Changes to ISO 27001: What’s new in the 2013 ISO 27001 update?

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee. It is a specification for an information security management system (ISMS).

The recent standard ISO 27001:2013 replaced the ISO 27001:2005 standard.

The significant changes are listed below:

Section 4: Context of the Organisation

  • Greater emphasis on the internal and external factors that affect the organisation’s ability to achieve its security objectives

Section 5: Leadership

  • More rigorous expectations of management
  • Top management must ensure that ISMS requirements are integrated into the organisation’s processes across its various functions

Section 8: Operations

  • Risk assessment simplified and aligned with ISO 31000
  • Risk can now be determined on the basis of processes, technology, etc., without mapping them to assets, threats and vulnerabilities

General Changes

  • More emphasis on measuring and evaluating how well the organisation’s ISMS is performing
  • Preventive action is now part of the PLAN phase and integrated with the information security risk assessment
  • Controls in Annex A have been modified to reflect changing threat scenarios, duplications have been removed, and the controls are better grouped
  • Separate section for cryptography
  • More emphasis on outsourcing, hence a new section on supplier relationships

Annex A – New Controls

  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities

ISO 27001:2013 – Bird’s Eye View

[Figure: 2013 ISO 27001 updates overview]

Deepesh Kumar

An information security risk management professional backed by knowledge of ITIL, ISO/IEC 27001 & 27002, ISO 22301, ISO 29100, CISSP, PMP, COBIT, CHFI and IS/IT audits. Working in ANZ as a Security Consultant, and CISSP, PMP, CHFI and ISO 27001 LA certified.
