When you purchase a copy of the information security standard ISO 27001 and delve into its requirements, you might come across two versions: ISO 27001:2013 and ISO 27001:2017. In this article, we’ll clarify the differences between these older and newer versions and what they mean for your certification process.
Changes and Requirements: ISO 27001:2013 vs. ISO 27001:2017
If you’re wondering what has changed between ISO 27001:2013 and ISO 27001:2017, the answer is not much in terms of requirements. The core requirements remain the same, with only minor adjustments such as the addition of ‘EN’ to the title and the incorporation of the 2017 date. These changes largely indicate approval by a European standards body in addition to ISO.
To emphasise: whether you are following ISO 27001:2013 or ISO 27001:2017, there is no difference in what you must do to achieve certification to the standard by a UKAS-accredited certification body.
Minor Changes in ISO 27001:2017
Emphasis on Information as an Asset: In Annex A, there’s a noteworthy change which places emphasis on the importance of information as an asset. While the 2013 edition called for creating an inventory of assets, the 2017 edition specifically names information itself as an asset.
Statement of Applicability: Another minor change, introduced for clarity of presentation, concerns the Statement of Applicability in clause 6.1.3. In the 2013 edition, its contents were given as a single list; in the 2017 edition, they are presented as four bulleted points:
- The necessary controls
- Justification for their inclusion
- Whether the necessary controls are implemented
- Justification for excluding any Annex A controls
These minor changes are more about emphasising existing principles than introducing new requirements.
Understanding the differences between ISO 27001:2013 and ISO 27001:2017 is crucial for organisations looking to maintain their information security standards. While the core requirements remain consistent, these minor changes reflect updates in presentation and emphasis, ensuring that your security measures align with the latest standards.
Get Assistance with ISO 27001 Certification
If you’re seeking more information about ISO 27001 or need assistance in achieving certification for your information security management system, don’t hesitate to contact one of our consultants at 01236 734447.