COMPARISON OF ISO 27001:2005 TO 27001:2013
This table shows the changes introduced in the ISMS standard ISO 27001:2013 with respect to ISO 27001:2005: each Annex A control of the 2005 edition is listed beside the 2013 control it maps to.
27001:2005 | 27001:2013 |
A.5 Information Security Policy | |
A.5.1 Management Directions for Information Security. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | |
A.5.1.1 Information security policy document | A.5.1.1 Policies for information security |
A.5.1.2 Review of the information security policy | A.5.1.2 Review of the policies for information security |
A.6 Organization of information security | |
A.6.1 Internal Organization. Objective: To establish a management framework to initiate and control the implementation of information security within the organization. | |
A.6.1.3 Allocation of information security responsibilities | A.6.1.1 Information security roles and responsibilities |
A.8.1.1 Roles and responsibilities | |
A.6.1.6 Contact with authorities | A.6.1.2 Contact with authorities |
A.6.1.7 Contact with special interest groups | A.6.1.3 Contact with special interest groups |
| A.6.1.4 Information security in project management |
A.10.1.3 Segregation of duties | A.6.1.5 Segregation of duties |
A.6.2 Mobile devices and teleworking. Objective: To ensure the security of teleworking and use of mobile devices. | |
A.11.7.1 Mobile computing and communications | A.6.2.1 Mobile device policy |
A.11.7.2 Teleworking | A.6.2.2 Teleworking |
A.7 Human Resource Security | |
A.7.1 Prior to employment. Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for. | |
A.8.1.2 Screening | A.7.1.1 Screening |
A.8.1.3 Terms and conditions of employment | A.7.1.2 Terms and conditions of employment |
A.7.2 During Employment. Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities. | |
A.8.2.1 Management responsibilities | A.7.2.1 Management responsibilities |
A.8.2.2 Information security awareness, education and training | A.7.2.2 Information security awareness, education and training |
A.8.2.3 Disciplinary process | A.7.2.3 Disciplinary process |
A.7.3 Termination and change of employment. Objective: To protect the organization’s interests as part of the process of changing or terminating employment. | |
A.8.3.1 Termination responsibilities | A.7.3.1 Termination or change of employment responsibilities |
A.8 Asset Management | |
A.8.1 Responsibility for Assets. Objective: To achieve and maintain appropriate protection of organizational assets. | |
A.7.1.1 Inventory of assets | A.8.1.1 Inventory of assets |
A.7.1.2 Ownership of assets | A.8.1.2 Ownership of assets |
A.7.1.3 Acceptable use of assets | A.8.1.3 Acceptable use of assets |
A.8.2 Information classification. Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | |
A.7.2.1 Classification guidelines | A.8.2.1 Classification of information |
A.7.2.2 Information labeling and handling | A.8.2.2 Labeling of information |
A.7.2.3 Information handling procedures | A.8.2.3 Handling of assets |
A.8.3.2 Return of assets | A.8.2.4 Return of assets |
A.8.3 Media Handling. Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. | |
A.10.7.1 Management of removable media | A.8.3.1 Management of removable media |
A.10.7.2 Disposal of media | A.8.3.2 Disposal of media |
A.10.8.3 Physical media in transit | A.8.3.3 Physical media transfer |
A.9 Logical Security / Access Control | |
A.9.1 Business requirements of access control. Objective: To restrict access to information and information processing facilities. | |
A.11.1.1 Access control policy | A.9.1.1 Access control policy |
A.11.4.1 Policy on use of network services | A.9.1.2 Policy on the use of network services |
A.9.2 User access management. Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. | |
A.11.2.1 User registration | A.9.2.1 User registration and de-registration |
A.11.5.2 User identification and authentication | |
A.11.2.2 Privilege management | A.9.2.2 Privilege management |
A.11.2.3 User password management | A.9.2.3 Management of secret authentication information of users |
A.11.2.4 Review of user access rights | A.9.2.4 Review of user access rights |
A.8.3.3 Removal of access rights | A.9.2.5 Removal or adjustment of access rights |
A.9.3 User responsibilities. Objective: To make users accountable for safeguarding their authentication information. | |
A.11.3.1 Password use | A.9.3.1 Use of secret authentication information |
A.9.4 System and application access control. Objective: To prevent unauthorized access to systems and applications. | |
A.11.6.1 Information access restriction | A.9.4.1 Information access restriction |
A.11.5.1 Secure log-on procedures | A.9.4.2 Secure log-on procedures |
A.11.5.5 Session time-out | |
A.11.5.6 Limitation of connection time | |
A.11.5.3 Password management system | A.9.4.3 Password management system |
A.11.5.4 Use of system utilities | A.9.4.4 Use of privileged utility programs |
A.12.4.3 Access control to program source code | A.9.4.5 Access control to program source code |
A.10 Cryptography | |
A.10.1 Cryptographic controls. Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. | |
A.12.3.1 Policy on the use of cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls |
A.12.3.2 Key management | A.10.1.2 Key management |
A.11 Physical and environmental security | |
A.11.1 Secure areas. Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. | |
A.9.1.1 Physical security perimeter | A.11.1.1 Physical security perimeter |
A.9.1.2 Physical entry controls | A.11.1.2 Physical entry controls |
A.9.1.3 Securing offices, rooms and facilities | A.11.1.3 Securing offices, rooms and facilities |
A.9.1.4 Protecting against external and environmental threats | A.11.1.4 Protecting against external and environmental threats |
A.9.1.5 Working in secure areas | A.11.1.5 Working in secure areas |
A.9.1.6 Public access, delivery and loading areas | A.11.1.6 Delivery and loading areas |
A.11.2 Equipment. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. | |
A.9.2.1 Equipment siting and protection | A.11.2.1 Equipment siting and protection |
A.9.2.2 Supporting utilities | A.11.2.2 Supporting utilities |
A.9.2.3 Cabling security | A.11.2.3 Cabling security |
A.9.2.4 Equipment maintenance | A.11.2.4 Equipment maintenance |
A.9.2.7 Removal of property | A.11.2.5 Removal of assets |
A.9.2.5 Security of equipment off-premises | A.11.2.6 Security of equipment and assets off-premises |
A.9.2.6 Secure disposal or re-use of equipment | A.11.2.7 Secure disposal or re-use of equipment |
A.11.3.2 Unattended user equipment | A.11.2.8 Unattended user equipment |
A.11.3.3 Clear desk and clear screen policy | A.11.2.9 Clear desk and clear screen policy |
A.12 Operations Security | |
A.12.1 Operational Procedures and Responsibilities. Objective: To ensure the correct and secure operation of information processing facilities. | |
A.10.1.1 Documented operating procedures | A.12.1.1 Documented operating procedures |
A.10.1.2 Change management | A.12.1.2 Change management |
A.10.3.1 Capacity management | A.12.1.3 Capacity management |
A.10.1.4 Separation of development, test and operational facilities | A.12.1.4 Separation of development, test and operational environments |
A.12.2 Protection from Malware. Objective: To ensure that information and information processing facilities are protected against malware. | |
A.10.4.1 Controls against malicious code | A.12.2.1 Controls against malware |
A.12.3 Back-up. Objective: To protect against loss of data. | |
A.10.5.1 Information back-up | A.12.3.1 Information backup |
A.12.4 Logging and Monitoring. Objective: To record events and generate evidence. | |
A.10.10.1 Audit logging | A.12.4.1 Event logging |
A.10.10.3 Protection of log information | A.12.4.2 Protection of log information |
A.10.10.4 Administrator and operator logs | A.12.4.3 Administrator and operator logs |
A.10.10.6 Clock synchronization | A.12.4.4 Clock synchronization |
A.12.5 Control of operational software. Objective: To ensure the integrity of operational systems. | |
A.12.4.1 Control of operational software | A.12.5.1 Installation of software on operational systems |
A.12.6 Technical Vulnerability Management. Objective: To prevent exploitation of technical vulnerabilities. | |
A.12.6.1 Control of technical vulnerabilities | A.12.6.1 Management of technical vulnerabilities |
| A.12.6.2 Restrictions on software installation |
A.12.7 Information Systems Audit Considerations. Objective: To minimize the impact of audit activities on operational systems. | |
A.15.3.1 Information system audit controls | A.12.7.1 Information systems audit controls |
A.13 Communications Security | |
A.13.1 Network Security Management. Objective: To ensure the protection of information in networks and its supporting information processing facilities. | |
A.10.6.1 Network controls | A.13.1.1 Network controls |
A.10.6.2 Security of network services | A.13.1.2 Security of network services |
A.11.4.5 Segregation in networks | A.13.1.3 Segregation in networks |
A.13.2 Information transfer. Objective: To maintain the security of information transferred within an organization and with any external entity. | |
A.10.8.1 Information exchange policies and procedures | A.13.2.1 Information transfer policies and procedures |
A.10.8.2 Exchange agreements | A.13.2.2 Agreements on information transfer |
A.10.8.4 Electronic messaging | A.13.2.3 Electronic messaging |
A.6.1.5 Confidentiality agreements | A.13.2.4 Confidentiality or non-disclosure agreements |
A.14 System acquisition, development and maintenance | |
A.14.1 Security requirements of information systems. Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks. | |
A.12.1.1 Security requirements analysis and specification | A.14.1.1 Security requirements analysis and specification |
A.10.9.1 Electronic commerce | A.14.1.2 Securing application services on public networks |
A.10.9.3 Publicly available information | |
A.10.9.2 Online transactions | A.14.1.3 Protecting application services transactions |
A.14.2 Security in development and support processes. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. | |
| A.14.2.1 Secure development policy |
A.12.5.1 Change control procedures | A.14.2.2 Change control procedures |
A.12.5.2 Technical review of applications after operating system changes | A.14.2.3 Technical review of applications after operating platform changes |
A.12.5.3 Restrictions on changes to software packages | A.14.2.4 Restrictions on changes to software packages |
| A.14.2.5 System development procedures |
| A.14.2.6 Secure development environment |
A.12.5.5 Outsourced software development | A.14.2.7 Outsourced development |
| A.14.2.8 System security testing |
A.10.3.2 System acceptance | A.14.2.9 System acceptance testing |
A.14.3 Test data. Objective: To ensure the protection of data used for testing. | |
A.12.4.2 Protection of system test data | A.14.3.1 Protection of test data |
A.15 Supplier relationships | |
A.15.1 Security in supplier relationships. Objective: To ensure protection of the organization’s information that is accessible by suppliers. | |
A.6.2.3 Addressing security in third party agreements | A.15.1.1 Information security policy for supplier relationships |
A.6.2.3 Addressing security in third party agreements | A.15.1.2 Addressing security within supplier agreements |
| A.15.1.3 ICT supply chain |
A.15.2 Supplier service delivery management. Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. | |
A.10.2.2 Monitoring and review of third party services | A.15.2.1 Monitoring and review of supplier services |
A.10.2.3 Managing changes to third party services | A.15.2.2 Managing changes to supplier services |
A.16 Information Security Incident Management | |
A.16.1 Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. | |
A.13.2.1 Responsibilities and procedures | A.16.1.1 Responsibilities and procedures |
A.13.1.1 Reporting information security events | A.16.1.2 Reporting information security events |
A.13.1.2 Reporting security weaknesses | A.16.1.3 Reporting information security weaknesses |
| A.16.1.4 Assessment and decision of information security events |
| A.16.1.5 Response to information security incidents |
A.13.2.2 Learning from information security incidents | A.16.1.6 Learning from information security incidents |
A.13.2.3 Collection of evidence | A.16.1.7 Collection of evidence |
A.17 Business Continuity | |
A.17.1 Information security aspects of business continuity management. Objective: Information security continuity should be embedded in the organization’s business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences. | |
A.14.1.2 Business continuity and risk assessment | A.17.1.1 Planning information security continuity |
| A.17.1.2 Implementing information security continuity |
A.14.1.5 Testing, maintaining and re-assessing business continuity plans | A.17.1.3 Verify, review and evaluate information security continuity |
A.17.2 Redundancies. Objective: To ensure availability of information processing facilities. | |
| A.17.2.1 Availability of information processing facilities |
A.18 Compliance | |
A.18.1 Information security reviews. Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. | |
A.6.1.8 Independent review of information security | A.18.1.1 Independent review of information security |
A.15.2.1 Compliance with security policies | A.18.1.2 Compliance with security policies and standards |
A.15.2.2 Technical compliance checking | A.18.1.3 Technical compliance inspection |
A.18.2 Compliance with legal and contractual requirements. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. | |
A.15.1.1 Identification of applicable legislation | A.18.2.1 Identification of applicable legislation and contractual requirements |
A.15.1.2 Intellectual property rights (IPR) | A.18.2.2 Intellectual property rights (IPR) |
A.15.1.3 Protection of organizational records | A.18.2.3 Protection of documented information |
A.15.1.4 Data protection and privacy of personal information | A.18.2.4 Privacy and protection of personal information |
A.15.1.6 Regulation of cryptographic controls | A.18.2.5 Regulation of cryptographic controls |