Update: Two years on, and this short blog post is still visited frequently. For an updated comparison of ISO 27001:2005 and ISO 27001:2013 – please view our ‘ISO 27001:2013 – Technical guidance for transitioning from ISO 27001:2005′ green paper.
Over the course of the last two weeks, there has been a thick cloud of questions gathering over ISO27001:2013 and how it differs from the previous version of the standard, ISO27001:2005.
For those who are already certified to ISO 27001:2005, finding out the key differences between the two standards is vital. By knowing what these key differences are, organisations will be able to prepare themselves for the transition to the new standard whilst minimising the chance of costly mistakes.
A couple of the major changes to the standard are:
- Annex A has been revised and restructured, there are now 114 controls under 14 categories rather than the previous 133 controls under 11 categories
- The plan-do-check-act cycle (PDCA) is no longer mandated
To equip yourself with a better understanding of these changes and the many other changes, I recommend that you download IT Governance’s free green paper – Comparing ISO 27001:2005 to ISO 27001:2013 which provides a side-by-side comparison of the 2005 and 2013 versions.
As well as this green paper, I also recommend that you take a look through IT Governance’s free ISO 27001:2013 resources.