
Expert Advice Community


Changes in ISO 27001

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016





AntonioS Jan 13, 2016

I will admit, I am fairly new to the non-technical side of IT (Infosec/compliance) and so there is/has certainly been a learning curve. Right now I am just trying to compare the 2005 and 2013 versions of 27001/27002 to see which clauses and controls have been changed (that are incorporated into our own standards) - more specifically how they have changed and how that affects my environment. I am trying to put together a findings and recommendations report and struggling. I work in a University on a very small team. Of course I've gone through your site and Googled, which has helped some, though do you know of any other resources that compare the two versions and break down the changes a little more in-depth and maybe how they affect the rest of the surrounding content? (if that makes sense?!)

Answer:

Welcome to the non-technical side of IT; your technical knowledge is very important for ISO 27001. I am sorry, but we do not have a specific resource that compares both standards in detail. However, one of the more important changes in ISO 27001:2013 is related to risk management: in ISO 27001:2005 you needed an asset-based methodology, but in ISO 27001:2013 it is not necessary (the risk management methodology can be based on assets, on processes, or on something else), so the new version is more flexible on the key point of the standard (risk management). To learn about the changes in the risk assessment in more detail, please read this article, “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Another important change is related to the security controls of ISO 27002 (and Annex A of ISO 27001), so this article can also be interesting for you, “Main changes in the new ISO 27002”: https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
Regarding your question “how they affect the rest of the surrounding content?”, I am not sure what you mean, but some changes can affect an ISO 27001:2005 implementation, because there are some things that are no longer mandatory (for example, ISO 27001:2013 does not have preventive actions, so they are not necessary and you can remove them if you have implemented them under ISO 27001:2005).
Finally, this free webinar can help you understand the main changes in detail, and can also help you with the transition, “How to make the transition from ISO 27001 2005 to 2013 revision”: https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/ And also this article, “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/ (At the end of this article you can find a link to the free white paper “Twelve-step transition process from ISO 27001 2005 revision to 2013”, which you can find in our free downloads section: https://advisera.com/27001academy/free-downloads/).
And also see this article, "Infographic: New ISO 27001 revision - What has changed?": https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/

Guest post Jan 13, 2016

Antonio - Thank you so much for your quick and thorough response. I will digest the information provided and check out the resources you point to, but even at the outset, this looks like it will be very helpful. With that said, I may well follow up with more questions!

Thanks,

Michael.

Guest post Jan 13, 2016

Hi again Antonio. I am going to break down your response one piece at a time (to make it easier for both of us!).

I have been reading up some more and honestly I am a little confused by the shift in Risk Management between the revisions. You say that it is one of the "more important changes", though the article you linked to downplays it as "not very significant".

On one hand it seems like the 2013 version is telling you/me that you should use ISO 27005 for this aspect now (with the removal of section 4 from 2005), and on the other hand there is mention of flexibility around methodology and risk treatment, etc., like it is still very much part of ISO 27002.

Assume I do not look to ISO 27005 for a dedicated RM plan, then the preventative action that is lost in 2013 renders it a lesser standard by itself for that subject, no? I figure I am missing something significant, though cannot really fill the gaps.

Any further insight would be appreciated.

Thanks!

AntonioS Jan 13, 2016

As I already mentioned, one of the more important changes in ISO 27001:2013 is related to risk management, but that doesn't mean the change is relevant to the implementation of the new version of the standard. In other words, if you have ISO 27001 implemented with an asset-based methodology (according to ISO 27001:2005), with ISO 27001:2013 you can maintain it, but the new version does not require you to maintain it, so you can change it and, for example, have a process-based methodology.

Regarding ISO 27005, ISO 27001:2013 actually refers to ISO 31000, which has the same structure as ISO 27005, but it is for any type of risk, not only risks related to information security.

Regarding your last question, I am not sure if I have understood it, but you can see the risk assessment & treatment as a series of preventive actions to avoid (prevent) risks. So, in ISO 27001:2013 there are now no explicit preventive actions, but with risk management you can prevent risks.

Finally, this article about ISO 31000 and ISO 27001 can be interesting for you "ISO 31000 and ISO 27001 - How are they related?" : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
