Update to ISO 27001 Planned for 2013

There is an update to ISO 27001 planned for 2013 whereby the management system standards will be harmonised, the dropping of Plan Do Check Act model etc.


I went to the UK User Group Consultation at BSI on 25th January. This provided the attendees to get an overview of the changes and comment on them. The update for ISO 27001 is currently on the 4th working draft, however Annex A was not available in this draft as ISO 27002 is also being updated. There may be an opportunity for a User Group Consultation on ISO 27002 or ISO 27001 Annex A in the Autumn (2011), but this is far from definite. This would be good as this is certainly the interesting part from my perspective. The estimate for publications for updates to ISO 27001 and ISO 27002 is 2013.


The changes in this draft are as follows, although this can change, as it’s still in draft:

Harmonization of the nine or so management system (MS) standards, with common text betweent them. It was surprising how much of the draft was labelled as common text, so obviously a lot of time has been spent on this area for the benefit of organisations with multiple standards, for example ISO 20000, ISO 9001 and ISO 27001.

Part of this harmonization is restructuring the headings, which will now be: Introduction, Normative References, Terms and Definitions, Context of the Organisation, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement.


Much of the original text and requirements are still there, over 80%, even though much has been moved around to fit with the new headings. For example, the risk assessment is pretty much identical.

The risk treatment section has been expanded and aligned to ISO 31000.


The term Statement of Applicability is dropped, but it’s requirements in terms of cross-reference and justifications are still largely there.


The Plan Do Check Act model is dropped, however continual improvement is still there. (There goes the only diagram in the standard, now only text!)


There’s a new Outsourcing section which states some common sense in that you are still responsible for the ISMS whoever does different parts.


There are other changes too to the detail, however given most of the standard is the same (pending changes to Annex A), at this stage I don’t perceive that there will be a great deal of change for people migrating from 27001:2005 to the updated standard (possibly 27001:2013); certainly not as much as was from BS 7799 to ISO 27001.


Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]
Contact Us

Contact Us Reach out to one of our cyber experts and we will arrange a call