ISO/IEC 27001:2013 is an information security standard that was published in September 2013 It supersedes "ISO/IEC 27001:2005, and is published by the "International Organization for Standardization (ISO) and the "International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, "ISO/IEC JTC 1/SC 27. It is a specification for an "information security management system (ISMS). Organizations that meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance "audit.
The official title of the standard is: "Information technology — Security techniques — Information security management systems — Requirements"
ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:
This structure mirrors other management standards such as ISO 22301 (business continuity management); this helps organizations comply with multiple management systems standards if they wish. Annexes B and C of 27001:2005 have been removed.
The 2013 standard puts more emphasis on measuring and evaluating how well an organization's ISMS is performing, and there is a new section on "outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. It does not emphasize the "Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like "Six Sigma's "DMAIC method can be implemented. More attention is paid to the organizational context of information security, and risk assessment has changed. Overall, 27001:2013 is designed to fit better alongside other management standards such as "ISO 9000 and "ISO/IEC 20000, and it has more in common with them.
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important but little understood change in the new version of ISO 27001 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.
There are now 114 controls in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups.
The new and updated controls reflect changes to technology affecting many organizations - for instance, "cloud computing - but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.