Wednesday, 06 November 2013 18:41

ISO/IEC 27001:2013

ISO 27001:2013 is an information security standard that was published on 25 September 2013.[1] It cancels and replaces ISO 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a specification for an information security management system (ISMS). Organisations which meet the standard may be accredited by an independent accreditor.


Structure of the standard


The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".


27001:2013 has ten short clauses, plus a long annex, which cover:


1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organisational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action
Annex A: List of controls and their objectives.


This structure mirrors the structure of other new management standards such as ISO 22301 (business continuity management);[2] this helps organisations that aim to comply with multiple standards to improve their IT from different perspectives.[3] Annexes B and C of 27001:2005 have been removed.[4]


Changes from the 2005 standard



The new standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing,[5] and there is a new section on outsourcing, which reflects the fact that many organisations rely on third parties to provide some aspects of IT.[6] It does not emphasise the Plan-Do-Check-Act cycle that 27001:2005 did.[7] More attention is paid to the organisational context of information security, and risk assessment has changed.[8] Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO 20000, and it has more in common with them.[9]


New controls:


  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities
Clause 6.1.3 describes how an organisation can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. These controls, and control objectives, are listed in Annex A, although it is also possible in principle for organisations to pick other controls elsewhere. There are now 114 controls in 14 groups; the old standard had 133 controls in 11 groups.[10]


  • A.5: Information security policies
  • A.6: Organization of information security
  • A.7: Human resource security (controls that are applied before, during, or after employment)
  • A.8: Asset management
  • A.9: Access control
  • A.10: Cryptography
  • A.11: Physical and environmental security
  • A.12: Operations security
  • A.13: Communications security
  • A.14: System acquisition, development and maintenance
  • A.15: Supplier relationships
  • A.16: Information security incident management
  • A.17: Information security aspects of business continuity management
  • A.18: Compliance (with internal requirements, such as policies, and with external requirements, such as laws)


The new and updated controls reflect changes to technology affecting many organisations, for instance the Cloud.[11]




  1. "ISO/IEC FDIS 27001". ISO. Retrieved 25 September 2013.
  2. "ISO 27001 Information Security Management". Nanyang Technological University. Retrieved 2 July 2013.
  3. "Security updates: The upcoming revision of ISO/IEC 27001". DNV Business Assurance. Retrieved 2 July 2013.
  4. Kosutic, Dejan. "A first look at the new ISO 27001 (2013 draft version)". Retrieved 2 July 2013.
  5. "More changes ahead... ISO 27001:2005 Information Security Management Standard". QSL. Retrieved 2 July 2013.
  6. "ISO 27001 update is around the corner". British Assessment Bureau. Retrieved 2 July 2013.
  7. "Update to ISO 27001 Planned for 2013". Dionach. Retrieved 2 July 2013.
  8. "BS ISO/IEC DIS 27001 (Draft ISO27001 2013)". IT Governance. Retrieved 2 July 2013.
  9. "ISO 27001:2013 – Understanding the New Standard". The Pragmatic Auditor. Retrieved 2 July 2013.
  10. "The new versions of ISO/IEC 27001 and 27002 are now Final Draft International Standards". Gamma. Retrieved 2 July 2013.
  11. "Security updates: The upcoming revision of ISO/IEC 27001". DNV Business Assurance. Retrieved 2 July 2013.
Published in Management consulting
Wednesday, 06 November 2013 18:29

ISO/IEC 27001 - Information security management

The ISO 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).


What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

It can help small, medium and large businesses in any sector keep information assets secure.


Preview ISO/IEC 27001:2013

You can preview the freely available sections of ISO 27001:2013 on our Online Browsing Platform. To purchase the standard please visit the ISO Store.


Certification to ISO/IEC 27001

Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification.

Read more about certification to ISO’s management system standards.

Many organizations around the world are certified to ISO/IEC 27001. To find out more, visit the ISO Survey.
