
A first look at the new ISO 27001

By Dejan Kosutic on January 28, 2013

Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013.

When I heard the news that the DIS (draft) version of ISO 27001:2013 was available, I was very impatient to read it. When compared to the old ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 is compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, and there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

The concept of asset owner is gone – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.
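As an added illustration (not from the original post or from the standard), here is a minimal 2013-style risk register: risks are identified directly against confidentiality, integrity and availability instead of being derived from asset/threat/vulnerability triples, each risk has a risk owner, and the level is still consequence times likelihood. The scales, the acceptance threshold and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed ordinal scales and acceptance threshold for this illustration.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
CONSEQUENCE = {"minor": 1, "moderate": 2, "major": 3}
ACCEPTANCE_THRESHOLD = 4  # level <= 4 is accepted; above it needs treatment


@dataclass(frozen=True)
class Risk:
    description: str
    cia: str          # which property is at stake: "C", "I" or "A"
    owner: str        # risk owner: accountable for the treatment decision
    likelihood: str
    consequence: str

    def level(self) -> int:
        """Risk level = likelihood x consequence (unchanged from 2005)."""
        if self.cia not in ("C", "I", "A"):
            raise ValueError(f"unknown property {self.cia!r}")
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def needs_treatment(self) -> bool:
        return self.level() > ACCEPTANCE_THRESHOLD


# Constructed sample entries, phrased as CIA risks rather than per asset.
REGISTER = [
    Risk("Customer records disclosed from shared file server", "C", "CIO", "possible", "major"),
    Risk("Unapproved change corrupts payroll data", "I", "CFO", "rare", "major"),
    Risk("Web shop unavailable during peak season", "A", "COO", "likely", "moderate"),
    Risk("Visitor reads whiteboard in meeting room", "C", "Facilities", "likely", "minor"),
]


def treatment_plan(register):
    """Risks above the acceptance threshold, grouped by the risk owner who must act."""
    plan = {}
    for r in register:
        if r.needs_treatment():
            plan.setdefault(r.owner, []).append((r.description, r.level()))
    return plan


if __name__ == "__main__":
    for owner, items in treatment_plan(REGISTER).items():
        print(owner, items)
```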

Objectives, monitoring and measurement

A big change here: these are not mentioned within some other requirements, but now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is there are no preventive actions anymore, at least not at first sight – they are basically merged in risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is another new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding of the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, companies that are not so positive and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.

To learn how to transition to the new revision, see the free white paper Twelve-step transition process from ISO 27001 2005 revision to 2013 revision.

  • Andy Rose

    You say “ don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions” and “Risk Assessment Methodology does not need to be documented”.

    Is this not a terrifying deviation from the existing standard, and one that will enable firms to continue with haphazard, ad-hoc processes that produce inconsistent output? The fact that the output is dealt with within a defined process is largely irrelevant – ‘garbage in garbage out’ and all that?

    What have I missed that makes you not so concerned about this?

  • Dejan Kosutic

    It is not such a huge difference compared to the old standard because for risk assessment companies will still have to define the risk assessment process in advance, and they will need to document the outcome of this process. So basically if the process was not well defined, the outcome will be bad as well. And the same thing is for internal audits and corrective actions.

    However, I agree with you there is risk that some companies will take this opportunity in a negative way – as I noted in my post, some will try to satisfy the minimum, instead of trying to maximize the level of security.

  • Zyd

    When is the release of this new version?

  • Dejan Kosutic

    Zyd, it is expected that the new revision of ISO 27001/ISO 27002 will be published in the second half of 2013.

  • Aniket

    Thanks, Dejan Kosutic, for sharing the changes with us.

  • Shreyas

    Thank you so much Dejan for the insight. Please keep us posted about the new version release. In my opinion the biggest change and most welcomed one was the change in CAPA. I am sure that will help a lot of organisations implementing ISO 27001.

  • Dejan Kosutic

    Thank you, Shreyas – yes, let’s hope this will help smoother implementation.

  • ISO 27001 Certification

    A genuine competitive advantage – ISO 27001 Certification can instantly improve your reputation, opening up new markets, and with QMS’s support you can obtain maximum marketing from your achievement.

  • Atif

    Should we go for 27001:2005 Lead Implementer certification in June 2013, when the new one is just around the corner?

  • Dejan Kosutic

    If you’re not in a big hurry, I guess it would be better to wait.

  • Lee

    I’d add that there must be evidence of this ‘defined’ process, meaning that it is not simply a case of doing a risk assessment ad hoc and producing a risk assessment report to be able to tick a box. The organization will still have to provide evidence that the process has been defined by competent persons, and approved, and is being systematically implemented to comply with the standard’s requirements – this will anyway lead to a paper trail in most cases covering things like assessment planning, analysis of the risks, management’s attitude to risk and risk acceptance, the criteria for evaluating risk, consultation with risk owners, etc., etc., all aligned to business objectives and the ISMS policy.

    I agree that some might see this as being prone to loop holes, but ultimately if an organization is not committed to security and/or utilizes unqualified people for the task it is doomed anyway, regardless of there being a documented methodology at hand.

    As far as certification goes and having confidence in the management system of the certified company, that’s when we have to look to the reputation of the certification body to ensure that audits are indeed being carried out by competent auditors. I have to admit, those certification bodies are few and far between, evidenced by the number of certified companies with IT scopes and little in the way of effective information security management as a result. However, I guess this is only an issue when we care about security management in an organization other than our own.

    I guess the point is, documenting something is not necessarily the right answer for every organization. This just makes the standard a little more flexible, probably mostly for the benefit of smaller setups. At the end of the day, if I think something needs to be documented in order for it to be effectively implemented and managed, I’ll document it.

    As with any aspect of the requirement, what you actually do should be based on good judgement and business needs and not simply implemented because ‘the standard says so’.

  • Dejan Kosutic

    Excellent comment! Thanks, Lee.

  • Mohit Gupta

    May I request for the draft version to be shared with us as well, and if it is convenient, kindly mail me at

    Many thanks in advance.

    Thanks & Regards

    Mohit Gupta

    Lead Auditor ISO 9001 (QMS)

    Lead Auditor ISO 27001 (ISMS)

    Auditor ISO 20000 (ITSM)

    Auditor ISO 14001 (EMS)

    Auditor OHSAS 18001

    SEI-CMMI Practitioner

    COPC Practitioner

    ITIL V3 Certified

    Author of book on ISO 9001:2008 [ISBN 978-3-8473-0517-0]

  • Gary Williams

    What are your thoughts on ISO 27001:2013 regarding 7.2 Competence?
    Does this mean that auditors will be looking at the skills of the individuals as part of audit?

  • Dejan Kosutic

    Gary, the requirements in ISO 27001:2013 regarding competences are the same as in the 2005 revision, therefore the audit methods will be the same – the auditor needs to verify whether the employees have the skills and knowledge to perform information security activities. And yes – for this purpose the auditor will be looking at the skills of particular individuals in an organization.

  • Gary Williams

    Yep, 5.2.2 of the old standard kinda reflects the new 7.2. But it is good that it stands out a little more. I think that (b) “ensure that these persons are competent on the basis of appropriate education, training, or experience” comes across a lot stronger.

  • Dejan Kosutic

    Yes, you’re right!

  • Harshit Chandel

    What kind of major changes do you expect in the risk assessment because of the change in approach, which is now CIA based rather than asset based?

  • Dejan Kosutic

    Harshit, I don’t expect any bigger changes, at least not in the next couple of years – I think assets-vulnerabilities-threats will remain the main methodology, although some smaller companies will probably be the first to start replacing that methodology with something simpler.

  • Harshit Chandel

    How different will this assessment be from the current method? Can you help with a few examples?

  • Dejan Kosutic

    Hardly a topic for a blog comment :) – I’ll probably write an article about it.

  • Harshit Chandel

    Will be waiting for that article :)