A new version of the standard, ISO 27001:2013, was published on the 25th of September 2013. The new version replaces the older version, ISO 27001:2005. There will be a transition period for organisations to align their ISMS with the new standard and become certified against ISO 27001:2013.
The new standard looks different from its predecessor; however, organisations already certified against ISO 27001:2005 should be able to migrate to the new standard without much difficulty. The reasons for the changes were to make all management system standards look the same, to align ISO 27001 with the risk management family of standards (ISO 31000) and to update the controls in Annex A.
In this blog post we will look at how the ISO 27001:2013 controls defined in Annex A map to the ISO 27001:2005 controls.
The following table shows how the controls defined in Annex A of the ISO 27001:2013 standard map to the controls defined in ISO 27001:2005.
| ISO 27001:2013 Control | ISO 27001:2005 Control | Comments |
|---|---|---|
| A.5 Information security policies | | |
| A.5.1 Management direction for information security | | |
| A.5.1.1 Policies for information security | A.5.1.1 Information security policy document | The control has not changed. |
| A.5.1.2 Review of the policies for information security | A.5.1.2 Review of the information security policy | The control has not changed. |
| A.6 Organization of information security | | |
| A.6.1 Internal organization | | |
| A.6.1.1 Information security roles and responsibilities | A.6.1.3 Allocation of information security responsibilities | The control has not changed. |
| A.6.1.2 Segregation of responsibilities and duties | A.10.1.3 Segregation of duties | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.6.1.3 Contact with authorities | A.6.1.6 Contact with authorities | The control has not changed. |
| A.6.1.4 Contact with special interest groups | A.6.1.7 Contact with special interest groups | The control has not changed. |
| A.6.1.5 Information security in project management | | This is a new control which requires information security to be integrated into project management to ensure that risks are identified and addressed. |
| A.6.2 Mobile devices and teleworking | | |
| A.6.2.1 Mobile device policy | A.11.7.1 Mobile computing and communications | The control has been moved from the access control section; however, it has not changed. |
| A.6.2.2 Teleworking | A.11.7.2 Teleworking | The control has been moved from the access control section; however, it has not changed. |
| A.7 Human resource security | | |
| A.7.1 Prior to employment | | |
| A.7.1.1 Screening | A.8.1.2 Screening | The control has not changed. |
| A.7.1.2 Terms and conditions of employment | A.8.1.3 Terms and conditions of employment | The control has not changed. |
| A.7.2 During employment | | |
| A.7.2.1 Management responsibilities | A.8.2.1 Management responsibilities | The control has not changed. |
| A.7.2.2 Information security awareness, education and training | A.8.2.2 Information security awareness, education and training | The control has not changed. |
| A.7.2.3 Disciplinary process | A.8.2.3 Disciplinary process | The control has not changed. |
| A.7.3 Termination and change of employment | | |
| A.7.3.1 Termination or change of employment responsibilities | A.8.3.1 Termination responsibilities | The control has not changed, but it is now more clearly explained and also covers contractors and third parties. The control requires contracts to clearly define the security responsibilities that remain valid after termination of employment. |
| A.8 Asset management | | |
| A.8.1 Responsibility for assets | | |
| A.8.1.1 Inventory of assets | A.7.1.1 Inventory of assets | The control has not changed. |
| A.8.1.2 Ownership of assets | A.7.1.2 Ownership of assets | The control has not changed. |
| A.8.1.3 Acceptable use of assets | A.7.1.3 Acceptable use of assets | The control has not changed. |
| A.8.1.4 Return of assets | A.8.3.2 Return of assets | The control has been moved from the human resources security section; however, it has not changed. |
| A.8.2 Information classification | | |
| A.8.2.1 Classification of information | A.7.2.1 Classification guidelines | Even though the title of the control has changed, the actual control has not. |
| A.8.2.2 Labelling of information | A.7.2.2 Information labelling and handling | The 2005 control has been split into A.8.2.2 and A.8.2.3. This control addresses information labelling. |
| A.8.2.3 Handling of assets | A.7.2.2 Information labelling and handling | This control addresses asset handling procedures. |
| A.8.3 Media handling | | |
| A.8.3.1 Management of removable media | A.10.7.1 Management of removable media | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.8.3.2 Disposal of media | A.10.7.2 Disposal of media | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.8.3.3 Physical media transfer | A.10.8.3 Physical media in transit | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.9 Access control | | |
| A.9.1 Business requirements of access control | | |
| A.9.1.1 Access control policy | A.11.1.1 Access control policy | The control has not changed. |
| A.9.1.2 Policy on the use of network services | A.11.4.1 Policy on use of network services | The control has not changed. |
| A.9.2 User access management | | |
| A.9.2.1 User registration and de-registration | A.11.2.1 User registration | The 2005 control has been split into A.9.2.1 and A.9.2.2. This control addresses registration and de-registration. |
| A.9.2.2 User access provisioning | A.11.2.1 User registration | This control addresses the assignment and removal of access rights. |
| A.9.2.3 Management of privileged access rights | A.11.2.2 Privilege management | The control has not changed. |
| A.9.2.4 Management of secret authentication information of users | A.11.2.3 User password management | The control has not changed. |
| A.9.2.5 Review of user access rights | A.11.2.4 Review of user access rights | The control has not changed. This is now the responsibility of asset owners. |
| A.9.2.6 Removal or adjustment of access rights | A.8.3.3 Removal of access rights | The control has been moved from the human resources security section; however, it has not changed. |
| A.9.3 User responsibilities | | |
| A.9.3.1 Use of secret authentication information | A.11.3.1 Password use | The control has not changed, but it now includes all types of authentication information and not just passwords. |
| A.9.4 System and application access control | | |
| A.9.4.1 Information access restriction | A.11.6.1 Information access restriction | The control has not changed. |
| A.9.4.2 Secure log-on procedures | A.11.5.1 Secure log-on procedures | The control has not changed, but it now covers both systems and applications. |
| A.9.4.3 Password management system | A.11.5.3 Password management system | The control has not changed. |
| A.9.4.4 Use of privileged utility programs | A.11.5.4 Use of system utilities | The control has not changed. |
| A.9.4.5 Access control to program source code | A.12.4.3 Access control to program source code | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.10 Cryptography | | |
| A.10.1 Cryptographic controls | | |
| A.10.1.1 Policy on the use of cryptographic controls | A.12.3.1 Policy on the use of cryptographic controls | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.10.1.2 Key management | A.12.3.2 Key management | The control has been moved from the information systems acquisition, development and maintenance section; in addition to the previous requirements, the control now requires the development of a key management policy. |
| A.11 Physical and environmental security | | |
| A.11.1 Secure areas | | |
| A.11.1.1 Physical security perimeter | A.9.1.1 Physical security perimeter | The control has not changed. |
| A.11.1.2 Physical entry controls | A.9.1.2 Physical entry controls | The control has not changed. |
| A.11.1.3 Securing offices, rooms and facilities | A.9.1.3 Securing offices, rooms and facilities | The control has not changed. |
| A.11.1.4 Protecting against external and environmental threats | A.9.1.4 Protecting against external and environmental threats | The control has not changed. |
| A.11.1.5 Working in secure areas | A.9.1.5 Working in secure areas | The control has not changed. |
| A.11.1.6 Delivery and loading areas | A.9.1.6 Public access, delivery and loading areas | The control has not changed. |
| A.11.2 Equipment | | |
| A.11.2.1 Equipment siting and protection | A.9.2.1 Equipment siting and protection | The control has not changed. |
| A.11.2.2 Supporting utilities | A.9.2.2 Supporting utilities | The control has not changed. |
| A.11.2.3 Cabling security | A.9.2.3 Cabling security | The control has not changed. |
| A.11.2.4 Equipment maintenance | A.9.2.4 Equipment maintenance | The control has not changed. |
| A.11.2.5 Removal of assets | A.9.2.7 Removal of property | The control has not changed. |
| A.11.2.6 Security of equipment and assets off-premises | A.9.2.5 Security of equipment off-premises | The control has not changed. |
| A.11.2.7 Secure disposal or reuse of equipment | A.9.2.6 Secure disposal or re-use of equipment | The control has not changed. |
| A.11.2.8 Unattended user equipment | A.11.3.2 Unattended user equipment | The control has been moved from the access control section; however, it has not changed. |
| A.11.2.9 Clear desk and clear screen policy | A.11.3.3 Clear desk and clear screen policy | The control has been moved from the access control section; however, it has not changed. |
| A.12 Operations security | | |
| A.12.1 Operational procedures and responsibilities | | |
| A.12.1.1 Documented operating procedures | A.10.1.1 Documented operating procedures | The control has not changed. |
| A.12.1.2 Change management | A.10.1.2 Change management | The control now covers all changes in the organisation which could affect security. |
| A.12.1.3 Capacity management | A.10.3.1 Capacity management | The control has not changed. |
| A.12.1.4 Separation of development, testing and operational environments | A.10.1.4 Separation of development, test and operational facilities | The control has not changed. |
| A.12.2 Protection from malware | | |
| A.12.2.1 Controls against malware | A.10.4.1 Controls against malicious code | The control has not changed. |
| A.12.3 Backup | | |
| A.12.3.1 Information backup | A.10.5.1 Information back-up | The control has not changed. |
| A.12.4 Logging and monitoring | | |
| A.12.4.1 Event logging | A.10.10.1 Audit logging; A.10.10.2 Monitoring system use; A.10.10.5 Fault logging | The three 2005 controls have been merged into one control. |
| A.12.4.2 Protection of log information | A.10.10.3 Protection of log information | The control has not changed. |
| A.12.4.3 Administrator and operator logs | A.10.10.4 Administrator and operator logs | The control has not changed. |
| A.12.4.4 Clock synchronisation | A.10.10.6 Clock synchronization | The control has not changed. |
| A.12.5 Control of operational software | | |
| A.12.5.1 Installation of software on operational systems | A.12.4.1 Control of operational software | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.12.6 Technical vulnerability management | | |
| A.12.6.1 Management of technical vulnerabilities | A.12.6.1 Control of technical vulnerabilities | The control has been moved from the information systems acquisition, development and maintenance section; however, it has not changed. |
| A.12.6.2 Restrictions on software installation | | This is a new control which requires restrictions that prevent users from installing unauthorised software. |
| A.12.7 Information systems audit considerations | | |
| A.12.7.1 Information systems audit controls | A.15.3.1 Information systems audit controls | The control has been moved from the compliance section; however, it has not changed. |
| A.13 Communications security | | |
| A.13.1 Network security management | | |
| A.13.1.1 Network controls | A.10.6.1 Network controls | The control has not changed. |
| A.13.1.2 Security of network services | A.10.6.2 Security of network services | The control has not changed. |
| A.13.1.3 Segregation in networks | A.11.4.5 Segregation in networks | The control has been moved from the access control section; however, it has not changed. |
| A.13.2 Information transfer | | |
| A.13.2.1 Information transfer policies and procedures | A.10.8.1 Information exchange policies and procedures | The control has not changed. |
| A.13.2.2 Agreements on information transfer | A.10.8.2 Exchange agreements | The control has not changed. |
| A.13.2.3 Electronic messaging | A.10.8.4 Electronic messaging | The control has not changed. |
| A.13.2.4 Confidentiality or nondisclosure agreements | A.6.1.5 Confidentiality agreements | The control has been moved from the organization of information security section; however, it has not changed. |
| A.14 System acquisition, development and maintenance | | |
| A.14.1 Security requirements of information systems | | |
| A.14.1.1 Information security requirements analysis and specification | A.12.1.1 Security requirements analysis and specification | The control has not changed. |
| A.14.1.2 Securing application services on public networks | A.10.9.1 Electronic commerce | The control has been moved from the communications and operations management section and expanded to include all applications on public networks. |
| A.14.1.3 Protecting application services transactions | A.10.9.2 On-line transactions | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.14.2 Security in development and support processes | | |
| A.14.2.1 Secure development policy | | This is a new control which requires a secure development policy that identifies the guidelines and best practices to be followed in development. |
| A.14.2.2 System change control procedures | A.12.5.1 Change control procedures | The control has not changed. |
| A.14.2.3 Technical review of applications after operating platform changes | A.12.5.2 Technical review of applications after operating system changes | The control has not changed. |
| A.14.2.4 Restrictions on changes to software packages | A.12.5.3 Restrictions on changes to software packages | The control has not changed. |
| A.14.2.5 Secure system engineering principles | | This is a new control which requires guidelines and best practices for engineering secure systems to be defined and implemented. |
| A.14.2.6 Secure development environment | | This is a new control which requires the establishment of a secure development environment. |
| A.14.2.7 Outsourced development | A.12.5.5 Outsourced software development | The control has not changed. |
| A.14.2.8 System security testing | | This is a new control which requires security testing to be carried out on systems during development. |
| A.14.2.9 System acceptance testing | A.10.3.2 System acceptance | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.14.3 Test data | | |
| A.14.3.1 Protection of test data | A.12.4.2 Protection of system test data | The control has not changed. |
| A.15 Supplier relationships | | |
| A.15.1 Information security in supplier relationships | | |
| A.15.1.1 Information security policy for supplier relationships | A.6.2.1 Identification of risks related to external parties | The control has not changed. |
| A.15.1.2 Addressing security within supplier agreements | A.6.2.3 Addressing security in third party agreements | The control has not changed. |
| A.15.1.3 Information and communication technology supply chain | | This is a new control that addresses the risks associated with suppliers outsourcing some or all of the IT services they provide. |
| A.15.2 Supplier service delivery management | | |
| A.15.2.1 Monitoring and review of supplier services | A.10.2.2 Monitoring and review of third party services | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.15.2.2 Managing changes to supplier services | A.10.2.3 Managing changes to third party services | The control has been moved from the communications and operations management section; however, it has not changed. |
| A.16 Information security incident management | | |
| A.16.1 Management of information security incidents and improvements | | |
| A.16.1.1 Responsibilities and procedures | A.13.2.1 Responsibilities and procedures | The control has not changed. |
| A.16.1.2 Reporting information security events | A.13.1.1 Reporting information security events | The control has not changed. |
| A.16.1.3 Reporting information security weaknesses | A.13.1.2 Reporting security weaknesses | The control has not changed. |
| A.16.1.4 Assessment of and decision on information security events | | This is a new control which addresses the identification and classification of security incidents. |
| A.16.1.5 Response to information security incidents | | This is a new control which requires organisations to establish and apply security incident response procedures. |
| A.16.1.6 Learning from information security incidents | A.13.2.2 Learning from information security incidents | The control has not changed. |
| A.16.1.7 Collection of evidence | A.13.2.3 Collection of evidence | The control has not changed. |
| A.17 Information security aspects of business continuity management | | |
| A.17.1 Information security continuity | | |
| A.17.1.1 Planning information security continuity | A.14.1.1 Including information security in the business continuity management process | The control has not changed. |
| A.17.1.2 Implementing information security continuity | A.14.1.3 Developing and implementing continuity plans including information security | The control has not changed. |
| A.17.1.3 Verify, review and evaluate information security continuity | A.14.1.5 Testing, maintaining and reassessing business continuity plans | The control has not changed. |
| A.17.2 Redundancies | | |
| A.17.2.1 Availability of information processing facilities | | This is a new control which addresses information systems availability requirements. |
| A.18 Compliance | | |
| A.18.1 Compliance with legal and contractual requirements | | |
| A.18.1.1 Identification of applicable legislation and contractual requirements | A.15.1.1 Identification of applicable legislation | The control has not changed. |
| A.18.1.2 Intellectual property rights | A.15.1.2 Intellectual property rights (IPR) | The control has not changed. |
| A.18.1.3 Protection of records | A.15.1.3 Protection of organizational records | The control has not changed. |
| A.18.1.4 Privacy and protection of personally identifiable information | A.15.1.4 Data protection and privacy of personal information | The control has not changed. |
| A.18.1.5 Regulation of cryptographic controls | A.15.1.6 Regulation of cryptographic controls | The control has not changed. |
| A.18.2 Information security reviews | | |
| A.18.2.1 Independent review of information security | A.6.1.8 Independent review of information security | The control has been moved from the organisation of information security section; however, it has not changed. |
| A.18.2.2 Compliance with security policies and standards | A.15.2.1 Compliance with security policies and standards | The control has not changed. |
| A.18.2.3 Technical compliance review | A.15.2.2 Technical compliance checking | The control has not changed. |