ISO/IEC 27001 revision

The internationally acclaimed standard for information security management (ISO/IEC 27001) and accompanying ISO/IEC 27002, ‘Code of practice for information security management controls’ have been revised, with the new versions released October 2013. You can now work with us to get your ISO/IEC 27001:2013 certificate that is UKAS accredited.

What are the main changes?

The revised standard has been written using the new high level structure, which is common to all new management systems standards. This will make integration straightforward when implementing more than one management system
Terminology changes have been made and some definitions have been removed or relocated
Risk assessment requirements have been aligned with BS ISO 31000
Management commitment requirements have a focus on “leadership”
Preventive action has been replaced with “actions to address, risks and opportunities”
SOA requirements are similar, with more clarity on the need to determine controls by the risk treatment process
Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships.
Greater emphasis is on setting objectives, monitoring performance and metrics

I’m interested in certifying to ISO/IEC 27001 now – what should I do?

ISO/IEC 27001:2005 is currently still valid. If you are close to implementing your ISO/IEC 27001 management system we can assess you against the ISO/IEC 27001:2005 standard, as long as your visits are completed by 1 October 2014. We can then work with you to complete your transition to the new ISO/IEC 27001:2013 version during your continual assessment visits.

If you are still in the very early stages of adopting ISO/IEC 27001, or unlikely to be able to go through the assessment visits before 1 October 2014, we would recommend that you work towards certification against ISO/IEC 27001:2013.

Return to the ISO/IEC 27001 pages to find out how we can help you on your journey to certification

I’m currently certified to ISO/IEC 27001 – what do I need to do?

We are here to make sure that as an existing ISO/IEC 27001:2005 certification customer you have all the information and tools that you need to understand the changes to the standard. We will work with you to make sure your transition to the new standard is completed as part of your planned certification surveillance visits before 1 October 2015 deadline. If you haven't started to do so already, please liaise with you client managet to discuss appropriate timescales to complete your transition.

A free transition guide is available, giving you an overview of the main differences and proving pointers on key aspects you should consider.

Download our ISO/IEC 27001 transition guide
Download ISO/IEC 27001 mapping document