What to expect from ISO 27001:2013


As with all ISO Standards, ISO 27001 has recently undergone a revision and been re-published. With the adoption of the Annex SL approach, the changes should help this standard fit better alongside other management standards such as ISO 9001 and ISO 20000.

The official title of the new standard is “Information technology — Security techniques — Information security management systems — Requirements” and, as part of this recent revision, Annexes B and C of 27001:2005 have been removed.

ISO 27001:2013 puts more emphasis on measuring and evaluating how well an Organisation’s Information Security Management System is performing than ISO 27001:2005 did. A section on outsourcing has also been introduced to address the fact that many Organisations rely on third parties to provide aspects of their IT services.

The requirements for management commitment previously found in ISO 27001:2005 have also been overhauled and are now mainly contained within the Leadership clause. The terms and definitions previously found in ISO 27001:2005 have been removed as well, with ISO 27000:2012 now referenced as the source of terms and definitions.

There is an increased focus on setting objectives, assessing performance and metrics, and much of the terminology within the standard has been updated with new concepts, such as:

  • Issues, risks and opportunities replacing preventive action
  • Interested parties replacing stakeholders
  • Documented information replacing documents and records
  • Risk owner replacing asset owner
  • Identification of assets, threats and vulnerabilities no longer being a prerequisite for the identification of information security risks
  • The effectiveness of the risk treatment plan now regarded as being more important than the effectiveness of ISO 27001 controls
  • Controls now determined during the process of risk treatment, rather than selected from Annex A
  • Information security objectives now set at relevant functions and levels
  • Performance evaluation covering the measurement of ISMS and risk treatment plan effectiveness

The latest revision gives more attention to the Organisational context of information security, with changes made to the way that risk assessment is carried out, leaving behind the former Plan-Do-Check-Act cycle that ISO 27001:2005 followed.

Within ISO 27001:2013 there are now a total of 114 controls in 14 groups, instead of 133 controls in 11 groups, with the latest controls reflecting changes in modern technology and its impact on Organisations.


Overall, ISO 27001:2013 is substantially different from ISO 27001:2005 and an improvement on it. To find out more about the ISO 27001 standard or the recent changes that have been made, or to gain this certification, call QMS today on 0845 86 26 246 or email us at [email protected].


About the author

  • Name:

    Michelle Whitehouse

  • Company:

    Brand and Content Marketing Manager

  • Bio:

    Michelle joined Citation ISO Certification in 2012. Having held several different roles across the business, she uses the insight and experience gained to shape and drive the brand and content marketing strategy. Managing a small team, she ensures that the customer is at the forefront of everything we do. Delivering event programmes and communication strategies that pack value into the overarching experience for both new and existing customers, Michelle is an innovative thinker who believes in offering services that add real value to people’s lives. With a background in sales, digital marketing, content strategy and marketing communications, Michelle takes an in-depth, hands-on approach to her role within the business and is passionate about developing the relationship that exists between the brand and customers through a combination of technology and communication.

