NuHarbor Security Blog
August 20, 2014

What are the differences between ISO27001:2005 and ISO27001:2013?

By Justin Fimlaid

The new version of ISO27001 is coming out soon. It is the first revision of ISO27001:2005. This is exciting to me, and it means a couple of things:

  1. our industry is maturing, and
  2. we have a new platform for growth and guidance.

There are some much-needed changes in ISO27001:2013, and I'll attempt to enumerate them here. A summary of the change follows each clause.

Here are the clauses (0 through 10):

  • 0 Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Context of the organization
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement

Clause 0: Introduction

This section has been shortened quite a bit. The reference to Plan-Do-Check-Act (PDCA) has been removed. The main reason for this is to give the implementer the flexibility to choose whichever improvement methodology they are most comfortable with to satisfy Clause 10.

Clause 0 Summary of Change:

Plan Do Check Act (PDCA) reference removed

Clause 1: Scope

This section has also been shortened quite a bit. Sections 1.1 (General) and 1.2 (Application) are merged into the Section 1 Scope text.

Clause 1 Summary of Change:

Negligible changes; this section is a little more streamlined.

Clause 2: Normative References

The only reference is to ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Clause 2 Summary of Change:

None.

Clause 3: Terms and definitions

Terms and definitions have been removed from this section. You are pointed back to ISO 27000 for the updated terms and definitions. The big point here: you need the 2013 edition of ISO27000 to correctly map terminology back to ISO27001:2013. If you use an old version of ISO27000 the terminology won't match up.

Clause 3 Summary of Change:

Terms and definitions have been removed. You can find the updated terms and definitions in the new version of ISO27000.

Clause 4: Context of the organization

There are several changes in this section. First, the title has changed from "Information Security Management System" (in 2005) to "Context of the organization" (in 2013). This is a big change, and a good one in my opinion: it requires the implementer to consider internal and external influences when scoping the Information Security Management System (ISMS). The term "issue" also takes on more meaning. In the 2005 version an "issue" was a problem remediated by a preventive action; in 2013 it can also mean an important topic with respect to the ISMS.

Section 4.1 has changed too, and requires the implementer (and the auditor) to understand the business. ISO31000 also makes a new appearance here: the note on 4.1 points to ISO 31000 for establishing the organization's external and internal context. Section 4.2, formerly titled "Establishing and managing the ISMS", is now titled "Understanding the needs and expectations of interested parties". This requires that you list the parties you considered in designing the ISMS (keeping with the theme of a context-aware ISMS).

Section 4.2.1 a) through j) (titled "Establish the ISMS") was rolled into Section 6.1 (titled "Actions to address risks and opportunities"). There are some very significant changes to assessing and treating risk. The asset/vulnerability/threat model is no longer mandated; the implementer is only required to consider risks to the confidentiality, integrity, and availability of information within the scope of the ISMS. This could be a good or a bad change: good because it gives the risk assessor more flexibility in determining sources of risk, potentially bad because assessing assets, vulnerabilities, and threats has been a leading practice for quite a while. The term "asset owner" is now "risk owner", which changes the audience of the ISMS.

The old Section 4.3 ("Documentation requirements") does not keep its number. In 2013, Section 4.3 is "Determining the scope of the information security management system", and the documentation requirements move to Section 7.5, "Documented information". There, the ideas of "documents" and "records" are merged into a single concept, "documented information".

Clause 4 Summary of Change:

Clause 4 - Titled "Context of the organization".

Section 4.1 - Requires the implementer to consider internal and external issues (influences).

Section 4.2 - Titled "Understanding the needs and expectations of interested parties". The implementer needs to document which interested parties and their requirements were considered.

Section 4.2.1 - Rolled into Section 6.1, "Actions to address risks and opportunities". Assets, vulnerabilities, and threats are no longer the mandated basis for assessing risk.

Section 4.3 - Titled "Determining the scope of the information security management system". The former documentation requirements move to Section 7.5, "Documented information", which combines the concepts of "documents" and "records".

Clause 5: Leadership

Clause 5 is now titled "Leadership" (was titled "Management responsibility"). The 2013 version puts more requirements on "top management": leadership commitment must be demonstrated by leading from the top. Section 5.3, titled "Organizational roles, responsibilities and authorities", was added.

Clause 5 Summary of Change:

Clause 5 - Titled "Leadership".

Section 5.1 - Titled "Leadership and commitment".

Section 5.2 - Titled "Policy"; this is where the information security policy (the ISMS policy, in 2005 terms) is referenced.

Section 5.3 - New, titled "Organizational roles, responsibilities and authorities".

Clause 6: Planning

Clause 6 is now titled "Planning" (the 2005 Clause 6 was "Internal ISMS audits"). References to Plan-Do-Check-Act are completely removed. Clause 6.1.1 works in tandem with Clauses 4.1 and 4.2 to complete the new way of dealing with preventive action. Clause 6.1.2 is now the section where information security risk is assessed (see my note on Clause 4 above), and Clause 6.1.3 covers risk treatment. The Statement of Applicability is still required. A risk treatment plan is required and must now be approved by the risk owners, who must also accept the residual risk.

Clause 6 Summary of Change:

Clause 6 - Titled "Planning". References to Plan-Do-Check-Act (PDCA) are removed. Assessing risk on the basis of assets, vulnerabilities, and threats is no longer mandated; the implementer/assessor must now consider internal and external influences on the business. The term "asset owner" is now "risk owner".

Clause 7: Support

Parts of this section are new. It covers the requirement that organizations shall provide the resources necessary to establish, implement, maintain, and continually improve their ISMS. Section 7.4 is new: all communication requirements are summarized to include what needs to be communicated, when, by whom, and via which communication channel. Section 7.5, "Documented information", is where the 2005 documentation requirements now live. There is also a shift of focus to the business side: the ISMS isn't just an IT security problem, and information spans the whole business.

Clause 7 Summary of Changes:

Clause 7 - Titled "Support".

Clause 7.4 is new and requires you to document the what, when, who, and how of ISMS communication.

Clause 8: Operation

This new section is an expanded version of the "Do" phase of PDCA, and deals with executing the plans and processes. Clause 8.1 ("Operational planning and control") deals with executing the processes needed to achieve the information security objectives. Clause 8.2 deals with performing information security risk assessments at planned intervals, or when significant changes are proposed or occur. Clause 8.3 deals with implementing the risk treatment plan.

Clause 8 Summary of Changes:

This section significantly expands on the "Do" phase of the PDCA cycle from ISO27001:2005.

Clause 9: Performance Evaluation

9.1 This clause is expanded from the 2005 version. There is more content on monitoring and measuring, but it only considers systems and processes within the ISMS scope.

9.2 This is the internal audit section, similar to that in ISO27001:2005. The requirement holding management responsible for ensuring that audit actions are taken without undue delay has been removed from here and is covered in Clause 10.

9.3 The management review requirement of at least once per year has been removed; top management must now review the ISMS at "planned intervals".

Clause 9 Summary of Changes:

This section is new in ISO27001:2013, but it is an expanded "Check" phase of what was formerly the PDCA cycle in ISO27001:2005.

Clause 10: Improvement

ISO27001:2013 handles preventive action differently (through the risk and opportunity planning in Clause 6.1), so there are no preventive action requirements in this section. There is a new requirement to continually improve the suitability and adequacy of the ISMS, as well as its effectiveness.

Clause 10 Summary of Changes:

This section is new in ISO27001:2013. Although the concept of preventive action has evolved, the requirement to consider potential nonconformities still exists. Implementers must extend their improvement methodology to cover the suitability, adequacy, and effectiveness of the ISMS.

Annex A is now titled "Reference control objectives and controls". The controls come from ISO27002:2013 (note that ISO27002 has a new revision too). The number of controls has been reduced from 133 to 114, but the number of control clauses (domains) has expanded from 11 to 14.

There appear to be some positive changes in the ISO27001:2013 revision. It will be interesting to see how the new risk assessment changes play out, but I suppose folks can still fall back on the assets, vulnerabilities, threats methodology if they choose to.


Included Topics

  • Compliance
Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
