ISO 27001: 2013 differences from ISO 27001:2008

ISO 27001: 2013 differences from ISO 27001:2008

In October 2013 ISO launched the new edition of the 27001 Information security management standard. The major change of the Information Security Management standard is the structure. The new ISO/IEC 27001:2013 has been developed in accordance with Annex SL of the ISO directives which provides a standardized text suitable for all management system standards. The new structure of the standard is to become common to all management system standards. The goal is to have a common terminology and requirements for General management system requirements. Despite the fact that the new standard has more sections than the old one, it is for the implementers. It is logically more conceivable. The summary comparison between the structures of the old and new versions is presented in the table:

27001:2005 (Old) 27001:2013 (New)
 0. Introduction  0. Introduction
 1. Scope  1. Scope
 2. Normative References  2. Normative References
 3. Terms and definitions  3. Terms and definitions
 4. Information security management system  4. Context of the Organization
 5. Management responsibility  5. Leadership
 6. Internal ISMS Audit  6. Planning
 7. Management review of the ISMS  7. Support
 8. ISMS improvement  8. Operation
Annex A(normative) Control Objectives and controls  9. Performance Evaluation
Annex B (informative) OECD principles and this international Standard 10. Improvement
Annex C (informative) Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard Annex A (normative) Control Objectives and controls


What are the ISO27001:2013 Key Changes?

The key changes and main differences between standards are:

  • The cycle of Plan-Do-Check-Act has been changed compared to 27001:2005,
  • The Section of Terms and definitions has been removed and the definitions that are still relevant have been transferred to 27000,
  • There are some general changes in terminology: for instance Information security policy is used instead of ISMS policy though the original requirements still persist,
  • The requirements for Commitments have been reviewed and included in the Leadership Clause which summarizes the requirements specific to top management roles in the ISMS,
  • A Planning section has been added which relates to establishment of Information security objectives and guiding principles for the ISMS. The organization information security objectives must be clearly defined with plans in place to achieve them,
  • The term Preventive Action 8.3 has been removed and instead a new clause has been added “Actions to address risks and opportunities” which describes the actions needed for prevention.
  • The requirements of risk assessment are more brief and generalized and become closer to ISO 31000. The changes are designed to make it easier for organizations to choose a methodology from the wide range.
  • The new standard refers to documented information rather than documents and records and requires that they be retained as evidence of competence. There is no longer a list of documents the organizations must provide or particular names those must be given. The new standard emphasizes the content but not the name,
  • Greater attention to the objectives, monitoring of performance and metrics. The new requirements for the measurement of effectiveness are more specific and differ from the 2005 which referred to effectiveness of controls,
  • The logical grouping of controls in the Annex A are modified and some more controls have been added. The added controls are following:

o   A.6.1.5 Information Security in project management

o   A.12.6.2 Restrictions on software installation

o   A.14.2.5 Secure development policy

o   A.14.2.6 Secure development environment

o   A.14.2.8 System security testing

o   A.15.1.1 Information security policy for supplier relationships

o   A.15.1.3 Information and communication technology supply chain

o   A.16.1.4 Assessment of and decision on information security events

o   A.16.1.5 Response to information security incidents

o   A.17.2.1 Availability of information processing facilities

Leave a Reply

    Twitter not configured.