• ISO 27001 STANDARD HAS BEEN REVISED


The TS ISO/IEC 27001:2013 Information Security Management System Standard was approved and revised by CEN (European Standardization Committee) in 2017. EN ISO/IEC 27001:2017 is the European version of the relevant standard. The ISO version of the standard is not affected and the changes do not impose any new requirements. This update is not a change from ISO/IEC, but only a regional update reflecting acceptance by CEN/CENELEC.

This new version of the ISO/IEC 27001 standard, approved by CEN/CENELEC, is the same as the 2013 standard, except that it includes two corrections (Article 6.1.3 and Annex A Control 8.1) published as corrigenda in 2014 and 2015. There are no new requirements.

This update does not affect your existing TS ISO/IEC 27001:2013 certificates. The newly issued certificates will be published as TS EN ISO/IEC 27001:2017 upon request.

The changes in Article 6.1.3 and Annex A Control 8.1 are as follows:

1- Related Article in the ISO 27001:2013 Standard (6.1.3.d)

6.1.3.d produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

1- The relevant article of the ISO 27001:2017 Standard Revision has been changed as follows (6.1.3.d)

d) produce a Statement of Applicability that contains:

• the necessary controls (see 6.1.3 b) and c));

• justification for their inclusion;

• whether the necessary controls are implemented or not; and

• the justification for excluding any of the Annex A controls.

2- Related Article in the ISO 27001:2013 Standard (Annex A 8.1.1)

8.1.1 Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

2- The relevant article of the ISO 27001:2017 Standard Revision has been changed as follows (Annex A 8.1.1)

8.1.1 Control: Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Supporting standards

There has also been an update to ISO/IEC 27002:2017, Code of practice for information security controls, based on the corrections to control 8.1. They are:

8.1.1 Inventory of assets
Control
Information, other assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

8.1.3 Acceptable use of assets


Implementation guidance

Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization’s assets associated with information and information processing facilities and resources.

