need to know differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013?


I am working on a research project. Can you help me with the detailed differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013? I need to know what is there and what is not there in terms of controls.

Sir Learnalot commented:
Hello! Hope this helps, if it does please mark it as the solution. Thank you and good luck :)

ISO 27001:2013 is an information security standard that was published on the 25th September 2013.[1] It cancels and replaces ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.[2] It is a specification for an information security management system (ISMS). Organisations which meet the standard may be accredited by an independent accreditor.
- Wikipedia

According to Wikipedia:

The new standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing,[6] and there is a new section on outsourcing, which reflects the fact that many organisations rely on third parties to provide some aspects of IT.[7] It does not emphasise the Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like Six Sigma's DMAIC method can be implemented.[8] More attention is paid to the organisational context of information security, and risk assessment has changed.[9] Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO 20000, and it has more in common with them.[10]

New controls:

    A.6.1.5 Information security in project management
    A.12.6.2 Restrictions on software installation
    A.14.2.1 Secure development policy
    A.14.2.5 Secure system engineering principles
    A.14.2.6 Secure development environment
    A.14.2.8 System security testing
    A.15.1.1 Information security policy for supplier relationships
    A.15.1.3 Information and communication technology supply chain
    A.16.1.4 Assessment of and decision on information security events
    A.16.1.5 Response to information security incidents
    A.17.2.1 Availability of information processing facilities

Transition Guide:

More info:

btan (Exec Consultant) commented:
A couple of the major changes to the standard are:
-Annex A has been revised and restructured, there are now 114 controls under 14 categories rather than the previous 133 controls under 11 categories
-The plan-do-check-act cycle (PDCA) is no longer mandated

The quickest overview is to access the link and grab the PDF to see what is and is not there in a side-by-side comparison (with implications for transition). One example is below:

ISO 27001:2005 Structure - The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective.
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

ISO 27001:2013 Structure - The specification is spread across 7 clauses, which do not have to be followed in the order they are listed.
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The most obvious feature of the new structure is the addition of ‘Context of the organisation’. The 2013 edition of the standard now ensures that the ISMS is aligned with the organisation’s business objectives and processes, as well as ensuring that the ISMS fulfils the business, regulatory and contractual obligations from the very beginning. Furthermore, the content of the standard provides greater focus on communication, spreading the responsibility for information security further across the enterprise and business partners.

Another resource I find very useful for sanity checks is this blog by a well-established author who has many rich articles on ISO 27000x - check out some of the popular links too (at the side).

btan (Exec Consultant) commented:
Importantly, also note the 27002 changes, as they are closely aligned.

New controls – here are a few controls that are new:

14.2.1 Secure development policy – rules for development of software and information systems
14.2.5 Secure system engineering principles – principles for system engineering
14.2.6 Secure development environment – establishing and protecting development environment
14.2.8 System security testing – tests of security functionality
16.1.4 Assessment of and decision on information security events – this is part of incident management
17.2.1 Availability of information processing facilities – achieving redundancy

Controls that are gone – finally, here are some of the controls that do not exist anymore:

6.2.2 Addressing security when dealing with customers
10.4.2 Controls against mobile code
10.7.3 Information handling procedures
10.7.4 Security of system documentation
10.8.5 Business information systems
10.9.3 Publicly available information
11.4.2 User authentication for external connections
11.4.3 Equipment identification in networks
11.4.4 Remote diagnostic and configuration port protection
11.4.6 Network connection control
11.4.7 Network routing control
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
11.5.5 Session time out
11.5.6 Limitation of connection time
11.6.2 Sensitive system isolation
12.5.4 Information leakage
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing business continuity plans
14.1.4 Business continuity planning framework
15.1.5 Prevention of misuse of information processing facilities
15.3.2 Protection of information systems audit tools

Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.
besmile4ever (Author) commented:
Thanks to you all. Can I have a map of the controls that are there and those that are not, to make sure that my information is 100% accurate?

btan (Exec Consultant) commented:
The question asked for "detailed differences", which is covered in the posts below.
ID: 40299417
ID: 40300060
ID: 40300072
The follow-up query for mapping is also addressed in the shared "BSI-ISO27001-mapping-guide-UK-EN.pdf" below:
ID: 40303279

For consideration of the above as the solution.