
Main changes in the new ISO 27002

By Dejan Kosutic on February 11, 2013

Update 2013-09-25: This blog post was updated according to the final version of ISO 27002:2013, which was published on September 25, 2013.

In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 revision; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned.

So, let’s take a look at the changes in ISO 27002. Here I’ll focus mainly on how the controls are structured, and not so much on their description – so here are the main differences:

Number of sections – as expected, the number of sections has increased – from 11 sections containing controls in the old standard to 14 in the new. This way, the problem in the old standard, where some controls were artificially inserted in certain areas where they did not belong, is now resolved.

Number of controls – surprisingly, the number of controls has decreased – from 133 to only 114! This is due to eliminating some controls that were too specific or outdated.

Structure of sections – Cryptography has become a separate section (section 10) – it is (logically) no longer part of Information systems acquisition, development and maintenance. A similar thing has happened with Supplier relationships – as deserved, they have become a separate section (section 15). Communications and operations management is now divided into Operations security (section 12) and Communications security (section 13). Here is how the sections look now:

  • 5 Information security policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity management
  • 18 Compliance

Placement of security categories – the categories have been shuffled a bit:

  • Mobile devices and teleworking, previously in Access control, is now 6.2 – part of section 6 Organization of information security.
  • Media handling was previously part of Communications and operations management, but now it is 8.3, part of 8 Asset management.
  • Operating system access control, and Application and information access control, have now merged into System and application access control (9.4), and have remained in section 9 Access control.
  • Control of operational software, previously a single control in Information System acquisition, development and maintenance, is now a separate category 12.5, part of the Operations security section.
  • Information systems audit considerations have moved from Compliance to 12.7, part of the Operations security section.
  • The security category called Network access control is gone, and some of its controls have moved to section 13 Communications security.
  • Information transfer (previously called Exchange of information) is now 13.2, part of section 13 Communications security.
  • The controversial category Correct processing in applications (part of the old Information System acquisition, development and maintenance) is now gone.
  • Electronic commerce services does not exist as a separate category anymore, and controls are merged into 14.1 Security requirements of information systems.
  • Two categories from the section Information Security Incident Management are now merged into one.
  • The Business continuity section has received a new category – 17.2 Redundancies. Basically, this is about disaster recovery.

New controls – here are a few controls that are new:

  • 14.2.1 Secure development policy – rules for development of software and information systems
  • 14.2.5 Secure system engineering principles – principles for system engineering
  • 14.2.6 Secure development environment – establishing and protecting development environment
  • 14.2.8 System security testing – tests of security functionality
  • 16.1.4 Assessment of and decision on information security events – this is part of incident management
  • 17.2.1 Availability of information processing facilities – achieving redundancy

Controls that are gone – finally, here are some of the controls that do not exist anymore:

  • 6.2.2 Addressing security when dealing with customers
  • 10.4.2 Controls against mobile code
  • 10.7.3 Information handling procedures
  • 10.7.4 Security of system documentation
  • 10.8.5 Business information systems
  • 10.9.3 Publicly available information
  • 11.4.2 User authentication for external connections
  • 11.4.3 Equipment identification in networks
  • 11.4.4 Remote diagnostic and configuration port protection
  • 11.4.6 Network connection control
  • 11.4.7 Network routing control
  • 12.2.1 Input data validation
  • 12.2.2 Control of internal processing
  • 12.2.3 Message integrity
  • 12.2.4 Output data validation
  • 11.5.5 Session time out
  • 11.5.6 Limitation of connection time
  • 11.6.2 Sensitive system isolation
  • 12.5.4 Information leakage
  • 14.1.2 Business continuity and risk assessment
  • 14.1.3 Developing and implementing business continuity plans
  • 14.1.4 Business continuity planning framework
  • 15.1.5 Prevention of misuse of information processing facilities
  • 15.3.2 Protection of information systems audit tools

Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.

At first sight, there are many changes… However, I don’t think most of these changes are really fundamental – many of them have actually corrected the incorrect structure of the old ISO 27002, and added the controls that were missing in the first place. Some things did change – like network security and development process – these areas are now more loosely described and thus more freedom is given to companies on how to implement them.

To conclude, I like these changes – it seems to me implementing this new standard is going to be easier.

  • ahmad

    good article

  • Slavcho Nenkov

    Hi, Dejan, For me A.6.1.4 is a new control too …

  • Dejan Kosutic

    Yes, I agree with you – A.6.1.4 is Information security in project management. Thanks, Slavcho!

  • Vlad Styran

    Dejan, thank you for the thorough analysis of upcoming changes.

  • oliver

    Dejan thank you for this article, but do you have some information when we can expect this ISO 27001:2013 to be official?

  • Dejan Kosutic

    New revisions of ISO 27001 and ISO 27002 should be published together – it should be in second half of 2013, but this isn’t sure yet.

  • Len Shingler

    Dejan, Thank you for the article, very concise. I am in the process of getting my firm to accreditation standard. The new versions may make it easier if I have followed the old 2005/ 2007 versions.
    Many Thanks

  • Peter

    Thanks for the post. Some changes are properly remove the outdated controls (90% companies will make those not applicable), but I have concerns on some specific network controls, application security. I think it won’t be clear how those are regrouped in the new version until we see the final release.

  • Dejan Kosutic

    Yes, let’s wait for the final release – when it is published, I’ll certainly comment on it.

  • Manoj Chandrasenan

    If I have to take the course and get certified should I do with the current version (2005) or should I wait for another 6 months and rather take the new version (2013)..?

  • Dejan Kosutic

    Manoj, ISO has announced it will publish a new revision of ISO 27001/27002 on October 19, 2013 – so I guess it would be better to wait for this revision and then take a course.

  • Manoj Chandrasenan

    Thanks Dejan.

  • Fadzril

    Thanks. What’s your take, whether companies planning to embark on ISMS should wait for the release of the new standard?

  • Dejan Kosutic

    Fadzril, you can start implementing ISO 27001 using the new version of the standard which is already published on ISO website under the name of FDIS ISO/IEC 27001. This is a final draft version, and the final version that will be published on October 19 will differ very little.

  • Ravichandran Ramasamy

    Nicely said. Do you expect many changes in the final version? As we are in the process of implementing ISO 27001, kindly advise: is it the right time, or should we postpone till publication of the new version?

  • Dejan Kosutic

    Ravichandran, I don’t expect many differences between this draft and the final version of the standard. If you are close to finishing the implementation, you could perhaps go for certification against the existing (old) revision. If you have just started your implementation, then it is better to implement the ISMS using the new revision of the standard.

  • Ravichandran Ramasamy

    Thanks a lot for your timely advice.

  • Shirish Lele

    Section 17 reads “Information security aspects of business continuity”
    Does this mean ISO27001:2013 is dropping the “business” continuity aspects in favour of ISO22301? (Considering that now ISO has a standard in BCM space. Something that they did not have in 2005).

  • Dejan Kosutic

    You are basically right. ISO 27001:2013 is not dropping the “business continuity” concept, but it reflects only on information security aspect of it.

  • Paul

    Hi, we are currently looking at ISO27001:2005. Would we be advised to align with ISO27001:2013 now, or do you think we will be OK to still align with the 2005 version?

  • Dejan Kosutic