Users, including certified organisations, certification bodies and their auditors, and National Accreditation Bodies, should be aware of amendments made by way of corrigenda to ISO/IEC 27001:2013 and ISO/IEC 27002:2013.
It is not often that ISO issues corrigenda (or amendments) to published International Standards; they are used to correct an error that has been highlighted after publication.
Two corrigenda have been published for each of the International Standards ISO/IEC 27001:2013 and ISO/IEC 27002:2013, as follows:
ISO/IEC 27001:2013
Technical Corrigendum 1 – ISOIEC 27001-2013Cor.1-2014(en)
This amendment relates to the text of control A.8.1.1, which should now read:
Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Technical Corrigendum 2 – ISOIEC 27001-2013Cor.2-2015(en)
This amendment relates to the text of sub-clause 6.1.3 d), which should now read:
d) produce a Statement of Applicability that contains:
- the necessary controls (see 6.1.3 b) and c));
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
ISO/IEC 27002:2013
Technical Corrigendum 1 – ISOIEC 27002-2013Cor.1-2014en
This amendment relates to the Implementation Guidance text of two sub-clauses, 7.1.2 c) and 8.1.3, and to the Control text in 8.1.1, which should now read:
Implementation Guidance (7.1.2)
…….
c) responsibilities for the classification of information and management of organizational information, other assets associated with information, information processing facilities and information services handled by the employee or contractor (see Clause 8)
Implementation Guidance (8.1.3)
Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization’s information, other assets associated with information and information processing facilities and resources.
Control (8.1.1)
Information, other assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.
Technical Corrigendum 2 – ISOIEC 27002-2013Cor.2-2015en
This amendment relates to the Implementation Guidance text of sub-clause 14.2.8, which should now read:
Implementation Guidance (14.2.8)
New and updated systems require thorough testing and verification during the development processes, including the preparation of a detailed schedule of activities and test inputs and expected outputs under a range of conditions. For in-house developments, such tests should initially be performed by the development team. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure that the system works as expected and only as expected (see 14.1.1 and 14.2.9). The extent of testing should be in proportion to the importance and nature of the system.