The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have today published Technical Corrigendum 2 to the international standard for information security management, ISO 27001:2013. A corrigendum corrects and clarifies the published text; it is not a new edition of the Standard.

Under ISO 27001:2013, organisations need not take their controls exclusively from Annex A, as they had to under the previous iteration of the Standard, ISO 27001:2005. If controls from other sources are used, however, they must be compared with the Annex A controls to verify that no necessary control has been omitted, and the comparison must be documented.

Technical Corrigendum 2 updates Subclause 6.1.3 d) to clarify what the Statement of Applicability (SoA) must contain.

Subclause 6.1.3 now reads:

The organization shall define and apply an information security risk treatment process to:

[…]

d) produce a Statement of Applicability that contains:

– the necessary controls (see 6.1.3 b) and c));
– justification for their inclusion;
– whether the necessary controls are implemented or not; and
– the justification for excluding any of the Annex A controls.

ISO 27001 implementation

IT Governance has been helping organisations implement ISO 27001 for well over a decade, and is your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software to help you implement an information security management system in your organisation.

Starting at just £380, our ISO 27001 Packaged Solutions combine all of these resources in fixed-price packages to suit all needs.

Alternatively, please call 0845 070 1750 to talk to us about your ISO 27001 needs.
