» Transition to ISO/IEC 27001: 2013 – Updated June 2014

09 June, 2014

This bulletin provides updated information regarding the requirements for transition of Certification Bodies offering ISMS certification under ISO/IEC 17021: 2011 from ISO/IEC 27001: 2005 to ISO/IEC 27001: 2013. The bulletin follows on from the letter sent to Certification Bodies on 7th October 2013.

Transition Requirements.

IAF has issued a resolution with regards to the transition, this is worded as follows:

“The General Assembly, acting on the recommendation of the Technical Committee, resolved to endorse ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements, as a normative document. The General Assembly further agreed that the deadline for conformance to ISO/IEC 27001:2013 will be two years from the date of publication.   One year after publication of ISO/IEC 27001:2013, all new accredited certifications issued shall be to ISO/IEC 27001:2013.

Note: As the date of publication was 1 October 2013, the deadline for Certification Bodies to conform will be 1 October 2015.”

As previously stated, all UKAS ISMS assessments from January 2014 will be to the 2013 standard while still taking the 2005 standard into account; exising accreditation to the 2005 standard remains valid, subject to successful surveillance, until transition is achieved.

Once accredited for new requirements, CBs should move to transition their certified clients and, as previously stated, should carry out transition audits at the next scheduled visit. CBs may choose to audit their clients to the 2013 standard prior to gaining accreditation but please note that no accredited certificate shall be issued against ISO/IEC 27001:2013 until accreditaiton is achieved, and for the maintenance of accredited certification to ISO/IEC 27001:2005 to remain valid audits against that criteria are required. Where unaccredited certificates have been issued, CBs should carry out a review of each case once accreditation has been achieved to ensure that the certification is still valid. This review shall take into account any changes to the CB's systems resulting form the transition process.

UKAS will not accept any further applications of accreditation for certification to ISO/IEC 27001:2005 after 1st January 2014. Scope extensions for existing ISMS accredited CBs that have not yet achieved transition will be accepted up until the end of April 2015.

As stated in the IAF resolution, CBs should not issue any new accredited certificates to ISO/IEC 27001: 2005 after the end of September 2014. Recertification’s can continue to be issued until the transition deadline but noting that, as stated above, CBs should look to transition their clients promptly and carrying out transition audits at the next scheduled visit to each certified client,UKAS Transition Assessment Process

The UKAS transition assessments will be carried out at the Certification Body’s site, whether this be the head office or another location responsible for ISMS.

Prior to the assessment, as part of the planning process, the CB will be asked to provide information regarding how they have ascertained the nature of the changes in the new version of the standard and how they have planned and undertaken implementation.

Evidence of implementation must include all locations from which the CB is offering UKAS accredited ISMS certification including overseas locations.

The UKAS assessment process will include, but not be limited to: -

  • Review of implementation evidence as above and supporting records
  • Review of the updated competence definitions taking account of the 2013 standard.
  • Review of competence demonstration
  • Review of available resource to deliver certification to ISO/IEC 27001: 2013

As part of the transition assessment UKAS will interview a sample of contract reviewers, auditors and decision makers in order to verify the effectiveness of the competence system. Such interviews may be carried out face to face, by video conference or telephone conference from the CB head office. Interviews will determine the person’s knowledge of the requirements of ISO/IEC 27001:2013 as well as its implementation in the relevant sectors/scopes.

If you have any queries regarding this bulletin, please contact the UKAS Technical Manager - Kevin Belson at kevin.belson@ukas.com