November 2013
New releases of ISO 27001:2013 and ISO 27002:2013
The new versions of ISO 27001 Information Security Management System (ISMS requirements)
and ISO 27002 Code of Practice for Information Security Controls (aids the implementation of
ISO 27001) were published in September 2013. An effectively implemented ISMS can improve the
state of information security in an organisation. Organisations already ISO certified are allowed a
period of two years to meet the requirements of the new ISO version.
Changes in ISO 27002:2013
The revised Annex SL format has a new set of chapters and structure, as illustrated in the
image in the Appendix.
The new structure is intended to standardise terminology and requirements to all management
system standards, such as ISO 9000 Quality Management and ISO 20000 Information
Technology – Service Management.
The Information Security Management System (ISMS) is renamed as Context of the
Organisation.
The new version of the standard requires a clear demonstration of leadership. Leadership and
management are now clearly defined as two separate requirements. Leaders need to demonstrate
commitment by defining strategic goals and ensuring that sufficient resources are available to
implement information security correctly. Management is defined as the implementation and
day-to-day running of the systems.
Organisations will now have the flexibility to implement the requirements in the most suitable
way for them, since the new standard is less prescriptive.
A noticeable change is the withdrawal of the Plan-Do-Check-Act (PDCA) model, which was an
important section of the previous standard. The 2013 version still applies such a model within the
mandatory clauses; however, it is no longer a dedicated section.
The importance of interested parties is recognised in the new standard, where a separate clause
is included which requires all interested parties to be listed under “Understanding the needs
and expectations of interested parties”, along with their requirements.
The chapters on Risk Assessment and Risk Treatment were removed. Documenting a Risk
Management Methodology is not required, and the asset-vulnerability-threat approach is no longer
the basis of the risk assessment. Only risks associated with confidentiality, integrity and availability
need to be identified. Also, the new concept of risk owners is introduced in place of asset
owners.
The new standard includes 114 controls in 14 security control clauses (categories), whereas the
2005 standard had 133 controls in 11 security control clauses.
Two new categories are added, “Cryptography” and “Supplier Relationships”, and the existing
category “Communications and operations management” is split into two categories,
“Operations Security” and “Communications Security”.
Many controls in the standard are unaltered, while some controls are deleted or merged
together. Additionally, some new controls are added and the guidance text is updated
accordingly.
The table below illustrates the security control clauses (categories) included in ISO
27002:2013 and ISO 27001:2005.

ISO 27002:2013                                        ISO 27002:2005
5  Information Security Policies                      Security Policy
6  Organisation of Information Security               Organisation of Information Security
7  Human Resource Security                            Asset Management
8  Asset Management                                   Human Resource Security
9  Access Control                                     Physical and Environmental Security
10 Cryptography                                       Communications and Operations Management
11 Physical and Environmental Security                Access Control
12 Operations Security                                Information Systems Acquisition, Development and Maintenance
13 Communications Security                            Information Security Incident Management
14 System Acquisition, Development and Maintenance    Business Continuity Management
15 Supplier Relationships                             Compliance
16 Information Security Incident Management
17 Information Security Aspects of Business Continuity Management
18 Compliance

Risk Assurance Consulting (RAC) November 2013
New controls proposed in the ISO 27002:2013 release
Controls added in 27002:2013
A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 System development procedures
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and Communication Technology supply chain
A.16.1.4 Assessment and decision of information security events
A.16.1.5 Response to information security incidents
A.17.1.2 Implementing information security continuity
A.17.2.1 Availability of information processing facilities
ISO 27002:2005 controls deleted
ISO 27001:2005 controls deleted in ISO 27001:2013
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.4 Authorisation process for information processing facilities
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.10.2.1 Service delivery
A.10.7.4 Security of system documentation
A.10.8.5 Business Information Systems
A.10.10.2 Monitoring system use
A.10.10.5 Fault logging
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote Diagnostic and configuration port protection
A.11.4.6 Network Connection control
A.11.4.7 Network routing control
A.11.6.2 Sensitive system isolation
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.5.4 Information leakage
A.14.1.1 Including information security in the business continuity management process
A.14.1.3 Developing and implementing continuity plans including information security
A.14.1.4 Business continuity planning framework
A.15.1.5 Prevention of misuse of information processing facilities
A.15.3.2 Protection of information systems audit tools
We would be pleased to meet with you and provide you with any clarifications and / or additional
information on matters raised.