Solved

Need to know differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013?

Posted on 2014-09-01
Medium Priority
148 Views
Last Modified: 2016-07-15
Hi

I am working on a research project; can you help me with the detailed differences between ISO/IEC 27001:2005 and ISO/IEC 27001:2013? I need to know what is there and what is not there in terms of controls.

cheers
Question by: besmile4ever
6 Comments
 
LVL 6

Accepted Solution

by:
Sir Learnalot earned 500 total points
ID: 40299417
Hello! Hope this helps; if it does, please mark it as the solution. Thank you and good luck :)

ISO 27001:2013 is an information security standard that was published on the 25th September 2013.[1] It cancels and replaces ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.[2] It is a specification for an information security management system (ISMS). Organisations which meet the standard may be accredited by an independent accreditor.
- Wikipedia

According to Wikipedia:

The new standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing,[6] and there is a new section on outsourcing, which reflects the fact that many organisations rely on third parties to provide some aspects of IT.[7] It does not emphasise the Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like Six Sigma's DMAIC method can be implemented.[8] More attention is paid to the organisational context of information security, and risk assessment has changed.[9] Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO 20000, and it has more in common with them.[10]

New controls:

    A.6.1.5 Information security in project management
    A.12.6.2 Restrictions on software installation
    A.14.2.1 Secure development policy
    A.14.2.5 Secure system engineering principles
    A.14.2.6 Secure development environment
    A.14.2.8 System security testing
    A.15.1.1 Information security policy for supplier relationships
    A.15.1.3 Information and communication technology supply chain
    A.16.1.4 Assessment of and decision on information security events
    A.16.1.5 Response to information security incidents
    A.17.2.1 Availability of information processing facilities


Transition Guide:
http://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf

More info:
https://en.wikipedia.org/wiki/ISO/IEC_27001:2013
https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534
 
LVL 65

Assisted Solution

by:btan
btan earned 1500 total points
ID: 40300060
A couple of the major changes to the standard are:
- Annex A has been revised and restructured; there are now 114 controls under 14 categories rather than the previous 133 controls under 11 categories
- The plan-do-check-act cycle (PDCA) is no longer mandated

The quickest way to get an overview is to access the link and grab the PDF to see what is and is not there in a side-by-side comparison (with implications for transition). One example is below:
http://www.itgovernance.co.uk/information-security-iso27001-green-papers.aspx

ISO 27001:2005 Structure - The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective.
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

ISO 27001:2013 Structure - The specification is spread across 7 clauses, which do not have to be followed in the order they are listed.
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The most obvious feature of the new structure is the addition of ‘Context of the organisation’. The 2013 edition of the standard now ensures that the ISMS is aligned with the organisation’s business objectives and processes, as well as ensuring that the ISMS fulfils the business, regulatory and contractual obligations from the very beginning. Furthermore, the content of the standard provides greater focus on communication, spreading the responsibility for information security further across the enterprise and business partners.

Another one I find very useful for sanity checks is this blog by a well-established author who has many rich articles on ISO 2700x; check out some of the popular links too (at the side):
http://www.iso27001standard.com/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
 
LVL 65

Assisted Solution

by:btan
btan earned 1500 total points
ID: 40300072
Importantly, also note the 27002 changes, as they are closely aligned:
http://www.iso27001standard.com/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/

New controls – here are a few controls that are new:

14.2.1 Secure development policy – rules for development of software and information systems
14.2.5 Secure system engineering principles – principles for system engineering
14.2.6 Secure development environment – establishing and protecting development environment
14.2.8 System security testing – tests of security functionality
16.1.4 Assessment of and decision on information security events – this is part of incident management
17.2.1 Availability of information processing facilities – achieving redundancy

Controls that are gone – finally, here are some of the controls that do not exist anymore:

6.2.2 Addressing security when dealing with customers
10.4.2 Controls against mobile code
10.7.3 Information handling procedures
10.7.4 Security of system documentation
10.8.5 Business information systems
10.9.3 Publicly available information
11.4.2 User authentication for external connections
11.4.3 Equipment identification in networks
11.4.4 Remote diagnostic and configuration port protection
11.4.6 Network connection control
11.4.7 Network routing control
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
11.5.5 Session time out
11.5.6 Limitation of connection time
11.6.2 Sensitive system isolation
12.5.4 Information leakage
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing business continuity plans
14.1.4 Business continuity planning framework
15.1.5 Prevention of misuse of information processing facilities
15.3.2 Protection of information systems audit tools

Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.

Author Comment

by:besmile4ever
ID: 40303198
Thanks to you all. Can I have a map of the controls that are there and that are not, to make sure that my information is 100% accurate?


cheers.
 
LVL 65

Assisted Solution

by:btan
btan earned 1500 total points
ID: 40303279
 
LVL 65

Expert Comment

by:btan
ID: 41712749
The question's request for "detailed differences" is covered in the posts below:
ID: 40299417
ID: 40300060
ID: 40300072
The follow-up query for mapping is also addressed in the shared "BSI-ISO27001-mapping-guide-UK-EN.pdf" below:
ID: 40303279

For consideration of the above as the solution.
