ISO/IEC 27001:2013 will be released on 1 October, but what are the major changes to the standard?

So I have just learnt that new ISO/IEC 27001:2013 standard will be released on 1st October. The question is, what are the major changes between the 2005 edition and 2013 edition of the standard?

The 2013 edition of ISO/IEC 27001 is substantially different to the 2005 edition of the standard. The 2013 edition of the standard has been developed using Annex SL, part of a document published by ISO which provides a common approach and structure for management system standards. Since ISO/IEC 27001:2013 adopts Annex SL it more easily lends itself to integration with other management system standards.

Whereas the 2005 edition of the standard specified the Plan-Do-Check-Act (PDCA) cycle as the method for developing and continually improving an ISMS, the 2013 edition does not mandate this approach. Instead the 2013 edition of the standard allows you to use either PDCA or other approaches.

The terms and definitions that appeared in the 2005 edition of the standard have now been removed, and instead ISO/IEC 27000:2012 is referenced as the source for terms and definitions; the terminology in the standard has also been updated.

There is an increased focus on setting objectives, assessing performance and metrics in ISO/IEC 27001:2013. Additionally, the risk assessment requirements in the standard are less prescriptive and are aligned with ISO 31000 – the international standard for risk management.

The requirements for management commitment have been overhauled and are largely contained in the Leadership clause. Furthermore, the requirements for a statement of applicability in the 2013 edition have been enhanced, and the risk treatment process makes it easier to adopt control frameworks other than Annex A.

Finally, Annex B has been deleted, and Annex A has also been revised and restructured. There are now 114 controls under 14 categories as opposed to the 133 under 11 headings in the 2005 edition of the standard.

As you can see, ISO/IEC 27001:2013 is a substantially different standard to the 2005 edition. You can now pre-order ISO/IEC 27001:2013 with ISO/IEC 27002:2013 on the IT Governance Webshop.


  1. Jan 26th September 2013
    • James Warren 26th September 2013
  2. Akram 7th October 2013
  3. Jan 8th October 2013