Comparing ISO/IEC 27001:2013 with ISO/IEC 27001:2005
ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. First and foremost, the revision takes account of practical experience in using the standard: there are now over 17,000 registrations worldwide. Two other major influences shaped the revision. The first is an ISO requirement that all new and revised management system standards conform to the high-level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance to these requirements tends to make all management system standards look the same, with the intention that requirements which are not discipline-specific are worded identically in every management system standard. This is good news for organizations that operate integrated management systems, i.e. management systems that conform to several standards, such as ISO 9001 (quality) and ISO 22301 (business continuity) as well as ISO/IEC 27001. The second influence was a decision to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). Again, this is good news for integrated management systems, as an organization may now apply the same risk assessment methodology across several disciplines.
The result is that, structurally, ISO/IEC 27001:2013 looks very different from ISO/IEC 27001:2005. In addition, there are no duplicate requirements, and the requirements are phrased in a way that allows greater freedom of choice in how to implement them. A good example is that the identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clearer that controls are not selected from Annex A but are determined through the process of risk treatment. Nevertheless, Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.
New concepts have been introduced (or updated) as follows:
| New/updated concept | Explanation |
|---|---|
| Context of the organization | The environment in which the organization operates |
| Issues, risks and opportunities | Replaces preventive action |
| Interested parties | Replaces stakeholders |
| Leadership | Requirements specific to top management |
| Communication | There are explicit requirements for both internal and external communications |
| Information security objectives | Information security objectives are now to be set at relevant functions and levels |
| Risk assessment | Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks |
| Risk owner | Replaces asset owner |
| Risk treatment plan | The effectiveness of the risk treatment plan is now regarded as more important than the effectiveness of individual controls |
| Controls | Controls are now determined during the process of risk treatment, rather than being selected from Annex A |
| Documented information | Replaces documents and records |
| Performance evaluation | Covers the measurement of ISMS and risk treatment plan effectiveness |
| Continual improvement | Methodologies other than Plan-Do-Check-Act (PDCA) may be used |
