The 2013 standard puts more emphasis on measuring and evaluating how well an organization's ISMS is performing, and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. It does not emphasize the "Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like "Six Sigma's "DMAIC method can be implemented. More attention is paid to the organizational context of information security, and risk assessment has changed. Overall, 27001:2013 is designed to fit better alongside other management standards such as "ISO 9000 and "ISO/IEC 20000, and it has more in common with them.
Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important but little understood change in the new version of ISO 27001 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.
There are now 114 controls in 14 groups and 35 control objectives; the 2005 standard had 133 controls in 11 groups.
The new and updated controls reflect changes to technology affecting many organizations - for instance, cloud computing - but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.