The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have today published a revision to the international standard for information security management, ISO 27001.
Under ISO 27001:2013, organisations needn’t use controls exclusively from Annex A – as they did under the previous iteration of the Standard, ISO 27001:2005. If controls from elsewhere are used, however, they must be compared with the Annex A controls and this must be documented.
Technical Corrigendum 2 updates Subclause 6.1.3 to clarify what is required of the Statement of Applicability (SOA).
Subclause 6.1.3 now reads:
The organization shall define and apply an information security risk treatment process to:
d) produce a Statement of Applicability that contains:
- the necessary controls (see 6.1.3 b) and c));
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
ISO 27001 implementation
IT Governance has been helping organisations implement ISO 27001 for well over a decade, and is your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software to help you implement an information security management system in your organisation.
Starting at just £380, our ISO 27001 Packaged Solutions combine all of these resources in fixed-price packages to suit all needs.
Alternatively, please call 0845 070 1750 to talk to us about your ISO 27001 needs.