The new versions of ISO/IEC 27001 and 27002 are now International Standards

What does this mean?

It means that the 2005 editions of ISO/IEC 27001 and ISO/IEC 27002 are obsolete and have been withdrawn.

All users of the old standards should upgrade to the 2013 editions. If you are certified to the 2005 edition of ISO/IEC 27001, your Certification Body will expect you to upgrade within two years from the date of publication (1st October 2013). Otherwise your certification will lapse. All new certifications are to ISO/IEC 27001:2013.

How has 27001 changed?

Perhaps the most obvious change on seeing the new version for the first time is that the layout is quite different. There are no duplicate requirements and the text is less prescriptive, giving organisations greater freedom to implement the requirements in the manner best suited to them. The following figure shows the relationship between the 2005 and 2013 versions of the standard.

How has 27002 changed?

There are now only 114 controls, as opposed to the original 133, and they are listed under 14 headings rather than the original eleven. Many controls are unchanged from the 2005 version, although the guidance text has been updated. Some controls have been deleted as they are no longer considered commonplace in an interconnected world. Others have been merged because they were really different ways of saying the same thing, and there are some new controls too. Annex A of the new ISO/IEC 27001 naturally reflects ISO/IEC 27002:2013.

However, perhaps the most significant change is that the chapter on risk assessment and risk treatment has been removed.

The following sections show how the controls in the new standard map onto the ISO/IEC 27002:2005 controls and which ISO/IEC 27002:2005 controls have been deleted. In all cases, the guidance text has been reviewed and updated as necessary.

Mapping of controls in the new 27002 standard to the 2005 version


ISO/IEC 27002:2005 controls that have been deleted


Want to know more?

Buy the BSI book An introduction to ISO/IEC 27001:2013 by David Brewer, one of Gamma's co-founders.