New ISO 27001:2013

The International Register of Certificated Auditors (IRCA) publishes INform, an online magazine. Their July 2013 issue summarized the changes expected in the new ISO 27001:2013 edition of the information security standard.

The INform article states that the requirement for all ISO management system standards to adhere to Annex SL has not been a difficult revision for ISO 27001, since it was already a risk-based standard.

The changes to the ISO 27001:2005 standard are highlighted below using the new clause structure of ISO 27001:2013. The change descriptions are based on the article by Colin MacNee.

Clause Changes

1. Scope. 
The Scope of the standard, although reworded and reordered, remains fundamentally the same.

2. Normative references. 
This clause contains the reference to ISO 27000 (see 3, below).

3. Terms and definitions. 
This clause now only contains the reference to ISO 27000. The 16 terms in ISO 27001:2005 have been replaced (in ISO 27000:2012) by 26 unchanged, 16 modified, 4 deleted and 39 new items. The modifications to previous terms are mainly the addition of notes to items such as control and risk. A 2013 edition of ISO 27000 is expected later this year.

4. Context of the organization. 
The determination of external and internal issues (with a new note that reinforces the importance of ISO 31000 risk management), and the needs and expectations of interested parties, are new. The boundaries and applicability of an Information Security Management System (ISMS) now drive the scope. There is no longer an explicit requirement for the process used for the ISMS to be based on the Plan-Do-Check-Act (PDCA) model.

5. Leadership. 
This clause expands the role of top management. No longer is it sufficient for them to be involved with the ISMS policy, objectives and plans, providing resources, and conducting reviews. They have to also align the policy and objectives with the strategic direction of the organization, and direct and support people to contribute to the effectiveness of the ISMS.

6. Planning. 
In addition to the baseline (Annex SL common text) addressing risks and opportunities, the familiar risk assessment and risk treatment (including the Statement of Applicability) content from the 2005 edition appears here.

7. Support. 
This is an accumulation of all supporting activities and the familiar topics of resource provision, competence, and awareness at this clause. The need to communicate internally and externally is new. Although documentation is still here, gone are “documents” and “records”, which have been replaced by “documented information”.

8. Operation. 
The performance of risk assessment and implementation of risk treatment plan is in addition to the baseline information security processes. It is now explicit and clear that risk assessments have to be performed at planned intervals or when something significant either is planned or occurs (a clarification from the 2005 edition).

9. Performance evaluation. 
This clause covers the familiar topics of internal audit and management review. The requirements from 4.2.3 Monitor and Review the ISMS have also moved to this clause.

10. Improvement. 
This clause addresses Corrective Action (8.2 in the old edition). However, gone is the need for a documented procedure. Clause 10 also addresses Continual Improvement (8.1 in the old edition). Preventive Action has been dropped due to the new Planning clause 6 with its focus on risks and opportunities.

Annex Changes

Annex A in ISO 27001:2013 has been changed significantly in layout, and ISO 27002:2013 has been revised to reflect these changes. Although there were only 11 categories of controls in the ISO 27001:2005 edition (clauses 5 to 15, with 39 sub-categories) the annex covered 131 controls. In the 2013 edition, the number of categories has increased to 14 (clauses 5 to 18, with 35 sub-categories), but the number of controls has decreased to 114.


The author, Colin MacNee , concludes his article by saying the requirements of ISO 27001:2005 have been restructured and reordered into the Annex SL framework. He says the standard now has a more logical and evenly balanced layout. The two discipline-specific items (risk assessment and risk treatment) are clear and obvious additions to the generic clauses of 6 (Planning) and 8 (Operation).

The FDIS versions of ISO 27001 and ISO 27002 were published in July. The new 2013 editions are targeted for release on 10/19/13. For more information on the ISO 27001:2013 changes, see the INform article at this IRCA web page.