
ISO 27001:2013 Transition

01 Jun

A new version of the standard, ISO 27001:2013, was published on 25 September 2013. It replaces the previous version, ISO 27001:2005. There will be a transition period during which organisations align their ISMS with the new standard and become certified against ISO 27001:2013.

The new standard looks different from its predecessor; however, organisations already certified against ISO 27001:2005 should be able to migrate to it without much difficulty. The changes were made to give all management system standards a common structure, to align ISO 27001 with the risk management family of standards (ISO 31000), and to update the controls in Annex A.

In this blog post we will look at how the ISO 27001:2013 controls defined in Annex A map to the ISO 27001:2005 controls.

The following table shows how the controls defined in Annex A of ISO 27001:2013 map to the controls defined in ISO 27001:2005. Section and subsection headings (for example A.5 and A.5.1) are shown on their own rows; where the 2005 column is empty, the control is new in the 2013 edition.

| ISO 27001:2013 Control | ISO 27001:2005 Control | Comments |
|---|---|---|
| A.5 Information security policies | | |
| A.5.1 Management direction for information security | | |
| A.5.1.1 Policies for information security | A.5.1.1 Information security policy document | The control has not changed. |
| A.5.1.2 Review of the policies for information security | A.5.1.2 Review of the information security policy | The control has not changed. |
| A.6 Organization of information security | | |
| A.6.1 Internal organization | | |
| A.6.1.1 Information security roles and responsibilities | A.6.1.3 Allocation of information security responsibilities | The control has not changed. |
| A.6.1.2 Segregation of responsibilities and duties | A.10.1.3 Segregation of duties | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.6.1.3 Contact with authorities | A.6.1.6 Contact with authorities | The control has not changed. |
| A.6.1.4 Contact with special interest groups | A.6.1.7 Contact with special interest groups | The control has not changed. |
| A.6.1.5 Information security in project management | | This is a new control which requires information security to be integrated into project management to ensure that risks are identified and addressed. |
| A.6.2 Mobile devices and teleworking | | |
| A.6.2.1 Mobile device policy | A.11.7.1 Mobile computing and communications | The control has been moved from the access control section; however, it has not changed. |
| A.6.2.2 Teleworking | A.11.7.2 Teleworking | The control has been moved from the access control section; however, it has not changed. |
| A.7 Human resource security | | |
| A.7.1 Prior to employment | | |
| A.7.1.1 Screening | A.8.1.2 Screening | The control has not changed. |
| A.7.1.2 Terms and conditions of employment | A.8.1.3 Terms and conditions of employment | The control has not changed. |
| A.7.2 During employment | | |
| A.7.2.1 Management responsibilities | A.8.2.1 Management responsibilities | The control has not changed. |
| A.7.2.2 Information security awareness, education and training | A.8.2.2 Information security awareness, education and training | The control has not changed. |
| A.7.2.3 Disciplinary process | A.8.2.3 Disciplinary process | The control has not changed. |
| A.7.3 Termination and change of employment | | |
| A.7.3.1 Termination or change of employment responsibilities | A.8.3.1 Termination responsibilities | The control has not changed, but it is now more clearly explained and also covers contractors and third parties. The control requires contracts to clearly define the security responsibilities that remain valid after termination of employment. |
| A.8 Asset management | | |
| A.8.1 Responsibility for assets | | |
| A.8.1.1 Inventory of assets | A.7.1.1 Inventory of assets | The control has not changed. |
| A.8.1.2 Ownership of assets | A.7.1.2 Ownership of assets | The control has not changed. |
| A.8.1.3 Acceptable use of assets | A.7.1.3 Acceptable use of assets | The control has not changed. |
| A.8.1.4 Return of assets | A.8.3.2 Return of assets | The control has been moved from the human resources security section; however, it has not changed. |
| A.8.2 Information classification | | |
| A.8.2.1 Classification of information | A.7.2.1 Classification guidelines | Even though the title of the control has changed, the actual control has not. |
| A.8.2.2 Labelling of information | A.7.2.2 Information labelling and handling | The control has now been split into A.8.2.2 and A.8.2.3. This control addresses information labelling. |
| A.8.2.3 Handling of assets | A.7.2.2 Information labelling and handling | This control addresses asset handling procedures. |
| A.8.3 Media handling | | |
| A.8.3.1 Management of removable media | A.10.7.1 Management of removable media | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.8.3.2 Disposal of media | A.10.7.2 Disposal of media | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.8.3.3 Physical media transfer | A.10.8.3 Physical media in transit | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.9 Access control | | |
| A.9.1 Business requirements of access control | | |
| A.9.1.1 Access control policy | A.11.1.1 Access control policy | The control has not changed. |
| A.9.1.2 Policy on the use of network services | A.11.4.1 Policy on use of network services | The control has not changed. |
| A.9.2 User access management | | |
| A.9.2.1 User registration and de-registration | A.11.2.1 User registration | The control has now been split into A.9.2.1 and A.9.2.2. This control addresses registration and de-registration. |
| A.9.2.2 User access provisioning | A.11.2.1 User registration | This control addresses the assignment and removal of access rights. |
| A.9.2.3 Management of privileged access rights | A.11.2.2 Privilege management | The control has not changed. |
| A.9.2.4 Management of secret authentication information of users | A.11.2.3 User password management | The control has not changed. |
| A.9.2.5 Review of user access rights | A.11.2.4 Review of user access rights | The control has not changed. This is now the responsibility of asset owners. |
| A.9.2.6 Removal or adjustment of access rights | A.8.3.3 Removal of access rights | The control has been moved from the human resources security section; however, it has not changed. |
| A.9.3 User responsibilities | | |
| A.9.3.1 Use of secret authentication information | A.11.3.1 Password use | The control has not changed, but it now includes all types of authentication information and not just passwords. |
| A.9.4 System and application access control | | |
| A.9.4.1 Information access restriction | A.11.6.1 Information access restriction | The control has not changed. |
| A.9.4.2 Secure log-on procedures | A.11.5.1 Secure log-on procedures | The control has not changed, but it now covers both systems and applications. |
| A.9.4.3 Password management system | A.11.5.3 Password management system | The control has not changed. |
| A.9.4.4 Use of privileged utility programs | A.11.5.4 Use of system utilities | The control has not changed. |
| A.9.4.5 Access control to program source code | A.12.4.3 Access control to program source code | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.10 Cryptography | | |
| A.10.1 Cryptography controls | | |
| A.10.1.1 Policy on the use of cryptographic controls | A.12.3.1 Policy on the use of cryptographic controls | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.10.1.2 Key management | A.12.3.2 Key management | The control has been moved from the information systems acquisition, development and maintenance section and, in addition to the previous requirements, the control now requires a key management policy to be developed. |
| A.11 Physical and environmental security | | |
| A.11.1 Secure areas | | |
| A.11.1.1 Physical security perimeter | A.9.1.1 Physical security perimeter | The control has not changed. |
| A.11.1.2 Physical entry controls | A.9.1.2 Physical entry controls | The control has not changed. |
| A.11.1.3 Securing offices, rooms and facilities | A.9.1.3 Securing offices, rooms and facilities | The control has not changed. |
| A.11.1.4 Protecting against external and environmental threats | A.9.1.4 Protecting against external and environmental threats | The control has not changed. |
| A.11.1.5 Working in secure areas | A.9.1.5 Working in secure areas | The control has not changed. |
| A.11.1.6 Delivery and loading areas | A.9.1.6 Public access, delivery and loading areas | The control has not changed. |
| A.11.2 Equipment | | |
| A.11.2.1 Equipment siting and protection | A.9.2.1 Equipment siting and protection | The control has not changed. |
| A.11.2.2 Supporting utilities | A.9.2.2 Supporting utilities | The control has not changed. |
| A.11.2.3 Cabling security | A.9.2.3 Cabling security | The control has not changed. |
| A.11.2.4 Equipment maintenance | A.9.2.4 Equipment maintenance | The control has not changed. |
| A.11.2.5 Removal of assets | A.9.2.7 Removal of property | The control has not changed. |
| A.11.2.6 Security of equipment and assets off-premises | A.9.2.5 Security of equipment off-premises | The control has not changed. |
| A.11.2.7 Secure disposal or reuse of equipment | A.9.2.6 Secure disposal or re-use of equipment | The control has not changed. |
| A.11.2.8 Unattended user equipment | A.11.3.2 Unattended user equipment | The control has been moved from the access control section; however, it has not changed. |
| A.11.2.9 Clear desk and clear screen policy | A.11.3.3 Clear desk and clear screen policy | The control has been moved from the access control section; however, it has not changed. |
| A.12 Operations security | | |
| A.12.1 Operational procedures and responsibilities | | |
| A.12.1.1 Documented operating procedures | A.10.1.1 Documented operating procedures | The control has not changed. |
| A.12.1.2 Change management | A.10.1.2 Change management | The control now covers all changes in the organisation which could affect security. |
| A.12.1.3 Capacity management | A.10.3.1 Capacity management | The control has not changed. |
| A.12.1.4 Separation of development, testing and operational environments | A.10.1.4 Separation of development, test and operational facilities | The control has not changed. |
| A.12.2 Protection from malware | | |
| A.12.2.1 Controls against malware | A.10.4.1 Controls against malicious code | The control has not changed. |
| A.12.3 Backup | | |
| A.12.3.1 Information backup | A.10.5.1 Information back-up | The control has not changed. |
| A.12.4 Logging and monitoring | | |
| A.12.4.1 Event logging | A.10.10.1 Audit logging; A.10.10.2 Monitoring system use; A.10.10.5 Fault logging | The three controls have been merged into one control. |
| A.12.4.2 Protection of log information | A.10.10.3 Protection of log information | The control has not changed. |
| A.12.4.3 Administrator and operator logs | A.10.10.4 Administrator and operator logs | The control has not changed. |
| A.12.4.4 Clock synchronisation | A.10.10.6 Clock synchronization | The control has not changed. |
| A.12.5 Control of operational software | | |
| A.12.5.1 Installation of software on operational systems | A.12.4.1 Control of operational software | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.12.6 Technical vulnerability management | | |
| A.12.6.1 Management of technical vulnerabilities | A.12.6.1 Control of technical vulnerabilities | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.12.6.2 Restrictions on software installation | | This is a new control which requires restrictions that prevent users from installing unauthorised software. |
| A.12.7 Information systems audit considerations | | |
| A.12.7.1 Information systems audit controls | A.15.3.1 Information systems audit controls | The control has been moved from the compliance section; however, it has not changed. |
| A.13 Communications security | | |
| A.13.1 Network security management | | |
| A.13.1.1 Network controls | A.10.6.1 Network controls | The control has not changed. |
| A.13.1.2 Security of network services | A.10.6.2 Security of network services | The control has not changed. |
| A.13.1.3 Segregation in networks | A.11.4.5 Segregation in networks | The control has been moved from the access control section; however, it has not changed. |
| A.13.2 Information transfer | | |
| A.13.2.1 Information transfer policies and procedures | A.10.8.1 Information exchange policies and procedures | The control has not changed. |
| A.13.2.2 Agreements on information transfer | A.10.8.2 Exchange agreements | The control has not changed. |
| A.13.2.3 Electronic messaging | A.10.8.4 Electronic messaging | The control has not changed. |
| A.13.2.4 Confidentiality or nondisclosure agreements | A.6.1.5 Confidentiality agreements | The control has been moved from the organization of information security section; however, it has not changed. |
| A.14 System acquisition, development and maintenance | | |
| A.14.1 Security requirements of information systems | | |
| A.14.1.1 Information security requirements analysis and specification | A.12.1.1 Security requirements analysis and specification | The control has not changed. |
| A.14.1.2 Securing application services on public networks | A.10.9.1 Electronic commerce | The control has been moved from the communications and operations management section and expanded to include all application services on public networks. |
| A.14.1.3 Protecting application services transactions | A.10.9.2 On-line transactions | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.14.2 Security in development and support processes | | |
| A.14.2.1 Secure development policy | | This is a new control which requires a secure development policy that identifies the guidelines and best practices to be followed in development. |
| A.14.2.2 System change control procedures | A.12.5.1 Change control procedures | The control has not changed. |
| A.14.2.3 Technical review of applications after operating platform changes | A.12.5.2 Technical review of applications after operating system changes | The control has not changed. |
| A.14.2.4 Restrictions on changes to software packages | A.12.5.3 Restrictions on changes to software packages | The control has not changed. |
| A.14.2.5 Secure system engineering principles | | This is a new control which requires guidelines and best practices for engineering secure systems to be defined and implemented. |
| A.14.2.6 Secure development environment | | This is a new control which requires the establishment of a secure development environment. |
| A.14.2.7 Outsourced development | A.12.5.5 Outsourced software development | The control has not changed. |
| A.14.2.8 System security testing | | This is a new control which requires security testing to be carried out on systems during development. |
| A.14.2.9 System acceptance testing | A.10.3.2 System acceptance | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.14.3 Test data | | |
| A.14.3.1 Protection of test data | A.12.4.2 Protection of system test data | The control has not changed. |
| A.15 Supplier relationships | | |
| A.15.1 Information security in supplier relationships | | |
| A.15.1.1 Information security policy for supplier relationships | A.6.2.1 Identification of risks related to external parties | The control has not changed. |
| A.15.1.2 Addressing security within supplier agreements | A.6.2.3 Addressing security in third party agreements | The control has not changed. |
| A.15.1.3 Information and communication technology supply chain | | This is a new control that addresses the risks associated with suppliers outsourcing some or all of the IT services they provide. |
| A.15.2 Supplier service delivery management | | |
| A.15.2.1 Monitoring and review of supplier services | A.10.2.2 Monitoring and review of third party services | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.15.2.2 Managing changes to supplier services | A.10.2.3 Managing changes to third party services | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.16 Information security incident management | | |
| A.16.1 Management of information security incidents and improvements | | |
| A.16.1.1 Responsibilities and procedures | A.13.2.1 Responsibilities and procedures | The control has not changed. |
| A.16.1.2 Reporting information security events | A.13.1.1 Reporting information security events | The control has not changed. |
| A.16.1.3 Reporting information security weaknesses | A.13.1.2 Reporting security weaknesses | The control has not changed. |
| A.16.1.4 Assessment of and decision on information security events | | This is a new control which addresses the identification and classification of security incidents. |
| A.16.1.5 Response to information security incidents | | This is a new control which requires organisations to establish and apply security incident response procedures. |
| A.16.1.6 Learning from information security incidents | A.13.2.2 Learning from information security incidents | The control has not changed. |
| A.16.1.7 Collection of evidence | A.13.2.3 Collection of evidence | The control has not changed. |
| A.17 Information security aspects of business continuity management | | |
| A.17.1 Information security continuity | | |
| A.17.1.1 Planning information security continuity | A.14.1.1 Including information security in the business continuity management process | The control has not changed. |
| A.17.1.2 Implementing information security continuity | A.14.1.3 Developing and implementing continuity plans including information security | The control has not changed. |
| A.17.1.3 Verify, review and evaluate information security continuity | A.14.1.5 Testing, maintaining and reassessing business continuity plans | The control has not changed. |
| A.17.2 Redundancies | | |
| A.17.2.1 Availability of information processing facilities | | This is a new control which addresses information systems availability requirements. |
| A.18 Compliance | | |
| A.18.1 Compliance with legal and contractual requirements | | |
| A.18.1.1 Identification of applicable legislation and contractual requirements | A.15.1.1 Identification of applicable legislation | The control has not changed. |
| A.18.1.2 Intellectual property rights | A.15.1.2 Intellectual property rights (IPR) | The control has not changed. |
| A.18.1.3 Protection of records | A.15.1.3 Protection of organizational records | The control has not changed. |
| A.18.1.4 Privacy and protection of personally identifiable information | A.15.1.4 Data protection and privacy of personal information | The control has not changed. |
| A.18.1.5 Regulation of cryptographic controls | A.15.1.6 Regulation of cryptographic controls | The control has not changed. |
| A.18.2 Information security reviews | | |
| A.18.2.1 Independent review of information security | A.6.1.8 Independent review of information security | The control has been moved from the organisation of information security section; however, it has not changed. |
| A.18.2.2 Compliance with security policies and standards | A.15.2.1 Compliance with security policies and standards | The control has not changed. |
| A.18.2.3 Technical compliance review | A.15.2.2 Technical compliance checking | The control has not changed. |


Posted by Ray

6 Comments

Stuart Barker (not verified) May 07, 2014

Great summary of the changes. Have you had any subsequent implementation experience?

Bil May 15, 2014

Hi Stuart, yes we have. Feel free to contact us if you want pointers or help.

Miguel Soares (not verified) September 19, 2014

Great work you did. Shouldn't control A.8.1.1 of ISO 27001:2005 be mapped to A.6.1.1 in ISO 27001:2013? Thank you, Miguel Ângelo Saragoça Soares

Ray November 27, 2014

A.8.1.1 was considered a duplicate of A.6.1.3 and as such was removed from the new standard. Thus, the new A.6.1.1 maps to A.6.1.3 in the old standard.

Anonymous (not verified) January 29, 2015

From your mapping of A.14.1.1, are you suggesting that an organisation that had e-commerce out of scope (SoA A.10.9.1, A.10.9.2, A.10.9.3) of its ISO/IEC 27001:2005 certification can also take A.14.1.1 out of scope? Bearing in mind that the 2005 revision uses the word "e-commerce" while 2013 uses "application services". If yes, can A.14.1.3 be out of scope? E-commerce, from the Oxford dictionary: commercial transactions conducted electronically on the Internet.

Bil February 04, 2015

A.14.1.1 applies to information security requirements for all types of information systems, not just online commercial applications, so in my opinion A.14.1.1 would be applicable to the vast majority of ISMSs. Additionally, A.14.1.2 has been expanded to cover more than just online commercial transactions, and includes all application services passing over public networks; I've updated A.14.1.2 above to reflect this. A.14.1.3 doesn't specify applications on the internet, however if you don't have any applications in scope that involve transactions then A.14.1.3 may not be applicable. ISO 27002:2013 has some very good guidance for these sections.
