Revision to ISO 27001 released today – ISO/IEC 27001:2013 Technical Corrigendum 2

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have today published a revision to the international standard for information security management, ISO 27001.

Under ISO 27001:2013, organisations needn’t use controls exclusively from Annex A – as they did under the previous iteration of the Standard, ISO 27001:2005. If controls from elsewhere are used, however, they must be compared with the Annex A controls and this must be documented.

Technical Corrigendum 2 updates Subclause 6.1.3 to clarify what is required of the Statement of Applicability (SOA).

Subclause 6.1.3 now reads:

The organization shall define and apply an information security risk treatment process to:


d) produce a Statement of Applicability that contains:

  • the necessary controls (see 6.1.3 b) and c));
  • justification for their inclusion;
  • whether the necessary controls are implemented or not; and
  • the justification for excluding any of the Annex A controls.

ISO 27001 implementation

IT Governance has been helping organisations implement ISO 27001 for well over a decade, and is your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software to help you implement an information security management system in your organisation.

Starting at just £380, our ISO 27001 Packaged Solutions combine all of these resources in fixed-price packages to suit all needs. Click here for more information >>

Alternatively, please call 0845 070 1750 to talk to us about your ISO 27001 needs.

Share now…

Share on Twitter Share on Facebook Share on LinkedIn