Changes to ISO27001 Requirements
ID | RM179 |
|---|---|
Version | 1.0.0 |
Type | Roadmap Item |
Frameworks |
Description | A change to ensure continued Supplier certification to the current version of the ISO/IEC 27001 standard. |
|---|---|
Date Added | Oct 10, 2023 |
Standards and Capabilities | Business Continuity and Disaster Recovery, Hosting & Infrastructure |
Change Route | Managed Capacity - Other |
Change Type | Uplift |
Status | Draft |
Publication Date | TBC |
Effective Date | TBC |
Incentives / Funding | No |
Incentive / Funding Dates | N/A |
Background
In the Business Continuity and Disaster Recovery, Hosting and Infrastructure and Information Governance Standards, there are requirements for a valid ISO 27001 certificate from a UKAS-registered accreditation organisation, or International Accreditation Forum (IAF) registered accreditation organisation in exceptional circumstances.
Previous versions of the Standard stated that the level of this requirement is a ‘SHOULD’, but in fact this needs to be corrected to ‘MUST.’
This Roadmap Item covers the changes required for Business Continuity and Disaster Recovery and Hosting and Infrastructure. The change required for Information Governance is covered in RM183.
Outline Plan
All Suppliers must be fully compliant by the Effective Date. Suppliers must have completed the Solution Assurance by NHSE.
Summary of Change
Business Continuity and Disaster Recovery: Requirement BC-DR-2 updated |
Applicable Framework(s) | Requirement ID | Requirement Text | Level |
|---|---|---|---|
All | BC-DR-2 | BCMS - Information Security aspects of Business Continuity Management A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | SHOULD must |
Hosting and Infrastructure: Requirement ES4.0 updated |
Applicable Framework(s) | Req. ID | Standard | Name | Description | Level | Evidence |
|---|---|---|---|---|---|---|
All | ES4.0 | ISO/IEC 27001 | ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. | SHOULD must | ISO/IEC 27001 Accreditation |
Full Specification
The updated Standards will be added at a later date. Proposed changes can be viewed in the Summary of Change above.
Assurance Approach
Assurance is subject to review of the uplifted Traceability Matrix (TM) by the Compliance SMEs for the applicable Standards.