Powered by
Share this page on
Article provided by Wikipedia

See also: "ISO/IEC 27001:2005

The 2013 standard puts more emphasis on measuring and evaluating how well an organization's ISMS is performing,[6] and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT.[7] It does not emphasize the "Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like "Six Sigma's "DMAIC method can be implemented.[8] More attention is paid to the organizational context of information security, and risk assessment has changed.[9] Overall, 27001:2013 is designed to fit better alongside other management standards such as "ISO 9000 and "ISO/IEC 20000, and it has more in common with them.[10]

New "controls:


Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important but little understood change in the new version of ISO 27001 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.

There are now 114 controls in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups.[11]

The new and updated controls reflect changes to technology affecting many organizations - for instance, cloud computing - but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.[4]


  1. ^ "ISO/IEC 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements". "International Organization for Standardization. Retrieved 27 January 2015. 
  2. ^ "ISO - ISO Standards - ISO/IEC JTC 1/SC 27 - IT Security techniques". "International Organization for Standardization. Retrieved 27 January 2015. 
  3. ^ Zhou, James (March 2011). "ISO 27001 Information Security Management". "Nanyang Technological University. Retrieved 27 January 2015. 
  4. ^ a b Breslin, Paul (14 March 2014). "Security updates: The upcoming revision of ISO/IEC 27001". DNV Business Assurance. Retrieved 27 January 2015. 
  5. ^ "ISO/IEC 27001:2013(en) Table of Contents". ISO.org. ISO. Retrieved 11 December 2015. 
  6. ^ Herbert, Chantall (3 June 2014). "More changes ahead…..ISO 27001:2005 Information Security Management Standard". QSL. Retrieved 27 January 2015. 
  7. ^ "ISO 27001 update is around the corner". British Assessment Bureau. 14 May 2013. Retrieved 27 January 2015. 
  8. ^ "Update to ISO 27001 Planned for 2013". Dionach. 25 January 2011. Retrieved 27 January 2015. 
  9. ^ "BS ISO/IEC DIS 27001 (Draft ISO27001 2013)". IT Governance. Archived from the original on 1 May 2013. Retrieved 2 July 2013. 
  10. ^ Mackie, Ryan (2 April 2013). "ISO 27001:2013 – Understanding the New Standard". The Pragmatic Auditor. Retrieved 27 January 2015. 
  11. ^ "The new versions of ISO/IEC 27001 and 27002 are now Final Draft International Standards". Gamma. Retrieved 27 January 2015. 
) )