ISM is a division of Pondergrove Ltd.


ISO 27001:2013

The 2013 version of ISO 27001 was published at the end of September 2013, replacing the 2005 version. In the intervening eight years the use of IT, the threats to information security, and the available tools and methods had changed enormously, so the Standard needed to be brought up to date. The changes themselves are relatively minor, which is a tribute to the farsightedness and expertise of those who wrote the 2005 standard.

Like the 2005 version, ISO 27001:2013 comprises a set of mandatory requirements and an Annex defining a set of ‘controls’ (reduced from 133 to 114), some of which an organisation can designate as ‘not applicable’. ISO 27002:2013 is the ‘Code of Practice’, which provides detailed guidance on each control listed in the Annex.

The Standard and Code of Practice are available from BSI and ISO as well as other sources. The BSI website also includes additional guidance on the changes.

The main changes are as follows:

  • The mandatory clauses now follow a structure (defined in ISO ‘Annex SL’) which will become common to all international standards for management systems.
  • The Plan-Do-Check-Act model is no longer mandatory although a method for continual improvement is still fundamental (and required).
  • There is more flexibility in how the risk assessment is conducted, although the risk assessment itself is given more emphasis.
  • The requirements for objectives and measurement are more detailed.

Organisations that already hold a 2005 certificate have until 1 October 2015 to transition to the 2013 standard. Most Certification Bodies propose that the transition be accomplished as part of a periodic assessment visit (i.e. at no additional cost to the organisation). For organisations that have used ISM’s Guide to achieving ISO 27001 certification and/or followed Pondergrove’s principles of management systems, the transition is very straightforward: the Statement of Applicability simply needs to be reorganised to conform to the structure of the 2013 standard. A template is available from our website. If you need a username and password, just email us or complete the form below.

Complete your details below and claim your complimentary guide!


Call us now
+44 (0) 1635 817309

Contact ISM to find out more
