




Infographic: New ISO 27001 2013 revision – What has changed?

By Dejan Kosutic on October 08, 2013
  • curious

    In the history of information security standards section, there is an error – BS25999 should be BS7799.

  • William Slater


    Thank you! It’s an excellent and very valuable set of work.

    I will also promote this work at my website at

  • Rodrigo Fernandes

    Thanks for the great work!

  • John Laskey

    Dejan, thank you very much. It is very helpful to have a smart, visual prompt at hand when explaining such changes.

  • cesar farro

    Thanks for the quick and graphic explanation of the differences between the old and the new ISO; your contribution is important because we do not yet have the formal ISO 27001:2013 document.

    A question about the SoA: I have understood that ISO 27001:2005 has 11 domains, 39 control objectives and 133 controls; now you talk about 18 domains and 114 controls? Could you share information on this point? A new Annex A?

    Additionally, regarding the definition of the ISMS scope, what are the new points for definition and justification?

  • Dejan Kosutic

    Cesar, you can read about new Annex A here:

    Regarding scope, you do not have to give justification for exclusions any more, nor do you have to list your technology; you do have to specify the interfaces and dependencies between activities performed within and out of the organization.

  • Feral Lagios

    Thank you for the graphic presentation Dejan. Great work.
    I have started to make the changes to our ISMS in accordance with the new version, and just as an addition to your presentation I would suggest adding the fact that the ISMS requirements sections 4-8 have now also increased to 4-10, with a great focus on risks and opportunities.

  • Karun Minocha

    Thanks a lot!!

    I have one query: when can an organization go for ISO 27001:2013 certification? E.g., if an organization wants to on 30 Nov, 2013, can they go for it?

  • Tadas

    Thank you, great infographic.

    Although I think there are more changes than shown above. Waiting for your webinar about this topic.

  • Dejan Kosutic

    Yes, you can go for the ISO 27001:2013 certification now; the question is if the certification body is ready.

  • thanks dejan

    Thanks a lot, Dejan. 2 questions:

    a) Can an organization still go for ISO 27001:2005, let’s say the certification date is in January ’14?

    b) Can an organization maintain the ISO 27001:2005 version during their upcoming surveillance planned in March ’14?

  • Dejan Kosutic

    The answer to both questions is yes – see this article for a more detailed explanation:

  • Shirish Lele

    One question. The graphic says that organizations can certify against 27001:2005 by Sep 25, 2014. Is this re-certification on expiry of the 3-year period or even fresh certification? Asking because ISO has withdrawn the old document and that kind of indicates that anybody preparing afresh MUST go for 27001:2013.

  • Dejan Kosutic

    Shirish, companies that certify for the first time against ISO 27001 until September 25, 2014 can go for either the 2005 revision or the 2013 revision. The fact that the 2005 revision was withdrawn from sales has nothing to do with it.

  • Sanjeev Agarwal

    One clarification: if an organization applies now and gets certified for ISO 27001:2005 before 25th Sep 2014, will the certificate remain valid for the next 03 years? Or will the organization have to transition to ISO 27001:2013 by 25th Sep 2015?

  • Dejan Kosutic

    Sanjeev, in any case a company with a 2005 revision certificate must transition to ISO 27001:2013 by September 25, 2015.

  • Hari

    Certificate will be valid till September 25, 2015.

  • Mahesh


    How is ISMS 2013 aligned with ISO 22000, where 22000 speaks about food and safety…

  • Dejan Kosutic

    Sorry, but I’m not familiar with ISO 22000 – it addresses food safety management, whereas I’m focused on information security.

  • Richard Regalado

    Ah that’s easy. The secret formula of Coca Cola is an example of how ISO 27001 is applied to FSMS.

    Want more? The integrity of information on food labels i.e., nutritional value and expiration dates, etc.

    Last one: Make sure real time data is available on your food deliveries and stores. Else, you cannot pay your suppliers and soon you won’t have food to make or serve.

  • phoenixaim

    Hi Dejan,

    First of all, I want to thank you for the graphic presentation and your contribution in this field by sharing your thoughts and experience. I much appreciate your work.

    Secondly, can you explain how, or in what way, we can specify the interfaces and dependencies between activities performed within and out of the organization? Any templates would really help me a lot.



  • Dejan Kosutic

    Saurabh, logical interfaces are normally firewalls or other network devices, while physical interfaces are usually doors between the facilities that are within or outside of the scope. You can find a template here: