Transition to ISO/IEC 27001:2013


With this news communication, RvA introduces its transition policy towards the implementation of this new standard.

Per October 1, 2013, ISO published the new ISO/IEC27001: 2013. Based on this event, IAF in its meeting in Seoul, resolved as follows:

“IAFResolution 2013–13 – (Agenda Item 8) Endorsement of ISO/IEC 27001:2013 - TheGeneral Assembly, acting on the recommendation of the Technical Committee,resolved to endorse ISO/IEC 27001:2013 Information technology - Securitytechniques - Information security management systems – Requirements, as anormative document.

The General Assembly further agreed that the deadline for conformance to ISO/IEC 27001:2013 will be two years from the date of publication. One year after publication of ISO/IEC 27001:2013, all new accredited certifications issued shall be to ISO/IEC 27001:2013.

Note: As the date of publication was 1 October 2013, the deadline for Certification Bodies to conform will be 1 October 2015.”

Considering the nature of the changes, the CB’s who have already been accredited by RvA for certification in accordance with ISO/IEC 27001: 2005, may apply this new standard under accreditation per direct (i.e. without prior approval by RvA).The RvA will, during the first regular surveillance or re-assessment give extra attention to the introduction of the new standard. The following points will receive specific focus:

  • Did the CB adequately train her auditors with respect to the new requirements ofthe standard;
  • Did the CB adequately adapt its competence requirements (ánd evaluation) tothe new standard (extra attention will be given to “technical area” competence);
  • Did the CB establish a transition plan for its clients, which ensures that all newcertifications, issued after October 1, 2014, shall be issued to the newstandard, and that also ensures that all existing certificates have beentransferred to the new standard before October 1, 2015;
  • Did the CB adapt its working methods (instructions, templates, checklists) to the new requirements;
  • During witness assessments, special attention will be given to an appropriate methodof assessing the “risk analysis”, the“statement of applicability” and the “ISMS Policy”.
The specific accreditation protocol (RvA SAP-C010) is revised with this transition policy.