
ISO 27001 - The Tale of Two Standards?

20 June 2018
Some of you may have noticed two versions of the 27001 standard: ISO/IEC 27001:2013 and BS EN ISO/IEC 27001:2017. So what’s the difference I hear you ask – Nothing, sort of!

As happens from time to time, an existing international standard, ISO/IEC 27001:2013, has been adopted as a EuroNorm (EN) standard and becomes EN ISO/IEC 27001:2017; it is often offered with a national prefix before the EN (for example, BS for the British Standard).

The newer version, BS EN ISO/IEC 27001:2017, is a European version of the standard which includes approval by CEN/Cenelec. The ISO version of the standard is not affected and the changes do not introduce any new requirements. The change has been introduced to highlight approval by CEN/Cenelec for the EN (European) designation. This is not a change from ISO/IEC 27001:2013; it is just a regional update to reflect its acceptance by CEN/Cenelec.

The update to the BS EN version incorporates the two previously issued corrigenda/amendments to Clause 6.1.3 and Annex A control 8.1. Copies of the standard currently available incorporate both of these corrections.

If you try to buy a copy of the 27001 standard you should only see 27001:2017; however, it is still the correct version. As ISO 27001 is an international standard it cannot be altered except by the ISO technical committee designated to oversee it.

So this 2017 standard is identical to the 2013 standard except that two very minor rewordings, issued as corrigenda in 2014 and 2015, have been incorporated into it. There are no new requirements.

So what does this mean to your ISO/IEC 27001:2013 certification? Will you need to update to the latest ISO/IEC 27001:2017 version?

No. Currently the BS EN is only an implementation of the ISO/IEC 27001:2013 standard, so any existing certification will remain against ISO/IEC 27001:2013. Any new certification will also be issued against the global ISO/IEC 27001:2013 version.