ISO 27001: 2013 was released in September 2013

Here are some of the high-impact changes:

Change 1 – Standard is closer to enterprise risk management. The fact that information protection cannot remain aloof from organisation risk is well articulated in the new standard and is reflected in almost each management section clauses.

Change 2 – There is an insistence on understanding information from a business perspective. References of enterprise ‘context’ in the new standard means that you see information from a business success or failure. Equally important is identification of external and internal issues in the success and failure of information security management.

Change 3 – Scope definition is derived from organisation context rather than merely  a physical or a logical boundary. In the iso 27001 – 2005  standard you could chose a subset of the organisation as a scope (such as Information technology team) but in the new standard merely picking up a team for scope may be difficult as thus has to be aligned with business strategy. Leaving a strategic team facing customer may not therefore be easy and therefore MUST be included in the scope statement.

Change 4 – Replacement of ‘Management commitment’ with ‘ Leadership’ – again an alignment with ISO 31000. In the past certain organizations have has CIOs signing the information security policy, this would be a thing of the past with the new standard.

Change 5 – Risk assessment and risk treatment – the foundation of the subject – are clearer, elaborate and more objective. A section of information security objectives is very specific:

‘When planning how to achieve its information security objectives, the organization shall determine:

what will be done
what resources will be required
who will be responsible
when it will be completed
how the results will be evaluated

Change 6 – clause 9 – performance evaluation covers three essential topics, namely

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

The alignment of this three issues is unique and gives more teeth to the implementation. For clause 9.1 the organisation needs to define what they need to measure and monitor as the management system level. Clause 9.2 – internal audit then focuses on those specific measurements, and clause 9.3 – management review is further aligned to review the performance based on the  audit results.

Change 7 – Changes in domains, control objectives and detail controls

In Annex A there will be 14 domains, 35 control objectives and 114 detail controls. The number of domains have increased however the total number of controls have reduced, the latter is an optimisation effort. The grouping of earlier clauses seems to make a lot more sense.

Some of the main clauses which are either new or are more specific in the new standard:

A.6.1.4 Information security in project management – this is a new clause, consider security every time you do a project;
A.6.2.1 Mobile device policy – more specific in ISO 27001: 2013 compared to ISO 27001: 2005
A.8.3.3 Physical media transfer – more specific in ISO 27001: 2013 compared to ISO 27001: 2005
A.9.2.1 User registration and de-registration – more specific in ISO 27001: 2013
A.9.2.3 Management of secret authentication information of users – this focuses on handling sensitive authentication data such as a password
A.9.2.5 Removal or adjustment of access rights – considers ‘adjustment’ of access
A.9.3.1 Use of secret authentication information – insistence on a procedure and awareness
A.9.4.4 Use of privileged utility programs – new name to the older clauses ‘use of system utilities’ in the previous standard
A.13.2.1 Information transfer policies and procedures – new name to the older clause ‘policy on exchange of information’
A.14.1.1 Security requirements analysis and specification – more elaborate clause description compared to the previous standard
A.14.1.2 Securing applications services on public networks – more specific in ISO 27001: 2013 compared to ISO 27001: 2005
A.14.1.3 Protecting application services transactions – more specific in ISO 27001: 2013 compared to ISO 27001: 2005
A.14.2.1 Secure development policy – seeks to cover security in the entire development lifecycle, clearer more specific
A.14.2.6 Secure development environment – this is a new clause
A.14.2.8 System security testing – this is a new clause
A.15 Supplier relationships – this is a new domain
A.15.1.1 Information security policy for supplier relationships – this is a new clause
A.15.1.2 Addressing security within supplier agreements – this is a new clause
A.15.1.3 ICT supply chain – this is a new clause
A.16.1.4 Assessment and decision of information security events – part of incident management this section is clearer
A.16.1.5 Response to information security incidents – part of incident management this section is more specific to an escalation procedure
A.17.1 Information security continuity – removes the ambiguity of the previous standard – clearly focuses on protection during continuity
A.17.2.1 Availability of information processing facilities – part of A.17 Redundancy clause – this is a new requirement


Some of the major changes seem to be ‘alignment with business strategy’, a comprehensive ‘measurable framework’, ‘inclusion of supply chain management’, ‘secure development life cycle’ and a focused incident response process.

ISO 27001: 2013 is released in September 2013, consider migrating for implementing the best practices. If you are currently certified to iso 27001 – 2005 you have time till September 2015 to migrate.

Hope this helps!

Considering migrating to iso 27001 – 2013?

Author : Probal C