Differences in risk treatment between 27001:2005 and 27001:2013
Answer:
Regarding risk treatment, there are no big differences (although, in relation to the treatment options in the 2013 revision, you are free to consider any option that you find appropriate, not only applying controls, accepting risks, avoiding them or transferring them), but regarding the risk assessment there are some important changes: for example, you need to identify risk owners for each risk, you do not need to use the assets-threats-vulnerabilities methodology to identify risks, etc.
This article may be interesting for you: "What has changed in risk assessment in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
Jan 13, 2016