
Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

What has changed?

Structural Changes

[Diagram: the clause structure of ISO/IEC 27001:2005 beside that of ISO/IEC 27001:2013, both arranged around the Establish ISMS / Implement ISMS / Monitor ISMS / Improve ISMS cycle.]

ISO/IEC 27001:2005:
- Management Responsibility
- Documentation Requirements
- Internal Audit
- Management Review
- Improvement

ISO/IEC 27001:2013:
- Context of the Organization
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement

Structure simplified.

Change highlights
- The structure change is part of the harmonization effort from ISO
- Better alignment with business objectives
- More emphasis on:
  - Risk management
  - Planning
  - Measurement
  - Communication
- The term "documented procedure" is replaced with "documented information" in the body of the standard (clauses 4-10)

Summary of changes

                         ISO/IEC 27001:2005      ISO/IEC 27001:2013
Shall statements         132 (sections 4-8)      125 (sections 4-10)
Annexure A clauses       11                      14
Annexure A categories    39                      35
Annexure A controls      133                     114

Number of requirements reduced.

Summary of changes - Requirements

[Chart: breakdown of the 125 requirements into New, Changed and No Change; segment values shown on the slide: 49, 56, 20. Total: 125]

Summary of changes - Controls

[Chart: breakdown of the 114 controls into New, Changed and No Change; segment values shown on the slide: 13, 38, 50. Total: 114]

4.0 Context of the organization

4.1 Understanding the organization and its context
- Determine the external and internal issues relevant to its purpose and to the ISMS (business risks, opportunities)
- May refer to ISO 31000

4.2 Understanding the needs and expectations of interested parties
- Interested parties relevant to the ISMS (customers, shareholders, regulatory agencies)
- Requirements relevant to the ISMS
- Regulatory requirements

4.3 Determine the scope of the ISMS
- Internal and external issues
- Requirements of interested parties
- Interfaces between organizations

4.4 ISMS
- ISMS requirements

5.0 Leadership

6.0 Planning

7.0 Support

8.0 Operation

9.0 Performance evaluation

10.0 Improvement

Grouping of controls

#      Clauses
A.5    Information security policies
A.6    Organization of information security
A.7    Human resource security
A.8    Asset management
A.9    Access control
A.10   Cryptography
A.11   Physical and environmental security
A.12   Operations security
A.13   Communications security
A.14   System acquisition, development and maintenance
A.15   Supplier relationships
A.16   Information security incident management
A.17   Information security aspects of business continuity management
A.18   Compliance

New and changed controls

A.6 Organization of information security

A.6.1 Internal organization (objective expanded)
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.5 Information security in project management (New)
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy (Changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

New and changed controls

A.9 Access control

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning (New)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights (Changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or

New and changed controls

A.12 Operations security

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems (New)
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.2 Restrictions on software installation (New)
Control: Rules governing the installation of software by users shall be established and implemented.

New and changed controls

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems (objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks (Changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2 Security in development and support processes (objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy (New)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles (New)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment (New)
Control: Organizations shall establish and appropriately protect secure development environments for

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2.8 System security testing (New)
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

New and changed controls

A.15 Supplier relationships

A.15.1 Information security in supplier relationships (New)
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships (New)
Control: Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain (New)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

New and changed controls

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements (combined A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events (New)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents (New)
Control: Information security incidents shall be responded to in accordance with the documented procedures.

New and changed controls

A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities (New)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Helpful guidelines
- ISO/IEC 27002:2013 Code of Practice for Information Security Controls
- ISO 31000:2009 Risk Management Principles and Guidelines
- ISO 27005:2011 Information Security Risk Management
- ISO 27004:2009 Information Security Management Measurement
- ISO 27003:2010 Information Security Management Implementation Guidance

Transition timeline

[Timeline: milestones shown are "ISO/IEC 27001:2013 Released", "Completion of migration to ISO/IEC 27001:2013" and "ISO/IEC 27001:2005 Sunset"; dates marked on the slide: 10/01/2013, 10/01/2014, 10/01/2015.]

Audit days required for transition
- A Stage 1 review is required to assess readiness.
- The audit days required for a re-certification audit (per ISO 27006) shall be used.
- Organizations can upgrade to the new standard during their surveillance audit cycle.
- Organizations must plan for their transition audit before August 2015.
