The document discusses the key differences between ISO 27001:2013 and the previous 2005 version. Some major changes include a new structure aligned with other standards, expanded risk assessment requirements, greater focus on measurement and evaluation of ISMS performance, new requirements around outsourcing, and controls grouped in a more logical way. The 2013 version aims to better integrate with other management standards and focuses more on organizational context, leadership commitment, and risk-based thinking.

1. ISO 27001 : 2013
How it is different?

2. Structure of the Standard
Official Title:
"Information technology— Security techniques — Information
security management systems — Requirements".
Major Changes:
• This structure mirrors the structure of other new management standards such as
ISO 22301 (business continuity management)
• Helps organizations who aim to comply with multiple standards, to improve their IT
from different perspectives
• Annexes B and C of 27001:2005 have been removed.
• New term introduced of Risk Owners

3. 27001:2013 Standard
1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.
27001:2013 Standard has ten short clauses, plus a long Annex A

4. Generic Changes from ISO 27001:2005 standard
• Puts more emphasis on measuring and evaluating how well an organization's ISMS is
performing
• New section on Outsourcing
• Does not emphasize the Plan-Do-Check-Act cycle.
• More attention is paid to the organizational context of information security.
• Risk assessment has changed.
• It is designed to fit better alongside other management standards such as ISO 9000
and ISO 20000, and share many common features with them.

5. Important changes w.r.t ISO 27001:2005
• The revised standard has been written using the new high level structure, Annex SL
which is common to all new management systems standards. This will allow easy
integration when implementing more than one management system
• Risk assessment requirements have been aligned with BS ISO 31000
• Management commitment requirements have a focus on “leadership”
• Preventive action has been replaced with “actions to address, risks and
opportunities”
• SOA requirements are similar, with more clarity on the need to determine controls by
the risk treatment process
• Controls in Annex A have been modified to reflect changing threats, remove
duplication and have a more logical grouping.
• Stress on maintaining documented information, rather than information record
• Greater emphasis is on setting objectives, monitoring performance and metric

6. New controls – Annex A
•
•
•
•
•
•
•
•
•
•
•
A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment
plan; an important part of this is choosing appropriate controls.

7. New Concepts Introduced

8. In which clauses we need “Documented Information” ?

9. Mapping of clauses in ISO 27001 (2005 and 2013)

10. Mapping of clauses in ISO 27001 (2005 and 2013) (contd..)

11. Mapping of clauses in ISO 27001 (2005 and 2013) (contd..)

12. Control List – Annex A (A.5 – A.18) of ISO 27001:2013
A.5: Information security policies
A.6: Organization of information security
A.7: Human resource security
A.8: Asset management
A.9: Access control
A.10: Cryptography
A.11: Physical and environmental security
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Information security aspects of business continuity management
A.18: Compliance
These controls, and control objectives, are listed in Annex A, although it is also possible
for organizations to pick other controls elsewhere.
There are now 114 controls in 14 groups; the old standard had 133 controls in 11 groups.

13. Questions to Brainstorm
Q1. Why do I need to implement ISMS?
Q2. What can ISMS offer me which I won’t get otherwise without implementation?
Q3. Why Context of Organization is important in ISO 27001:2013
Q4. What exactly do you mean by “requirement” mentioned in the standard?
Q5. Can I reduce the scope of ISMS implementation to certify a part of my organization?
Q6. What is difference between “achieving conformance” and “getting compliant”?
Q7. Can PDCA cycle can be used in 27001:2013 ?
Q8. Is asset based approach of risk assessment in 2013 version still applicable as it was
during 2005 standard? Can you elaborate?