Monday, 3 March 2014

ISO 27001:2005 VS 27001:2013

COMPARISON OF ISO 27001:2005 TO 27001:2013

This table shows the changes introduced in the ISMS standard ISO 27001:2013 with respect to ISO 27001:2005. Each row lists a 2013 Annex A control beside the 2005 control(s) it corresponds to; a blank 2005 cell marks a control that has no 2005 counterpart, and a 2013 control with several 2005 entries consolidates them.
A.5 Information Security Policy
A.5.1 Management Directions for Information Security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.5.1.1 Information security policy document | A.5.1.1 Policies for information security |
| A.5.1.2 Review of the information security policy | A.5.1.2 Review of the policies for information security |

A.6 Organization of information security
A.6.1 Internal Organization
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.6.1.3 Allocation of information security responsibilities; A.8.1.1 Roles and responsibilities | A.6.1.1 Information security roles and responsibilities |
| A.6.1.6 Contact with authorities | A.6.1.2 Contact with authorities |
| A.6.1.7 Contact with special interest groups | A.6.1.3 Contact with special interest groups |
| | A.6.1.4 Information security in project management |
| A.10.1.3 Segregation of duties | A.6.1.5 Segregation of duties |

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.11.7.1 Mobile computing and communications | A.6.2.1 Mobile device policy |
| A.11.7.2 Teleworking | A.6.2.2 Teleworking |

A.7 Human Resource Security
A.7.1 Prior to employment
Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.8.1.2 Screening | A.7.1.1 Screening |
| A.8.1.3 Terms and conditions of employment | A.7.1.2 Terms and conditions of employment |

A.7.2 During Employment
Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.8.2.1 Management responsibilities | A.7.2.1 Management responsibilities |
| A.8.2.2 Information security awareness, education and training | A.7.2.2 Information security awareness, education and training |
| A.8.2.3 Disciplinary process | A.7.2.3 Disciplinary process |

A.7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating employment.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.8.3.1 Termination responsibilities | A.7.3.1 Termination or change of employment responsibilities |

A.8 Asset Management
A.8.1 Responsibility for Assets
Objective: To achieve and maintain appropriate protection of organization assets.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.7.1.1 Inventory of assets | A.8.1.1 Inventory of assets |
| A.7.1.2 Ownership of assets | A.8.1.2 Ownership of assets |
| A.7.1.3 Acceptable use of assets | A.8.1.3 Acceptable use of assets |

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.7.2.1 Classification guidelines | A.8.2.1 Classification of information |
| A.7.2.2 Information labeling and handling | A.8.2.2 Labeling of information |
| A.7.2.3 Information handling procedures | A.8.2.3 Handling of assets |
| A.8.3.2 Return of assets | A.8.2.4 Return of assets |

A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.7.1 Management of removable media | A.8.3.1 Management of removable media |
| A.10.7.2 Disposal of media | A.8.3.2 Disposal of media |
| A.10.8.3 Physical media in transit | A.8.3.3 Physical media transfer |

A.9 Logical Security / Access Control
A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.11.1.1 Access control policy | A.9.1.1 Access control policy |
| A.11.4.1 Policy on use of network services | A.9.1.2 Policy on the use of network services |

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.11.2.1 User registration; A.11.5.2 User identification and authentication | A.9.2.1 User registration and de-registration |
| A.11.2.2 Privilege management | A.9.2.2 Privilege management |
| A.11.2.3 User password management | A.9.2.3 Management of secret authentication information of users |
| A.11.2.4 Review of user access rights | A.9.2.4 Review of user access rights |
| A.8.3.3 Removal of access rights | A.9.2.5 Removal or adjustment of access rights |

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.11.3.1 Password use | A.9.3.1 Use of secret authentication information |

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.11.6.1 Information access restriction | A.9.4.1 Information access restriction |
| A.11.5.1 Secure log-on procedures; A.11.5.5 Session time-out; A.11.5.6 Limitation of connection time | A.9.4.2 Secure log-on procedures |
| A.11.5.3 Password management system | A.9.4.3 Password management system |
| A.11.5.4 Use of system utilities | A.9.4.4 Use of privileged utility programs |
| A.12.4.3 Access control to program source code | A.9.4.5 Access control to program source code |

A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.12.3.1 Policy on the use of cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls |
| A.12.3.2 Key management | A.10.1.2 Key management |

A.11 Physical and environmental security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.9.1.1 Physical security perimeter | A.11.1.1 Physical security perimeter |
| A.9.1.2 Physical entry controls | A.11.1.2 Physical entry controls |
| A.9.1.3 Securing offices, rooms and facilities | A.11.1.3 Securing offices, rooms and facilities |
| A.9.1.4 Protecting against external and environmental threats | A.11.1.4 Protecting against external and environmental threats |
| A.9.1.5 Working in secure areas | A.11.1.5 Working in secure areas |
| A.9.1.6 Public access, delivery and loading areas | A.11.1.6 Delivery and loading areas |

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.9.2.1 Equipment siting and protection | A.11.2.1 Equipment siting and protection |
| A.9.2.2 Supporting utilities | A.11.2.2 Supporting utilities |
| A.9.2.3 Cabling security | A.11.2.3 Cabling security |
| A.9.2.4 Equipment maintenance | A.11.2.4 Equipment maintenance |
| A.9.2.7 Removal of property | A.11.2.5 Removal of assets |
| A.9.2.5 Security of equipment off-premises | A.11.2.6 Security of equipment and assets off-premises |
| A.9.2.6 Secure disposal or re-use of equipment | A.11.2.7 Secure disposal or re-use of equipment |
| A.11.3.2 Unattended user equipment | A.11.2.8 Unattended user equipment |
| A.11.3.3 Clear desk and clear screen policy | A.11.2.9 Clear desk and clear screen policy |

A.12 Operations Security
A.12.1 Operational Procedures and Responsibilities
Objective: To ensure the correct and secure operations of information processing facilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.1.1 Documented operating procedures | A.12.1.1 Documented operating procedures |
| A.10.1.2 Change management | A.12.1.2 Change management |
| A.10.3.1 Capacity management | A.12.1.3 Capacity management |
| A.10.1.4 Separation of development, test and operational facilities | A.12.1.4 Separation of development, test and operational environments |

A.12.2 Protection from Malware
Objective: To ensure that information and information processing facilities are protected against malware.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.4.1 Controls against malicious code | A.12.2.1 Controls against malware |

A.12.3 Back-up
Objective: To protect against loss of data.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.5.1 Information back-up | A.12.3.1 Information backup |

A.12.4 Logging and Monitoring
Objective: To record events and generate evidence.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.10.1 Audit logging | A.12.4.1 Event logging |
| A.10.10.3 Protection of log information | A.12.4.2 Protection of log information |
| A.10.10.3 Protection of log information; A.10.10.4 Administrator and operator logs | A.12.4.3 Administrator and operator logs |
| A.10.10.6 Clock synchronization | A.12.4.4 Clock synchronization |

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.12.4.1 Control of operational software | A.12.5.1 Installation of software on operational systems |

A.12.6 Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.12.6.1 Control of technical vulnerabilities | A.12.6.1 Management of technical vulnerabilities |
| | A.12.6.2 Restrictions on software installation |

A.12.7 Information Systems Audit Considerations
Objective: To minimize the impact of audit activities on operational systems.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.15.3.1 Information system audit controls | A.12.7.1 Information systems audit controls |

A.13 Communications Security
A.13.1 Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.6.1 Network controls | A.13.1.1 Network controls |
| A.10.6.2 Security of network services | A.13.1.2 Security of network services |
| A.11.4.5 Segregation in networks | A.13.1.3 Segregation in networks |

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.8.1 Information exchange policies and procedures | A.13.2.1 Information transfer policies and procedures |
| A.10.8.2 Exchange agreements | A.13.2.2 Agreements on information transfer |
| A.10.8.4 Electronic messaging | A.13.2.3 Electronic messaging |
| A.6.1.5 Confidentiality agreements | A.13.2.4 Confidentiality or non-disclosure agreements |

A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.12.1.1 Security requirements analysis and specification | A.14.1.1 Security requirements analysis and specification |
| A.10.9.1 Electronic commerce; A.10.9.3 Publicly available information | A.14.1.2 Securing application services on public networks |
| A.10.9.2 Online transactions | A.14.1.3 Protecting application services transactions |

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| | A.14.2.1 Secure development policy |
| A.12.5.1 Change control procedures | A.14.2.2 Change control procedures |
| A.12.5.2 Technical review of applications after operating system changes | A.14.2.3 Technical review of applications after operating platform changes |
| A.12.5.3 Restrictions on changes to software packages | A.14.2.4 Restrictions on changes to software packages |
| | A.14.2.5 System development procedures |
| | A.14.2.6 Secure development environment |
| A.12.5.5 Outsourced software development | A.14.2.7 Outsourced development |
| | A.14.2.8 System security testing |
| A.10.3.2 System acceptance | A.14.2.9 System acceptance testing |

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.12.4.2 Protection of system test data | A.14.3.1 Protection of test data |

A.15 Supplier relationships
A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization’s information that is accessible by suppliers.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.6.2.3 Addressing security in third party agreements | A.15.1.1 Information security policy for supplier relationships |
| A.6.2.3 Addressing security in third party agreements | A.15.1.2 Addressing security within supplier agreements |
| | A.15.1.3 ICT supply chain |

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.10.2.2 Monitoring and review of third party services | A.15.2.1 Monitoring and review of supplier services |
| A.10.2.3 Managing changes to third party services | A.15.2.2 Managing changes to supplier services |

A.16 Information Security Incident Management
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.13.2.1 Responsibilities and procedures | A.16.1.1 Responsibilities and procedures |
| A.13.1.1 Reporting information security events | A.16.1.2 Reporting information security events |
| A.13.1.2 Reporting security weaknesses | A.16.1.3 Reporting information security weaknesses |
| | A.16.1.4 Assessment and decision of information security events |
| | A.16.1.5 Response to information security incidents |
| A.13.2.2 Learning from information security incidents | A.16.1.6 Learning from information security incidents |
| A.13.2.3 Collection of evidence | A.16.1.7 Collection of evidence |

A.17 Business Continuity
A.17.1 Information security aspects of business continuity management
Objective: Information security continuity should be embedded in the organization’s business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.14.1.2 Business continuity and risk assessment | A.17.1.1 Planning information security continuity |
| | A.17.1.2 Implementing information security continuity |
| A.14.1.5 Testing, maintaining and re-assessing business continuity plans | A.17.1.3 Verify, review and evaluate information security continuity |

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| | A.17.2.1 Availability of information processing facilities |

A.18 Compliance
A.18.1 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.6.1.8 Independent review of information security | A.18.1.1 Independent review of information security |
| A.15.2.1 Compliance with security policies | A.18.1.2 Compliance with security policies and standards |
| A.15.2.2 Technical compliance checking | A.18.1.3 Technical compliance inspection |

A.18.2 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

| ISO 27001:2005 | ISO 27001:2013 |
|---|---|
| A.15.1.1 Identification of applicable legislation | A.18.2.1 Identification of applicable legislation and contractual requirements |
| A.15.1.2 Intellectual property rights (IPR) | A.18.2.2 Intellectual property rights (IPR) |
| A.15.1.3 Protection of organizational records | A.18.2.3 Protection of documented information |
| A.15.1.4 Data protection and privacy of personal information | A.18.2.4 Privacy and protection of personal information |
| A.15.1.6 Regulation of cryptographic controls | A.18.2.5 Regulation of cryptographic controls |



2 comments:

  1. This comment has been removed by the author.

  2. Hi there! Great post. Thanks for sharing some very interesting and informative content; it is a big help to me as well, keep it up!!!

    ISO 27001 Audit Checklist
