Changes to ISO 27001 Requirements
Field | Value |
---|---|
ID | RM179 |
Version | 1.1.0 |
Type | Roadmap Item |
Contracting Vehicle(s) | |
Description | A change to ensure continued Supplier certification to the current version of the ISO/IEC 27001 standard. |
Date Added | Oct 10, 2023 |
Standards and Capabilities | Information Governance, Business Continuity and Disaster Recovery, Hosting & Infrastructure |
Change Route | Managed Capacity - Other |
Change Type | Uplift |
Status | Published |
Publication Date | Nov 27, 2024 |
Effective Date | May 27, 2025 |
Incentives / Funding | No |
Incentive / Funding Dates | N/A |
Background
The Business Continuity and Disaster Recovery, Hosting and Infrastructure and Information Governance Standards each contain a requirement for a valid ISO 27001 certificate from a UKAS-registered accreditation organisation, or International Accreditation Forum (IAF) registered accreditation organisation in exceptional circumstances.
Information Governance is the most appropriate Standard to house the requirement. The Information Security team will be taking responsibility for the related assurance. The level of this requirement will be upgraded from a SHOULD to a MUST requirement.
Requirement BC-DR-2 in the Business Continuity and Disaster Recovery Standard has been identified as a duplicate requirement. Therefore, the duplicate requirement will be removed from the Business Continuity and Disaster Recovery Standard.
Requirement ES4.0 in the Hosting and Infrastructure Standard is not always a duplicate of the requirement in Information Governance, as it mandates that the hosting provider holds a valid ISO 27001 certificate. If the Solution's infrastructure is hosted by a third party, a separate ISO 27001 certificate may be required in addition to the one produced as evidence under the Information Governance Standard. This requirement will also be upgraded from a SHOULD to a MUST requirement.
Outline Plan
All Suppliers must be fully compliant by the Effective Date. Suppliers must have completed Solution Assurance by NHSE.
Summary of Change
Information Governance: Requirement GP-IG-16-2 updated
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
---|---|---|---|
All | GP-IG-16-2 | ISO/IEC 27001 Accreditation: A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | SHOULD → MUST |

Business Continuity and Disaster Recovery: Requirement BC-DR-2 removed
Contracting Vehicle(s) | Requirement ID | Requirement Text | Level |
---|---|---|---|
All | BC-DR-2 | BCMS - Information Security aspects of Business Continuity Management: A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances. | SHOULD |

Hosting and Infrastructure: Requirement ES4.0 updated
Applicable Framework(s) | Req. ID | Standard | Name | Description | Level | Evidence |
---|---|---|---|---|---|---|
All | ES4.0 | ISO/IEC 27001 | ISO/IEC 27001 | ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party. | SHOULD → MUST | ISO/IEC 27001 Accreditation |
Full Specification
Assurance Approach
Suppliers to provide updated TMs for review by the Compliance SMEs for the applicable Standards.