ISO/IEC 27001:2013

ISO/IEC 27001:2013 Information Security ImageThe internationally acclaimed standard for information security management (ISO/IEC 27001) and accompanying ISO/IEC 27002:2013, ‘Code of practice for information security management controls’ have been revised. Following the publication of an initial draft international standard (DIS) and extensive public consultation, both ISO/IEC 27001 and ISO/IEC 27002 have passed their final draft standard (FDIS) ballots and  proceeded to final publication.



What are the main changes?

  • The revised standard has been written using the new high level structure, which is common to all new management systems standards. This will allow easy integration when implementing more than one management system
  • Terminology changes have been made and some definitions have been removed or relocated
  • Risk assessment requirements have been aligned with BS ISO 31000
  • Management commitment requirements have a focus on “leadership” 
  • Preventive action has been replaced with “actions to address, risks and opportunities”
  • SOA  requirements are similar, with more clarity on the need to determine controls by the risk treatment process
  • Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships
  • Greater emphasis is on setting objectives, monitoring performance and metrics

I’m currently certified to ISO/IEC 27001 – what do I need to do?

We are here to make sure that as an existing ISO/IEC 27001:2005 certification customer you have all the information and tools that you need to understand the changes to the standard. We will work with you to transition over the next two years as part of your planned certification surveillance visits.

A free transition guide is available, giving you an overview of the main differences and proving pointers on key aspects you should consider.