
ISO 27001 Consulting

Transition from ISO 27001:2005 to 27001:2013
A new version of the standard, ISO/IEC 27001:2013, was published on 25 September 2013 and replaces ISO/IEC 27001:2005. Certification bodies operated a two-year transition period, ending 1 October 2015, during which organisations had to align their ISMS with the new edition and be re-certified against ISO 27001:2013; existing 2005 certificates lapsed at the end of that period.

The new standard looks different from its predecessor, but an organisation already certified against ISO 27001:2005 should be able to migrate to it without rebuilding its ISMS. There were three reasons for the changes: to give all ISO management system standards the same high-level structure (the Annex SL structure, shared with standards such as ISO 9001), to align the risk requirements of ISO 27001 with the ISO 31000 risk management family, and to update the controls in Annex A.

In terms of ISMS controls, ISO/IEC 27001:2005 had 133 controls classified under 11 domains (A.5 to A.15). ISO/IEC 27001:2013 has 114 controls classified under 14 domains (A.5 to A.18); several 2005 controls were merged or dropped and new ones added, so the mapping is not one-to-one. Refer to Annex A of ISO 27001:2013 for the full list of domains and controls.

In terms of the management clauses, ISO/IEC 27001:2005 had eight main clauses.

ISO 27001:2013 has 10 main clauses, listed below. Clauses 1 to 3 are introductory; the auditable requirements of the ISMS are in clauses 4 to 10, and none of these may be excluded from the scope of certification.
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement
(Courtesy: ISO)

ISO 27001:2013 Mandatory documents
The following documents are required by ISO 27001:2013. Note that the 2013 edition uses the single term "documented information" for both documents and records, and that the items referenced to Annex A below are mandatory only where the corresponding control has not been excluded in the Statement of Applicability:
  1. Scope of the ISMS (clause 4.3)
  2. Information security policy and objectives (clauses 5.2 and 6.2)
  3. Risk assessment and risk treatment methodology (clauses 6.1.2 and 6.1.3)
  4. Statement of Applicability (clause 6.1.3 d)
  5. Risk treatment plan (clauses 6.1.3 e and 6.2)
  6. Risk assessment report (clause 8.2)
  7. Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  8. Inventory of assets (clause A.8.1.1)
  9. Acceptable use of assets (clause A.8.1.3)
  10. Access control policy (clause A.9.1.1)
  11. Operating procedures for IT management (clause A.12.1.1)
  12. Secure system engineering principles (clause A.14.2.5)
  13. Supplier security policy (clause A.15.1.1)
  14. Incident management procedure (clause A.16.1.5)
  15. Business continuity procedures (clause A.17.1.2)
  16. Statutory, regulatory, and contractual requirements (clause A.18.1.1)

ISO 27001:2013 Mandatory Records
The records required by ISO 27001:2013 are listed below; as with the documents above, the Annex A items apply where the corresponding control is included in the Statement of Applicability:
  1. Records of training, skills, experience and qualifications (clause 7.2)
  2. Monitoring and measurement results (clause 9.1)
  3. Internal audit program (clause 9.2)
  4. Results of internal audits (clause 9.2)
  5. Results of the management review (clause 9.3)
  6. Results of corrective actions (clause 10.1)
  7. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)