Need to know differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013?

Posted on 2014-09-01
Last Modified: 2016-07-15

I am working on a research project; can you help me with the detailed differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013? I need to know what is there and what is not there in terms of controls.

Question by: besmile4ever

    Accepted Solution

    Hello! Hope this helps, if it does please mark it as the solution. Thank you and good luck :)

    ISO 27001:2013 is an information security standard that was published on the 25th September 2013.[1] It cancels and replaces ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.[2] It is a specification for an information security management system (ISMS). Organisations which meet the standard may be accredited by an independent accreditor.
    - Wikipedia

    According to Wikipedia:

    The new standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing,[6] and there is a new section on outsourcing, which reflects the fact that many organisations rely on third parties to provide some aspects of IT.[7] It does not emphasise the Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like Six Sigma's DMAIC method can be implemented.[8] More attention is paid to the organisational context of information security, and risk assessment has changed.[9] Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO 20000, and it has more in common with them.[10]

    New controls:

        A.6.1.5 Information security in project management
        A.12.6.2 Restrictions on software installation
        A.14.2.1 Secure development policy
        A.14.2.5 Secure system engineering principles
        A.14.2.6 Secure development environment
        A.14.2.8 System security testing
        A.15.1.1 Information security policy for supplier relationships
        A.15.1.3 Information and communication technology supply chain
        A.16.1.4 Assessment of and decision on information security events
        A.16.1.5 Response to information security incidents
        A.17.2.1 Availability of information processing facilities

    Transition Guide:

    More info:

    Assisted Solution

    A couple of the major changes to the standard are:
    - Annex A has been revised and restructured: there are now 114 controls under 14 categories rather than the previous 133 controls under 11 categories.
    - The plan-do-check-act cycle (PDCA) is no longer mandated.

    The quickest overview is to access the link and grab the PDF to see what is and is not there in a side-by-side comparison (with implications for transition). One example below:

    ISO 27001:2005 Structure - The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective.
    4. Information security management system
    5. Management responsibility
    6. Internal ISMS audits
    7. Management review of the ISMS
    8. ISMS improvement

    ISO 27001:2013 Structure - The specification is spread across 7 clauses, which do not have to be followed in the order they are listed.
    4. Context of the organisation
    5. Leadership
    6. Planning
    7. Support
    8. Operation
    9. Performance evaluation
    10. Improvement

    The most obvious feature of the new structure is the addition of ‘Context of the organisation’. The 2013 edition of the standard now ensures that the ISMS is aligned with the organisation’s business objectives and processes, as well as ensuring that the ISMS fulfils the business, regulatory and contractual obligations from the very beginning. Furthermore, the content of the standard provides greater focus on communication, spreading the responsibility for information security further across the enterprise and business partners.

    Another one I find very useful for sanity checks is this blog by a well-established author who has many rich articles on ISO 27000x; check out some of the popular links too (at the side).

    Assisted Solution

    Importantly, also note the 27002 changes, as they are closely aligned.

    New controls – here are a few controls that are new:

    14.2.1 Secure development policy – rules for development of software and information systems
    14.2.5 Secure system engineering principles – principles for system engineering
    14.2.6 Secure development environment – establishing and protecting development environment
    14.2.8 System security testing – tests of security functionality
    16.1.4 Assessment of and decision on information security events – this is part of incident management
    17.2.1 Availability of information processing facilities – achieving redundancy

    Controls that are gone – finally, here are some of the controls that do not exist anymore:

    6.2.2 Addressing security when dealing with customers
    10.4.2 Controls against mobile code
    10.7.3 Information handling procedures
    10.7.4 Security of system documentation
    10.8.5 Business information systems
    10.9.3 Publicly available information
    11.4.2 User authentication for external connections
    11.4.3 Equipment identification in networks
    11.4.4 Remote diagnostic and configuration port protection
    11.4.6 Network connection control
    11.4.7 Network routing control
    12.2.1 Input data validation
    12.2.2 Control of internal processing
    12.2.3 Message integrity
    12.2.4 Output data validation
    11.5.5 Session time out
    11.5.6 Limitation of connection time
    11.6.2 Sensitive system isolation
    12.5.4 Information leakage
    14.1.2 Business continuity and risk assessment
    14.1.3 Developing and implementing business continuity plans
    14.1.4 Business continuity planning framework
    15.1.5 Prevention of misuse of information processing facilities
    15.3.2 Protection of information systems audit tools

    Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.

    Author Comment

    Thanks to you all. Can I have a map of the controls that are there and that are not, to make sure that my information is 100% accurate?


    Assisted Solution


    Expert Comment

    The question asked for "detailed differences", which is covered in the posts below:
    ID: 40299417
    ID: 40300060
    ID: 40300072
    The follow-up query for mapping is also addressed in the shared "BSI-ISO27001-mapping-guide-UK-EN.pdf" below:
    ID: 40303279

    For consideration of the above as the solution.
