PREPARING TO

TRANSITION TO
ISO27001:2013
January 2015

IT Governance Green Paper

PREPARING FOR
ISO27001:2013
Introduction

3. Terms and definitions

4. Information security management
system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
Annex A Control objectives and
controls

ISO/IEC 27001 the international standard

for information security management
systems was recently updated to match
current best practice and to recognise the
changing threats to information security.
For some organisations, adapting their
ISMS to the new requirements will be a
trivial matter, while others will need to
engage in a more thorough examination.

This has been replaced with the following

structure in ISO 27001:2013:

This green paper highlights the significant

changes to ISO/IEC 27001, and offers a few
points of advice to aid in preparing. It
should be noted that the release of the new
standard does not negate or weaken any
existing certification, and all organisations
will have time to update their ISMS in line
with the standard for recertification.

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A Reference control objectives
and controls

Structure
The structure of the standard has changed,
which is a direct result of some core
changes in the recommended process for
developing the ISMS.
While ISO 27001:2005 specified that the
process used in the implementation of the
ISMS was PDCA (Plan Do Check Act),
the 2013 update removes this point. This is
not to say that the PDCA process is no
longer valid; rather, it opens the process up
to alternative methodologies and processes
that may be more suited to the
organisation.

This structure no longer based on

development through PDCA. The flow is
entirely compatible with the PDCA process,
however, so existing ISMS workflows need
not change unless alternative
methodologies are more appropriate.

ISO 27001:2005 used the following

structure:

The terms and definitions are no longer

supplied in ISO 27001:2013. Instead,
clause 3 refers the reader to ISO/IEC
27000, which has become a cent ralised
reference for all 27000-series standards.

Terms and definitions

0. Introduction
1. Scope
2. Normative references

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2

IT Governance Green Paper

line with the rest of the business, rather

than standing apart.

Clause deletions and new clauses

Governance and management

The majority of clauses from 27001:2005

still exist or have been slightly modified.
Several, however, have been removed
entirely, and some new clauses have
appeared.

The previous standard was clearly focused

on a strong sense of oversight from the
board and a high level of interaction
between the board and management. The
new edition, however, strips this back to
clarify where governance (board
actions/interests) lie as distinct from
leadership (management actions/interest).

While compliance with the redundant

clauses is no longer necessary to
achieve/maintain certification of an ISMS,
there may be little harm in allowing them to
remain in your organisations
implementation.

There are also several more requirements

for communication, which spreads the
responsibility for information security
across more of the organisation. This can
only be a good thing a workforce that is
invested in information security will be
more effective in the day-to-day operation
of the ISMS.

New clauses, however, must be complied

with where relevant to your organisation.
The new clauses cover a number of new
features or increased focus within the
ISMS.

Risk assessment and treatment

Key changes

This aspect of the ISMS receives some of

the most significant changes, and is easier
to explain as a brief process:

Context of the organisation

The ISMS is approached from the start
by understanding the organisation and its
context (business model, industry, etc.).
This clause forms the foundation of the
whole ISMS and reflects the new focus
upon making it work for the organisation,
rather than imposing a potentially rigid
structure.

This approach feeds into other new aspects,

such as the changes to the risk assessment
process. By recognising the organisations
various responsibilities and ensuring that
they are incorporated into the ISMS from
the start, the whole system become more
robust and more reflective of the
organisation.

Continual improvement

ISO 27001:2013 does not mandate the use

of the Plan-Do-Check-Act (PDCA) process.
The organisation is free to implement and
manage the ISMS using whichever
continual improvement process they prefer.
Many organisations may have existing
processes (based on COBIT or ITIL for
example), and can now manage the ISMS
using the same system. The clear
advantage here is bringing t he ISMS into

IT Governance Ltd 2015

Risk is now defined as effect of

uncertainty on objectives, which
may be positive or negative.
Select controls (from anywhere) to
manage the risks associated with
your organisations business,
contractual and regulatory
obligations. These can be
considered baseline controls.
Conduct a risk assessment by
identifying risks to your
organisations information. This
does not have to be an asset-based
assessment.
Each risk is assigned to a Risk
Owner.
Select controls (from anywhere) to
manage the risks.
Compare the baseline controls and
those you have selected to those in
Annex A.

It is significant to note that the controls are

selected before consulting Annex A. This
minor change allows the organisation to
choose the controls that are the best fit for

Preparing for ISO 27001:2013

27001-update-v2.2

IT Governance Green Paper

the organisation first, rather than getting

bogged down trying to shoehorn the Annex
A controls where they may not be ideal.

A11. Access control

A12. Information systems acquisition,
development and maintenance

The standard recommends looking into

ISO/IEC 31000 for guidance in
implementing your risk management
process.

A13. Information security incident

management
A14. Business continuity management
A15. Compliance

Documentation

The controls have been restructured thusly

in ISO 27001:2013:

There is no longer a distinction between

documents and records. The upshot of this
is that the ISMS can simply use one method
of document control and information
handling procedure. This aligns well with
other systems, especially quality
management systems based on ISO/IEC
9001.

A5. Information security policies

A6. Organisation of information security
A7. Human resource security
A8. Asset management

Measuring effectiveness

A9. Access control

While the 2005 edition of the standard

required the organisation to identify their
own methods and practices for measuring
the effectiveness of the ISMS, the new
edition provides explicit guidance. This is
clearly useful for organisations looking for
certification, as it removes part of the
uncertainty that comes with the external
scrutiny of the ISMS the standard quite
literally tells you what is required, in
suitable detail.

A10. Cryptography
A11. Physical and environmental security
A12. Operations security
A13. Communications security
A14. System acquisition, development
and maintenance
A15. Supplier relationships
A16. Information security incident
management
A17. Information security aspects of
business continuity management

Annex A controls
Like the clauses in the main body of the
standard, the controls in Annex A have
been restructured, and some controls have
either disappeared or been subsumed into
other controls, and new controls have
emerged. The general trend has been to
make it clearer how each control
contributes to the ISMS.

A18. Compliance
As can be seen, the controls have been
distributed across a slightly broader range
of categories. The controls have a more
clearly delineated role within the ISMS, but
a blend of controls is still necessary to
provide the defence in depth. In addition to
this, there are now 114 controls, down from
133 in ISO 27001:2005.

The previous structure of Annex A was:

A5. Security policy
A6. Organisation of information security

Solutions

A7. Asset management

IT Governance Ltd has prepared a number

of tools and documents to help prepare
your organisation for the transition to
ISO/IEC 27001:2013. For organisations
with experience of an ISO 27001 ISMS, the
most useful of these will be the ISO
27001:2013 Conversion Tool, which

A8. Human resources security

A9. Physical and environmental security
A10. Communications and operations
management

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2

IT Governance Green Paper

contains all the information you need to

begin updating your ISMS.

Of course, a complete ISMS is still a

daunting prospect. To ease the way to
compliance and certification, IT Governance
has a range of toolkits, including the option
to continue with an ISMS based on ISO
27001:2005.

We have also published a number of books

and green papers on the topic, which have
been updated to take the latest edition into
account. These books include introductions
to the topic, such as the Introduction to
Information Security and ISO 27001 and
ISO 27001/ISO27002 Pocket Guide.

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2

Useful Resources
IT Governance offers a unique range of products and services, including books, standards,
pocket guides, training courses, staff awareness solutions and professional consultancy
services.

ISO27001 Packaged Solutions

ISO 27001:2013 implementation packages
IT Governances packaged ISO27001 implementation solutions will enable you to
implement an ISO 27001:2013-compliant ISMS at a speed and for a budget
appropriate to your individual needs and preferred project approach. Each fixedprice solution is a combination of products and services that can be accessed
online and deployed by any company in the world.
www.itgovernance.co.uk/iso27001-solutions.aspx

Standards
ISO/IEC 27001:2013 and ISO/IEC 27002:2013
Includes both the new (autumn 2013) editions of ISO/IEC 27001 and ISO/IEC
27002. Is made up of both new International Standards that have been
updated to reflect international best practice for information security.
www.itgovernance.co.uk/shop/p-1445-iso-iec-27001-2013-and-iso-iec-27002-2013.aspx

Books

Introduction to Information Security and ISO 27001

Most organisations implementing an information security management regime
opt for systems based on the international standard, ISO/IEC 27001. This
approach ensures that the systems they put in place are effective, reliable and
auditable.
www.itgovernance.co.uk/shop/p-357-an-introduction-to-information-security-and-iso27001-2013-a-pocket-guide-second-edition.aspx

ISO 27001/ISO27002 Pocket Guide

Information is one of your organisations most important resources. Keeping it
secure is therefore vital to your business.
www.itgovernance.co.uk/shop/p-720-iso27001iso27002-a-pocket-guidesecond-edition.aspx

Nine Steps to Success - An ISO 27001(2013) Implementation Overview

The original no-nonsense guide to successful ISO27001 certification. Ideal for

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2

anyone tackling ISO27001 for the first time, Nine Steps to Success outlines the nine
essential steps to an effective ISMS implementation.

www.itgovernance.co.uk/shop/p-963-nine-steps-to-success-an-iso-270012013implementation-overview-second-edition.aspx

Consultancy

ISO27001 Transition Consultancy

Meet the requirements of ISO/IEC 27001:2013 by transitioning with the
expert guidance and support of our ISO27001 implementation specialists,
for a one-off fixed price.
www.itgovernance.co.uk/shop/p-1675-iso27001-2013-transitionconsultancy.aspx

IT Governance Solutions
IT Governance source, create and deliver products and services to meet the evolving IT
governance needs of today's organisations, directors, managers and practitioners.
IT Governance is your one-stop-shop for corporate and IT governance information, books,
tools, training and consultancy. Our products and services are unique in that all elements are
designed to work harmoniously together so you can benefit from them individually and also
use different elements to build something bigger and better.
Books
Through our website, http://www.itgovernance.co.uk/, we sell the most sought after
publications covering all areas of c orporate and IT governance. We also offer all appropriate
standards documents.
In addition, our publishing team develops a growing collection of titles written to provide
practical advice for staff taking part in IT Governance projects, suitable for all le vels of staff
knowledge, responsibility and experience.
Toolkits
Our unique documentation toolkits are designed to help small and medium organisations adapt
quickly and adopt best management practice using pre-written policies, forms and documents.
Visit http://www.itgovernance.co.uk/ to view and trial all of our available toolkits.
Training
We offer training courses from staff awareness and foundation courses, through to advanced
programmes for IT Practitioners and Certified Lead Implementers and Auditors.
Our training team organises and runs in-house and public training courses all year round,
covering a growing number of IT governanc e topics.
Visit http://www.itgovernance.co.uk for more information.
Through our website, you can also browse and book training course s throughout the UK that
are run by a number of different suppliers.
Consultancy

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2

Our company is an acknowledged world leader in our field. We can use our experienced
consultants, with multi-sector and multi-standard knowledge and experience to help you
accelerate your IT GRC (governance, risk, compliance) projects.
Visit http://www.itgovernance.co.uk/consulting.aspx for more information.
Software
Our industry-leading software tools, developed with your needs and requirements in mind,
make information security risk management straightforward and affordable for all, enabling
organisations worldwide to be ISO27001-compliant.
Visit http://www.itgovernance.co.uk/software.aspx for more information.

Contact us:

+ 44 (0) 845 070 1750

www.itgovernance.co.uk

servicecentre@itgovernance.co.uk

IT Governance Ltd 2015

Preparing for ISO 27001:2013

27001-update-v2.2