Background
The Business Continuity and Disaster Recovery, Hosting and Infrastructure, and Information Governance Standards each require a valid ISO 27001 certificate issued by a UKAS-registered accreditation organisation or, in exceptional circumstances, by an International Accreditation Forum (IAF) registered accreditation organisation.
Previous versions of the Standards stated the level of this requirement as ‘SHOULD’; this is incorrect and needs to be corrected to ‘MUST’.
This Roadmap Item covers the changes required for Business Continuity and Disaster Recovery and Hosting and Infrastructure. The change required for Information Governance is covered in RM183.
Outline Plan
All Suppliers must be fully compliant by the Effective Date. Suppliers must have completed the Solution Assurance by NHSE.
Summary of Change
Business Continuity and Disaster Recovery: Requirement BC-DR-2 updated

Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
---|---|---|---|
All | BC-DR-2 | BCMS - Information Security aspects of Business Continuity Management. A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | MUST |
Hosting and Infrastructure: Requirement ES4.0 updated

Applicable Contracting Vehicle(s) | Req. ID | Standard | Name | Description | Level | Evidence |
---|---|---|---|---|---|---|
All | ES4.0 | ISO/IEC 27001 | | ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. | MUST | ISO/IEC 27001 Accreditation |
Full Specification
The updated Standards will be published at a later date. The proposed changes can be viewed in the Summary of Change above.
Assurance Approach
Assurance is subject to review of the uplifted Traceability Matrix (TM) by the Compliance SMEs for the applicable Standards.