ISO 27001:2013 - A transition guide

Date post: 16-Jul-2015
Upload: verde-ventures-pvt-ltd
Page 1: ISO 27001:2013 - A transition guide

www.verde.co.in

Transition from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Transition Guide

Page 2: ISO 27001:2013 - A transition guide

Inspiring Excellence

about the e-book

This e-book has been prepared to show the changes introduced in the ISMS standard ISO 27001:2013 relative to ISO 27001:2005.

In ISO 27001:2013, a few controls have been removed because they were ambiguous or duplicated other controls. A few new controls have been added, and some existing controls have been separated out into their own domain. ISO 27001:2005 had 133 controls in 11 domains; ISO 27001:2013 has been revised to 114 controls in 14 domains.


Page 3: ISO 27001:2013 - A transition guide


ISO 27001:2005 to ISO 27001:2013: plan your transition today

Page 4: ISO 27001:2013 - A transition guide


New ISO 27001:2013

WHAT HAS CHANGED?

Comparison

                                    ISO 27001:2005    ISO 27001:2013
Number of sections in Annexure A    11                14
Number of controls in Annexure A    133               114

Requirements

New Requirements

• Risk Owners (6.1.2c)

• Interested Parties (4.2)

Old Requirements

• Preventive Action

• Document Control

• Annex B

• Annex C

Information Security Management System

Page 5: ISO 27001:2013 - A transition guide


Degree of Change

MAJOR

• Interested Parties

• Objectives, Monitoring & Measurement

• Risk Assessment and Treatment

MODERATE

• ISMS Scope

• Information Security Policy

• Communication

• Document Management

• Annex A Control

SMALL

• Leadership and Commitment

• Statement of Applicability

• Human Resource Management

• Internal Audit

• Management Review

• Corrective Action

New Security Controls

• Information security in project management (A.6.1.5)

• Secure development policy (14.2.1)

• Secure system engineering principles (14.2.5)

• Secure development environment (14.2.6)

• System security testing (14.2.8)

• Assessment of and decision on information security events (16.1.4)

• Availability of information processing facilities (17.2.1)


Page 6: ISO 27001:2013 - A transition guide


WHY THE CHANGE?

ISO 27001:2013

The transition to ISO 27001:2013 is in accordance with Annex SL. Annex SL defines the framework for a generic management system. All new ISO management system standards (e.g. ISO 22301) adhere to this framework, and all current management system standards will migrate to it at their next revision (e.g. ISO 9001 and ISO 14001 in 2015).

Another reason for the change is to remove ambiguity between standards. It gives all the standards the same ‘look and feel’ (with the exception of Section 8, Operation, which remains product specific).

This should ensure consistency and compatibility, especially for clients with more than one management system. A major benefit is that less time may be required during certification for organizations whose multiple management systems are fully integrated.


Page 7: ISO 27001:2013 - A transition guide


Change in the clauses

ISO 27001:2005 mandatory clauses

Clause 0-3: Provide background and definitions

Clause 4-8: Provide mandatory requirements

• Clause 4: Information security management system
• Clause 5: Management responsibility
• Clause 6: Internal ISMS audit
• Clause 7: Management review
• Clause 8: ISMS improvement

ISO 27001:2013 mandatory clauses

Clause 0-3: Provide background and definitions

Clause 4-10: Provide mandatory requirements

• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: ISMS improvement

Page 8: ISO 27001:2013 - A transition guide


Mapping the clauses

ISO 27001:2013               ISO 27001:2005
1 Scope of the standard      1 Scope of the standard
2 Normative references       2 Normative references
3 Terms and definitions      3 Terms and definitions
4 Context of organization    4.2.1.a Define the scope & boundaries
5 Leadership                 5.1 Management commitment
6 Planning                   4.2.1.b Objectives; 4.2.1.c Risk assessment
7 Support                    5.2 Resource management; 4.3 Documentation requirements
8 Operation                  4.2.2 Implement and operate the ISMS; 4.2.3 Monitor and review the ISMS
9 Performance evaluation     6 Internal audits; 7 Management review
10 Improvement               8 ISMS improvement

Page 9: ISO 27001:2013 - A transition guide


Steps for Transition

Make a proper Transition Plan

Do a gap analysis

Document all interested parties (internal & external)

Revisit your scope statement

Align business and security objectives

Review information security policy, add roles and responsibilities

Review risk management procedure; identify risk owners

Revisit risk assessment and get approval of treatment from risk owners

Revisit your Statement of Applicability (SoA)

Review required documentation – new documents may be required, and old documents can be retired

Revisit your metrics and measures

Need help?

Email us: [email protected]

For organizations currently certified to the 2005 version, you have until September 2015 to transition to the new standard ISO 27001:2013.

Page 10: ISO 27001:2013 - A transition guide


• Comply with business, legal, contractual and regulatory requirements

• Adopt a risk-based approach that informs senior-level decision-making

• Win new business opportunities / retain your existing customer base

• Avoid large financial penalties – both regulatory fines and contractual

• Safeguard your own / your clients’ valuable intellectual property rights

• Build trust and confidence that encourages your business partners and customers to entrust confidential data to the company

• Support a continuous process of improvement throughout the organisation

Do you need help in transition to the new ISO 27001:2013 standard?

Call: +91 98311 45556

Page 11: ISO 27001:2013 - A transition guide


• Awareness course on ISMS

• Foundation course on ISMS

• Internal Auditor course on ISMS

• Transition course for ISO 27001:2013

Need Training? Do you want to arrange a customized training for your organization?

Call: +91 98311 45556

Email: [email protected]

Page 12: ISO 27001:2013 - A transition guide


This is a knowledge initiative

Do you need help in transition to the new ISO 27001:2013 standard?

Do you need help in fresh certification to the new ISO 27001:2013 standard?

Do you want to arrange a customized training for your organization?

One place for all your solutions

Call us: +91 98311 45556 | Email us: [email protected]

Page 13: ISO 27001:2013 - A transition guide


What does Verde do?

Verde is an international advisory firm involved in the field of Responsible Business, Business Excellence and Risk Management.

1. Assessment

Identifying the gaps in a system against the applicable standard(s) and requirements, to meet compliance and facilitate improvement.

2. Consulting

Supporting and handholding organisations to solve their problems and to close the gaps identified during the assessment or any other audit.

3. Training

Empowering people to perform their duties effectively and efficiently.

4. Assurance & Certification

Ensuring that a process, product, or service meets relevant technical standards and fulfils relevant requirements.


Verde services in

Information Communication Technology

• Business Impact Assessment

• Information Security Management System

• Business Continuity Management

• Data Centre Conformity Assessment

• IT Service Management

• Vulnerability and Penetration Testing (VAPT)

Other Verde service areas

• Safety, Health & Environment

• People Excellence

• Food Safety

• Social Compliance

• Quality & Business Excellence

• Information Security

• Sustainability

• Risk Management

