The new ISO/IEC 27001:2013 standard

The internationally acclaimed standard for information security management (ISO/IEC 27001), together with its accompanying code of practice ISO/IEC 27002, ‘Code of practice for information security management controls’, was revised in October 2013. If you still have an ISO/IEC 27001:2005 management system in place, you can work with us to update your system and obtain an ISO/IEC 27001:2013 certificate that is UKAS accredited.

What are the main differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013?

  • The 2013 standard has been written using the new high level structure, which is common to all new management system standards. This will make integration straightforward when implementing more than one management system
  • Terminology changes have been made and some definitions have been removed or relocated
  • Risk assessment requirements have been aligned with BS ISO 31000
  • Management commitment requirements have a focus on “leadership”
  • Preventive action has been replaced with “actions to address risks and opportunities”
  • Statement of Applicability (SOA) requirements are similar, with more clarity on the need to determine controls through the risk treatment process
  • Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships.
  • Greater emphasis is placed on setting objectives, monitoring performance and using metrics

ISO/IEC 27001:2013 transition resources

Resources to help you make your transition