| 27001:2005 control deleted in DIS | Comment |
|---|---|
| A.6.1.1 Management commitment to information security | Claimed that this is not a control but part of the ISO/IEC 27001 management commitment requirement. |
| A.6.1.2 Information security coordination | Claimed removed as this deals with the establishment of an ISMS and guidance is to be found in ISO/IEC 27003. |
| A.6.1.4 Authorisation process for information processing facilities | Appears no longer explicitly addressed, as it seems to be an aspect of A.6.1.1. |
| A.6.2.1 Identification of risks related to external parties | Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements. |
| A.6.2.2 Addressing security when dealing with customers | Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements. |
| A.10.2.1 Service delivery | No reason given. |
| A.10.7.4 Security of system documentation | Claimed that this control has been removed on the grounds that system documentation is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such documents, should they fall into the wrong hands, present a source of risk. |
| A.10.8.5 Business Information Systems | Claimed removed on the grounds that the control really relates to the whole standard, and trying to reflect that more or less in a single control doesn’t really work. |
| A.10.10.2 Monitoring system use | Appears considered to be part of Event Logging (A.12.4.1). |
| A.10.10.5 Fault logging | Now appears referenced in Event Logging (A.12.4.1). |
| A.11.4.2 User authentication for external connections | Claimed covered by access control (A.9.1.1). |
| A.11.4.3 Equipment identification in networks | Appears covered by A.13.1.3. |
| A.11.4.4 Remote Diagnostic and configuration port protection | Claimed that separate physical diagnostic ports are becoming rare and that protection is covered through access control (A.9.1.1) and segregation in networks control (A.13.1.3). |
| A.11.4.6 Network Connection control | Claimed covered by A.13.1.3. |
| A.11.4.7 Network routing control | Claimed covered by A.13.1.3. |
| A.11.6.2 Sensitive system isolation | Deleted, as it is claimed that in an interconnected world such a control defeats the objective. However, we note that it may still apply in certain cases. |
| A.12.2.1 Input data validation | It is claimed that since this control was introduced, technology has moved on, and input data validation is just one small aspect of protecting web interfaces from attacks such as SQL injection. There are some remarks in the "Other Information" section of A.14.2.5, but the general understanding now appears to be that such techniques lie firmly in the domain of professional software developers and are therefore outside the scope of ISO/IEC 27002. |
| A.12.2.2 Control of internal processing | See A.14.2.5 and the explanation above. |
| A.12.2.3 Message integrity | This appears to be a duplication of material in A.13.2.1. |
| A.12.2.4 Output data validation | See A.14.2.5 and the explanation above. |
| A.12.5.4 Information leakage | It is claimed that this control was deleted because it only covered part of the problem associated with information leakage, and indeed there is coverage elsewhere. For example, the term "leakage" appears in A.8.3.2, A.11.2.1, A.12.6.2 and A.13.2.4 as guidance and other information. However, we note that the term "covert channel" does not appear in the DIS. Adware viruses, some of which are known to leak information, would be addressed by A.12.2.1. |
| A.14.1.1 Including information security in the business continuity management process | There used to be five "controls" and now there are three. Two of these (planning/RA and testing) map well onto two of the originals. The other three originals perhaps merit being called controls even less than everything else in the 2005 version; "principles" would be a more apt description. From our experience, this control is often just mapped to the BCP as a whole and therefore this control could be mapped to A.17.1.2. |
| A.14.1.3 Developing and implementing continuity plans including information security | For the reason cited above, this control could be mapped to A.17.1.2. |
| A.14.1.4 Business continuity planning framework | For the reason cited above, this control could be mapped to A.17.1.2. |
| A.15.1.5 Prevention of misuse of information processing facilities | This control corresponds to a UK law and could be a remnant of the original BS7799:1995 standard, which was completely UK-centric. Its omission is effectively covered by the new A.18.2.1, which requires all relevant laws to be identified. Thus, in the UK, this control is effectively dealt with by that control. Moreover, there is mention of "warning banners" in A.9.4.2. |
| A.15.3.2 Protection of information systems audit tools | It is claimed that this control has been removed on the grounds that an audit tool is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such tools present a source of risk. |