ISO 27001:2013 Draft – Differences From The Earlier Standard – Part I

The new draft of ISO 27001 standard has been made more objective, logical in flow and precise, eliminating the elaborated and/or indirect contextual statements.

As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards. So, here are the main clauses that we will see in all the management standards:

  • 0 Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Context of the organization
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement


Change Number


ISO27001:2013 (Draft)


1 0.2 Process Approach Eliminated from this new standard PDCA Model was an explicit section in the older version unlike the newer one, which adopts this model all throughout the mandatory clauses, but does not occupy a separate and dedicated section in the standard.
2 1. Scope1.1 General

1.2 Applications

These sub-sections are eliminated from this new standard Sub Sections 1.1 General and 1.2 Application of older version are now merged into one section 1. Scope.The set of mandatory clauses in the old standard were from 4 to 8, which is now changed to 4 to 10 in the new version.
3 4. Information security management system 4. Context of the organization ISMS is renamed as Context of the Organization
4 4.1. General Requirements 4.1. General Requirements The Old standard talks about Documented ISMS, whereas the New one strongly focuses on understanding the context of business.Also, a reference to ISO31000 – the Risk Management standard is added.
5 4.2 Establishing and managing the ISMS 4.2. Understanding the needs and expectations of interested parties The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.
This is definitely an excellent way of defining key inputs into the ISMS.
6 4.2.1 a) to j) Establish the ISMS 6.1. Actions to address risks and opportunities Risk assessment and treatment
Assets, vulnerabilities and threats are not the basis of risk assessment anymore!
It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified;
However, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.
The concept of determining the level of risk based on consequences and likelihood remains the same.
Further, Risk Assessment Methodology does not need to be documented, although the risk assessment process need to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.
7 4.3 Documentation Requirements Documented information (No Dedicated Sub-Section)4.3. Determining the scope of the information security management system The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.
The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is eliminated – however, the requirement for documenting the output from those processes remains in the new standard.
Therefore, we don’t need to write all these procedures, but we are required to maintain all the records when managing documents, performing internal audits, and executing corrective actions.
Also, the clause from the old standard where all the required documents are listed (4.3.1) is removed – now there is no central list of required documents.
8 New Clause 4.4. Information security management system
9 5. Management responsibility 5. Leadership
10 5.1. Management Commitment 5.1. Leadership and commitment Unlike the older version, the newer version talks only about the need of Leadership and Management’s Commitment.
Policy related clauses are moved to a separate sub-section.
11 5.2. Resource Management 5.2. Policy This is a dedicated sub-section for the backbone document of ISMS; i.e. the IS Policy
  5.3. Organizational roles, responsibilities and authorities New addition.
An individual sub-section in the newer version.
12 6. Internal ISMS audits 6. Planning PDCA not explained explicitly but embedded into the mandatory clauses in the newer version, with the mapping as under: P-6; D-7 & 8; C-9; A-10
It completely talks about, Risks, Opportunities, Information Security Risk Assessment and Treatment, unlike the older one which only focused on the ISMS mandated Internal Audits.
13 7. Management Review of the ISMS 9.3. Management Review7. Support

  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
  • 7.5 Documented Information
Unlike the older version, in this newer version, Management Review has been made a sub-section, of the Performance Evaluation Clause.
7. New clause in the new standard
7.4. This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.
Hence this dedicated emphasis on Communication can be seen as a good change.
14 8. ISMS Improvement 8. Operations10.2 of the newer version The Elaborated DO phase in the new version.Contains Risk Assessment Requirements

However, the older version talked about CAPA, and continual improvement, the “ACT” phase

15 None 9. Performance Evaluation The separate “CHECK” Phase, talking about, measurement, monitoring, analysis and evaluation along with Internal Audits and Management Reviews
16 None 10. Improvement Talks about NCs, Corrective Actions and Continual Improvement.No Explicit mention of Preventive Actions.



Excellent summary !. – where are you working at the moment ?

Thank you for this summary.

I am studying ISO27001:2005 to implement it in my company. Should I wait for the new standard to be released ?
Or can I keep working on the old version and adapt my work when the new version is out ?

Thank you.

Hello Jeff,

Thanks for your query !
As this new version “ISO27001 : 2013” has been approved and published as the FDIS (Final Draft International Standard), with a tentative release date somewhere around 2013 end; you can start with the implementation.

ISMS, skeleton structure remains intact in the new draft as well, and as you have yourself mentioned you can adapt your old existing version of the system to the newer one, post 2013 end, as and when the new draft is officially released.

– Thanks
Network Intelligence India Pvt. Ltd.

Thanks for that nice summary. A primer to begin transition

Great summary. IS there going to be a second part?

Good Job! What will be in second part?

Nice, easy and usefull. And the second part …?

The second part would give in depth details about the changes in controls and control objectives.

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.