ISO/IEC 27001:2013. This is not a change from ISO/IEC; it is a regional update that simply reflects acceptance by CEN/Cenelec and contains no other modifications requiring action on your part. We therefore have no current plans to update certificates to the 2017 version, so you will continue to receive an ISO/IEC 27001:2013 certificate at this stage. We will notify certification clients if this changes in the future.
There has also been an update to ISO/IEC 27002:2017, Code of practice for information security controls, based on the corrections to control 8.1, which you may wish to consider when reviewing your security controls. The updated controls are:
8.1.1 Inventory of assets
Information, other assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.
8.1.3 Acceptable use of assets
Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization’s assets associated with information and information processing facilities and resources.
ISO/IEC 27000:2017, Overview and vocabulary, is also updated to remain aligned.
Frequently asked questions
I’m an existing client certified to ISO/IEC 27001:2013 – will my certification be updated to ISO/IEC 27001:2017?
No, at this stage it is only a BS EN implementation of the ISO/IEC 27001:2013 standard so your certification will remain against ISO/IEC 27001:2013. These changes don’t affect the way we audit and the certificates we provide. We will update you if the situation changes in the future.
I’m interested in certification – will BSI now certify me to ISO/IEC 27001:2017?
No, all certifications for new clients will still be issued against the global ISO/IEC 27001:2013 at this stage. The requirements outlined in BS EN ISO/IEC 27001:2017 still cover the scheme requirements, so by purchasing a copy of the latest version you will be prepared for a BSI assessment audit for ISO/IEC 27001 certification.