Revision to ISO 27001 - Information Security Management System - The New 2013 Version
ISO 27001, the international standard for information security management systems, has been revised effective from 01 October 2013, with ISO 27001:2013 replacing the previous 2005 version.
As is usual with ISO standard revisions, there is a transition period for certification bodies and their clients alike, to allow any changes in the new version to be understood and properly addressed before new certificates can be issued.
A two-year transition period for this new version is in place, supported by an IAF statement which reads:
"The General Assembly, acting on the recommendation of the Technical Committee, resolved to endorse ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements, as a normative document. The General Assembly further agreed that the deadline for conformance to ISO/IEC 27001:2013 will be two years from the date of publication."
One year after publication of ISO/IEC 27001:2013, all new accredited certifications issued shall be to ISO/IEC 27001:2013.
ISO 27001:2013 - What are the main changes?
There were two major influences on the revision:
1) Alignment with Annex SL to Part 1 of the ISO/IEC Directives
ISO has mandated that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives.
This ensures that management system requirements that are not discipline specific are identically worded in all management system standards.
This benefits organisations that operate integrated management systems (e.g. ISO 9001 and ISO 27001).
2) Alignment with ISO 31000 (Risk Management)
Risk assessment principles of ISO 27001 have been aligned with guidance provided in ISO 31000. This benefits organisations that operate integrated management systems since the same risk assessment methodology can be used across various standards.
There are, of course, other changes, including ISMS-specific changes such as those in Annex A of the standard.
WHAT DOES THIS MEAN FOR YOU?
If you already hold a Bureau Veritas Certificate to ISO27001:2005
Bureau Veritas Certification can perform audits against the 2013 version from 01 March 2014. A minimum of one additional audit day will be added to existing surveillance times to perform the transition audit to the 2013 version.
Your Bureau Veritas Certification contact will discuss and agree this as part of the usual planning for your surveillance visit.
When do I need to upgrade my existing certificate?
You must transition to the new version by 01 October 2015. Where possible, Bureau Veritas Certification will perform the transition visit together with your existing surveillance visit. If you are due to be recertified in 2014 and are ready to transition to the new version, this can be done at the same time.
Will I get a new certificate?
Yes, new certificates will be issued.
If you are considering applying for certification of your ISMS with Bureau Veritas Certification
From 01 October 2014, all new ISMS accredited certificates must be to the 2013 version. Therefore, it would be beneficial to build your ISMS against the 2013 requirements from the beginning. Bureau Veritas Certification will review each new client at the contract stage to ensure your requirements are clearly understood.
Your Bureau Veritas Certification contact will be available to discuss any specific queries you may have.
0845 600 1828