ISO/IEC 27001:2005 to ISO/IEC 27001:2013: What has changed?
Structural Changes

ISO/IEC 27001:2005 (PDCA-based structure, clauses 4-8):
  4  ISMS: establish ISMS, implement ISMS, monitor ISMS, improve ISMS; documentation requirements
  5  Management responsibility
  6  Internal audit
  7  Management review
  8  Improvement

ISO/IEC 27001:2013 (structure simplified, clauses 4-10):
  4  Context of the organization
  5  Leadership
  6  Planning
  7  Support
  8  Operation
  9  Performance evaluation
  10 Improvement
Change highlights
- The structural change is part of ISO's harmonization effort: the 2013 edition follows the common high-level structure (Annex SL) shared by other ISO management system standards, so an ISMS can be integrated more easily with other management systems.
- Better alignment with business objectives.
- More emphasis on: risk management, planning, measurement, communication.
Summary of changes

                        ISO/IEC 27001:2005      ISO/IEC 27001:2013
Shall statements        132 (clauses 4-8)       125 (clauses 4-10)
Annex A clauses         11                      14
Annex A categories      39                      35
Annex A controls        133                     114

The number of requirements has been reduced.

Chart: breakdown of the 125 shall statements in 2013 into new, changed and unchanged; the values shown are 49, 56 and 20 (total 125).
Chart: breakdown of the 114 Annex A controls in 2013 into new, changed and unchanged; the values shown are 13, 38 and 50. Note that these sum to 101, not the stated total of 114, so the chart as reproduced here is incomplete.
Clause 4: Context of the organization

Interested parties (customers, shareholders, regulatory agencies) provide the inputs to two sub-clauses:
  4.1 Understanding the organization and its context: business risks and opportunities.
  4.2 Understanding the needs and expectations of interested parties: which interested parties are relevant to the ISMS, their requirements relevant to the ISMS, and regulatory requirements.

These feed:
  4.3 Determining the scope of the ISMS, which yields the ISMS requirements.
  4.4 The information security management system itself.

The ISMS is then driven by the remaining clauses:
  5  Leadership
  6  Planning
  7  Support
  8  Operation
  9  Performance evaluation
  10 Improvement
Grouping of controls (Annex A clauses in ISO/IEC 27001:2013)

A.5   Information security policies
A.6   Organization of information security
A.7   Human resource security
A.8   Asset management
A.9   Access control
A.10  Cryptography
A.11  Physical and environmental security
A.12  Operations security
A.13  Communications security
A.14  System acquisition, development and maintenance
A.15  Supplier relationships
A.16  Information security incident management
A.17  Information security aspects of business continuity management
A.18  Compliance
Each Annex A clause is divided into categories, each with a stated objective, for example:

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
Examples of new and changed controls

A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning (New)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights (Changed)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or
A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6.2 Restrictions on software installation (New)
Control: Rules governing the installation of software by users shall be established and implemented.
A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
A.14.2.1 Secure development policy (New)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles (New)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment (New)
Control: Organizations shall establish and appropriately protect secure development environments for

A.14.2.8 System security testing (New)
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
A.15.1.1 Information security policy for supplier relationships (New)
Control: Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain (New)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
A.16.1.4 Assessment of and decision on information security events (New)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents (New)
Control: Information security incidents shall be responded to in accordance with the documented procedures.

A.17.2.1 Availability of information processing facilities (New)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Helpful guidelines
- ISO/IEC 27002:2013 Code of practice for information security controls
- ISO 31000:2009 Risk management: Principles and guidelines
- ISO/IEC 27005:2011 Information security risk management
- ISO/IEC 27004:2009 Information security management: Measurement
- ISO/IEC 27003:2010 Information security management system implementation guidance
Transition timeline (dates are mm/dd/yyyy)

10/01/2013  ISO/IEC 27001:2013 released
10/01/2014  midpoint of the two-year transition period
10/01/2015  completion of migration to ISO/IEC 27001:2013; ISO/IEC 27001:2005 sunset