2. Inspiring Excellence
about the e-book
This e-book has been prepared to show the changes introduced in the ISMS standard ISO 27001:2013 with respect to ISO 27001:2005.
In ISO 27001:2013, a few controls have been removed because they were ambiguous or duplicated other controls. A few new controls have been added, and some existing controls have been separated out into their own domains. ISO 27001:2005 had 133 controls in 11 domains; the revised ISO 27001:2013 has 114 controls in 14 domains.
www.verde.co.in
New ISO 27001:2013
WHAT HAS CHANGED?
Comparison
                                   ISO 27001:2005    ISO 27001:2013
Number of sections in Annexure A         11                14
Number of controls in Annexure A        133               114
Requirements
New requirements:
• Risk Owners (6.1.2c)
• Interested Parties (4.2)
Old requirements:
• Preventive Action
• Document Control
• Annex B
• Annex C
Information Security Management System
Degree of Change
MAJOR
• Interested Parties
• Objectives, Monitoring & Measurement
• Risk Assessment and Treatment
MODERATE
• ISMS Scope
• Information Security Policy
• Communication
• Document Management
• Annex A Controls
SMALL
• Leadership and Commitment
• Statement of Applicability
• Human Resource Management
• Internal Audit
• Management Review
• Corrective Action

New Security Controls
• Information Security in Project Management (A.6.1.5)
• Security Development Policy (A.14.2.1)
• Security System Engineering Principles (A.14.2.5)
• Security Development Environment (A.14.2.6)
• System Security Testing (A.14.2.8)
• Assessment of and Decision on Information Security Events (A.16.1.4)
• Availability of Information Processing Facilities (A.17.2.1)
WHY THE CHANGE?
The transition to ISO 27001:2013 is in accordance with Annex SL. Annex SL defines the framework for a generic management system. All new ISO management system standards (e.g. ISO 22301) adhere to this framework, and all current management system standards will migrate to it at their next revision (e.g. ISO 9001 & ISO 14001 in 2015).
Another reason for the change is to remove the ambiguity between standards. It gives all the standards the same ‘look and feel’ (with the exception of Section 8, Operations, which remains product specific).
This should ensure consistency and compatibility, especially for clients with more than one management system. A major benefit is that less time may be required during certification for an organization whose multiple management systems are fully integrated.
Change in the clauses

ISO 27001:2005 mandatory clauses
Clauses 0-3 provide background and definitions.
Clauses 4-8 provide the mandatory requirements:
• Clause 4: Information security management system
• Clause 5: Management responsibility
• Clause 6: Internal ISMS audit
• Clause 7: Management review
• Clause 8: ISMS improvement

ISO 27001:2013 mandatory clauses
Clauses 0-3 provide background and definitions.
Clauses 4-10 provide the mandatory requirements:
• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: ISMS improvement
Mapping the clauses
ISO 27001:2013                     ISO 27001:2005
1 Scope of the standard            1 Scope of the standard
2 Normative references             2 Normative references
3 Terms and definitions            3 Terms and definitions
4 Context of organization          4.2.1.a Define the scope & boundaries
5 Leadership                       5.1 Management Commitment
6 Planning                         4.2.1.b Objectives; 4.2.1.c Risk Assessment
7 Support                          5.2 Resource Management; 4.3 Documentation Requirements
8 Operation                        4.2.2 Implement and operate the ISMS; 4.2.3 Monitor and review the ISMS
9 Performance evaluation           6 Internal Audits; 7 Management Review
10 Improvement                     8 ISMS Improvement
Steps for Transition
• Make a proper transition plan
• Do a gap analysis
• Document all interested parties (internal & external)
• Revisit your scope statement
• Align business and security objectives
• Review the information security policy; add roles and responsibilities
• Review the risk management procedure; identify risk owners
• Revisit the risk assessment and get approval of the treatment from the risk owners
• Revisit your Statement of Applicability (SoA)
• Review required documentation – new documents may be required, old documents can be retired
• Revisit your metrics and measures
Organizations currently certified to the 2005 version have time till September 2015 to transition to the new standard ISO 27001:2013.
Need help? EMAIL US: connect@verde.co.in
• Comply with business, legal, contractual and regulatory requirements
• Adopt a risk-based approach that informs senior-level decision-making
• Win new business opportunities / retain your existing customer base
• Avoid large financial penalties – both regulatory fines and contractual
• Safeguard your own / your clients’ valuable intellectual property rights
• Build trust & confidence that encourages your business partners & customers to entrust confidential data to the company
• Support a continuous process of improvement throughout the organisation
Do you need help in transition to the new ISO 27001:2013 standard?
Call: +91 98311 45556
Need Training?
• Awareness course on ISMS
• Foundation course on ISMS
• Internal Auditor course on ISMS
• Transition course for ISO 27001:2013
Do you want to arrange a customized training for your organization?
Call: +91 98311 45556
Email: connect@verde.co.in
This is a knowledge initiative.
Do you need help in transition to the new ISO 27001:2013 standard?
Do you need help in fresh certification to the new ISO 27001:2013 standard?
Do you want to arrange a customized training for your organization?
One place for all your solutions
Call us: +91 98311 45556 | Email us: connect@verde.co.in
What does Verde do?
Verde is an international advisory firm involved in the field of Responsible Business, Business Excellence and Risk Management.
1. Assessment: identifying the gaps in a system against standard(s) and requirements, to meet compliance and facilitate improvement.
2. Consulting: supporting & handholding organisations to solve their problems and to close the gaps identified during the assessment or any other audit.
3. Training: empowering people to perform their duties effectively and efficiently.
4. Assurance & Certification: ensuring that a process, product, or service meets relevant technical standards and fulfils relevant requirements.
Verde services in Information Communication Technology
• Business Impact Assessment
• Information Security Management System
• Business Continuity Management
• Data Centre Conformity Assessment
• IT Service Management
• Vulnerability and Penetration Testing (VAPT)
Verde practice areas: Safety, Health & Environment; People Excellence; Food Safety; Social Compliance; Quality & Business Excellence; Information Security; Sustainability; Risk Management.