With the deadline approaching for the change of ISO27001 from the 2005 version to the 2013 version, a change that took place two years ago, the world has started to ask a lot of questions. What will change for me? What are the consequences for certification? Will I still be certified? Can I migrate my certificate to 2013? Until when can I be certified against the 2005 version? All over the world, a large number of Information Security Professionals have been writing about these topics, each providing their own views and opinions.
Being able to provide answers to clients and their customers is a necessity. Having to go through an assessment by the accreditation body and answer the assessor’s questions adds to this, and it is quite a challenge if you ask me. Especially since, besides ISO27001, my employer EY CertifyPoint is also accredited for ISO9001, which is due to change next year, and ISO20000, which was changed in 2011. For a certification body, it is not just that one standard which is changing. There are a number of ISO documents changing with it, and we must comply with all of them.
What are the changes?
When an ISO Standard is changed, there are usually changes to both the accreditation requirements and the certification requirements.
What changed from an accreditation perspective?
From an accreditation perspective, the internal operational changes are not that big. The certification body is already accredited to provide certification against the old standard. Therefore, the only ‘proof’ that has to be provided is that the personnel involved have been made aware of the changes in the new standard and are competent to audit against it. However, an assessment must be made of whether other ISO documents have also changed as a result of the introduction of the new standard. For ISO27001, the only document that changed at the same time is the ISO27002 standard, which provides implementation guidance for the so-called Annex A controls of ISO27001:2013.
The external ramifications of such a change are considerably bigger. All clients must be made aware of the change and start creating a transition plan. This prompts a variety of questions from them. The next sections provide some insight into the types of questions that clients raise and the answers we provide to them.
What changed from a certification perspective?
Obviously with a new version, there will be a number of changes. One of the most discussed changes is the removal of the Plan-Do-Check-Act or PDCA Cycle from the Management System. But is the PDCA Cycle completely gone now? No, it simply became Establish, Implement, Maintain and Improve. Different wording but the same principle, perhaps somewhat more ‘professionalized’.
The other primary change is the alignment with other management system standards and, as a result, the adoption of a number of topics:
- Context of the organization and internal and external issues; the actual context in which the organization operates, with a focus on both internal and external stakeholders, has a more prominent place in the management system. Also, potential issues of both these internal and external stakeholders need to be identified and documented as input to the overall risk-based approach.
- Alignment of the risk assessment approach with ISO31000; the risk assessment approach is now less prescriptive than in the 2005 version. Organizations are freer to choose their own approach, as long as they document it.
- Update of the Annex A controls; both the selection of controls and their logical grouping have been updated. Also, a number of controls are no longer included, as they more or less duplicated other controls in Annex A.
Until when can I be certified against the 2005 version?
Some clients started their implementation quite a while ago, in some cases even before the 2013 standard was released. If they are nearly finished with their implementation, they point out that their management system has been implemented in line with the 2005 standard. Changing to the 2013 standard is expected to be a major effort, and therefore they want to know until when they can be certified against the 2005 standard. The official deadline set by the accreditation bodies for this is October 1, 2014; until then, it is allowed to obtain certification based on the old ISO27001:2005 version. After that date, any certification audit must be completed against the ISO27001:2013 standard.
What are the consequences for my current certification?
The good news is that previously issued certificates will remain valid for a period of time. There is, however, a catch regarding when to transition to the new version. Certificates issued under the 2005 standard will remain valid until October 1, 2015. This means that before that date, the currently implemented management system must be migrated to the new standard’s requirements. Once this is completed, any subsequent surveillance audit can be performed against the new standard and the certificate can be migrated to the 2013 version. It is also recommended that any surveillance audit performed after October 1, 2014 be performed against the new standard. This means that if a surveillance audit is planned after that date, your current management system must be upgraded. Certificates on ISO27001:2005 which are valid until after October 1, 2015 but have not been updated by that time will automatically become invalid.
Can I migrate my certificate to 2013?
Yes, it is possible to transition to the new standard and receive an updated version of the certificate. However, the expiration date of the certificate will remain the same, as it is only an updated version of your current certificate issued against the new standard. As mentioned in the previous section, this must be completed before October 1, 2015. From that date onward, it is mandatory for all certified companies to have their ISMS transitioned to the new ISO27001:2013 version.