ISO 27001:2013 looks structurally and fundamentally different from ISO 27001:2005. The updated standard is based on Annex SL, which is the main reason for this notable distinction [Int13]. ISO created Annex SL to provide a universal high-level structure and common terms for all management system standards, which makes it easier for organisations to be consistent with more than one management system standard. For instance, ISO 22301:2012 on business continuity, ISO 9001 (quality management system) and ISO 27001:2013 (as mentioned) were published in conformance with Annex SL [HP11].
For the first part, the requirements for establishing, implementing, maintaining and continually improving an ISMS are defined in different sections of ISO 27001:2013. For conformity to ISO 27001:2013, Sections 4 to 10 are mandatory (cf. Table 2.1), while Annex A controls are selected based on the organisational security requirements. These requirements are defined in a way that provides a variety of choices for implementation. For example, preparing an inventory of assets is no longer a requirement for risk assessment. The titles and the contents of Sections 4 to 10 in the updated standard are different from ISO 27001:2005 (cf. Table 2.1). Every section defines a document requirement, based on the definition and specifications of that section; for example, the document requirement for Section 4 is “scope” and for Section 8 it is “the results of risk treatment plan”. Sections 4 to 7 specify requirements for establishing an ISMS, while Sections 8 to 10 identify the implementation requirements. In ISO 27001:2013, each requirement is stated only once and there are no duplicate requirements (for instance, preparing a list of documents is no longer required).
The updated standard is no longer based on the PDCA (Plan-Do-Check-Act) cycle [Int13]. PDCA is an iterative four-stage management model used for the control and continuous improvement of processes. Related phrases and concepts have therefore been changed, such as “continual improvement” in place of PDCA. In ISO 27001:2005, the terms and definitions were given in the body of the standard and the normative reference (which derives from this standard) is ISO 27002:2005, whereas ISO 27000:2013 is given as the normative reference for ISO 27001:2013.
Additionally, ISO 27001:2013 refers to ISO 31000:2009, which provides a framework for managing risk, for determining the internal and external context of the organisation. Table 2.1 shows the differences between the requirements sections of the two latest versions of ISO 27001 (2005 and 2013). Table 2.1 also lists the initial sections (0: Introduction, 1: Scope, 2: Normative reference, and 3: Terms and definitions), which have not changed between the two latest versions of ISO 27001. The remaining sections, however, are distinct in their context and definitions, as described so far. For the second part, according to ISO 27001:2005, Annex A is a checklist to make sure that all essential controls are considered and no necessary control is ignored by an organisation.
However, ISO 27001:2013 recommends that controls be selected in the risk treatment process. The risk treatment process defines the necessary controls that need to be implemented to protect an organisation from identified risks. ISO 27001:2013 is more flexible with regard to different risk assessment methodologies [Fre07], as there is no prerequisite for identifying risks.
Besides that, the SOA (Statement of Applicability) contains the organisation’s information security control domains and controls. The SOA is one of the most important documents: it explains the selected controls and the reasons for including or excluding each control domain from Annex A in the scope of an ISMS. In ISO 27001:2013, the SOA places more emphasis on objectives and on monitoring and measuring the implementation of ISO 27001 [SG11]. Based on the ISO 27002:2013 guidelines referenced in [JM14], the implementation requirements of each control are connected with those of other relevant controls. For example, the controls relevant to ownership of assets are supporting controls for implementing the information security roles and responsibilities controls (cf. A).
For a transition to the updated version, some areas, such as control of documentation, do not require any changes. Nevertheless, other areas, such as the objectives of the management system, require a rethink [HP11].
The next section, the last in this description of the development of ISO 27001, describes the process of obtaining ISO 27001 certification.