What You Need to Know about ISO 27001 Changes Between 2013 and 2017
Being in a business that handles sensitive data means keeping up with the latest recommendations and requirements for data security. Often, changes to best practices will develop over time. Having partners who can keep you up to date and help you understand what’s changed can keep you in compliance and keep your most sensitive information safe.
The observant will notice that many websites are now offering ISO 27001:2017 in place of the previous ISO 27001:2013. As a result, you are probably wondering what the changes mean for you. Do you need to make some changes to internal processes? Will you be required to recertify? The short answer to the second question is “no.” The answer to the first is “probably not.” So, what is different between the two iterations?
Differences Between ISO 27001:2013 and ISO 27001:2017
There are actually only a few very minor changes between the two. One is just a name change to reflect a regional update. ISO 27001 was adopted as a standard at the EU level in 2017. This led to the inclusion of the letters “EN” in “BS EN ISO/IEC 27001:2017” along with the 2017 date.
There are also two very minor changes to the wording regarding some of the controls in Annex A. The first applies to assets. In the 2013 version, entities are called on to create an inventory of assets that have to do with information. In 2017, information itself is specifically named as an asset. As a result, there is a call to specifically inventory information.
The other change is strictly aesthetic. In the 2013 version, the items that go on the Statement of Applicability are presented as a list. In the 2017 version, they are presented as a series of four bulleted points. The four items on the list remain, however, unchanged. They are:
- the necessary controls;
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
In both cases, it appears that the changes were made specifically for emphasis. They do not introduce any new requirements or practices. Rather, they call closer attention to requirements that already exist.
Putting Information in Your Asset Inventory
ISO 27001 treats information as an asset, and the updated language stresses the importance of safeguarding it.
It only makes sense to treat information as an asset and to safeguard it appropriately. The loss of sensitive data can be even more devastating to your business than the loss of physical assets. Data loss can lead to huge financial losses, liability and even irreparable harm to your reputation. During inventory, it is vital to assess how important a piece of information is, what the risks associated with it are and who is in charge of safeguarding that asset.
The reason for this categorization is to properly assess your risk. After all, if you have not accurately assessed vulnerabilities relating to information assets, you are at risk of failing to properly safeguard that information. Taking on an asset inventory as part of your certification helps you ensure that you’ve covered every base.
Getting Statements of Applicability Right
Many consider the Statement of Applicability the most onerous part of certification. However, this document is an important part of the assurances for your auditors and other interested parties, and it gives a sense of the depth and breadth of your information security management system (ISMS). It is also often used to identify controls that you need for other reasons, including contracts and managing legislation that applies to your firm.
By changing the format of this part of ISO 27001 to emphasize the four parts of this requirement, the authors make it clearer what is required. While the process of cataloging everything can be difficult, having everything neatly in place means having an information security system that is easier to implement and more likely to keep you in compliance.
Is ISO 27001 certification right for your organization? We can help you understand the benefits, as well as the requirements for certification. Get in touch with I.S. Partners, LLC for a consultation. Call us at 215-675-1400 or request a quote online.