The release of ISO 27001:2013 last month (replacing ISO 27001:2005) has not only sparked interest in the updated information security standard, but also raised confusion levels to a new high. These are some of the questions we’ve been inundated with over the past couple of weeks:
- What are the new changes to the 2013 standard?
- How will they affect me and my organisation?
- How long is the transition period?
- If I am ready to certify now, which version should I go for?
- I’m new to ISO 27001; how do I choose which version to go for?
To help clarify things and reduce those blood pressure levels, we’ve developed a pathway to help you find out which ISO 27001 route you should take:
I’m interested in the new version ISO 27001:2013
ISO 27001:2013, the updated best practice requirements for an information security management system (ISMS), will help you develop a world-class ISMS to protect your information assets. This updated standard is revolutionary in that it has been designed to be easy for newcomers to implement, whilst also making it easy to convert from ISO 27001:2005 to ISO 27001:2013.
One of the key benefits of embarking on ISO 27001:2013, whether you are new to ISO 27001 or are following the transition route from ISO 27001:2005, is that your organisation could be one of the first to receive certification against the new standard.
I’m looking to implement ISO 27001 – which version should I go for?
Currently, there is no certification scheme available for ISO 27001:2013, and it is anticipated that a certification scheme may only be launched in early 2014. Therefore we recommend you get certified to ISO 27001:2005.
However, if you are new to the standard and know it will take you over a year to get senior management approval and to start implementing, then you should look more closely at ISO 27001:2013.
The decision of which version to go for really depends on what timescale you’re looking at to implement the requirements.
I’m already ISO 27001:2005 certified – what do I need to do about transitioning to ISO 27001:2013?
Currently, no accredited certification scheme exists (anywhere in the world) that allows companies to apply for or receive ISO 27001:2013 certification from an accredited certification body. At the moment, timelines aren’t clearly defined as to when organisations can receive certification to the new standard, but it is expected to be in the early part of 2014.
If you currently hold ISO 27001:2005 certification, then you have an estimated period of 24 months to transition to the new standard once accreditation for the 2013 version of the standard is available.
UKAS, the UK national accreditation body, is the only UK-based organisation that can accredit certification bodies to issue ISO 27001:2013 certificates.
To answer some of the questions above in more depth, we have also published a series of ISO 27001:2013 green papers:
- Comparing ISO 27001:2005 to ISO 27001:2013
- ISO 27001:2013 Technical guidance for transitioning from ISO 27001:2005
- Preparing for ISO 27001:2013