a) Documented information
‘Documented information’ is a new term that covers what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the single term ‘documented information’.
b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).
A change may be required to accommodate the requirements of Clause 7.4, as the process of creating awareness may be regarded as a form of communication.
e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)), and organizations are still required to produce a SOA. The format of an ISO/IEC 27001:2013 conformant SOA need not differ from that used under the previous standard. However, the control set is different (controls have been renumbered, merged, split and reworded), and therefore organizations will be required to update their SOAs. When doing so, be careful to check that each control listed, and its implementation, matches the wording given in the 2013 edition of Annex A rather than the 2005 wording.
f) Actions to address risks and opportunities – general
ISO/IEC 27001:2013 no longer contains a separate ‘preventive action’ requirement; its intent is now covered by the context and risk clauses. Existing preventive action procedures will therefore need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.
g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for measuring ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper.
However, there are other documented information requirements in ISO/IEC 27001:2013 that an organization may consider to be matters of policy, and therefore should be included in its ‘ISMS’ policy. These
1 The criteria for performing information security risk assessments (see Clause 6.1.2 a) 2));
2 The organization’s policy towards releasing its information security policy to interested parties (see Clause 5.2 g)); and
3 The organization’s policy regarding external communications (see