ISO 27001:2005 vs ISO 27001:2013

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016



AntonioS Jan 12, 2016

1. CAR
   - There are some new CAR requirements, but they are just similar to what we are doing now for 2005, which confuses me:
     i. To react to nonconformities and take action, as applicable, to control and correct the nonconformity and deal with the consequences.
     ii. To determine whether similar nonconformities exist, or could potentially occur.

2. Preventive action
   - It is removed from 2005 and replaced by issues. Issues will be dealt with in Risk Assessment, which confuses me?

3. Risk Assessment
   - Risk Owner and Risk Assessment Acceptance Criteria are not covered in 2005. Maybe you can help to provide some templates and examples for that?

4. 9.1 Monitoring, measurement, analysis and evaluation
   - Is it the same as ISMS Objective? To evaluate whether we achieve the objective? Or does it mean we may have a more detailed measurement method?

Answers:

Point 1: There are no important changes, but now in the 2013 revision it is not necessary to have a document for the corrective actions; it is only mandatory to have records about the results of corrective actions.

Point 2: Exactly, in ISO 27001:2013 (and other ISOs, for example ISO 22301) there is no clause for the preventive actions, but we can consider the risk assessment & treatment as a global preventive action.

Point 3: Sure, we have an interesting article about the risk owners that you can read here (remember that the asset owner is kept in the standard): “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/. About the risk acceptance, please read this: “Risk appetite and its influence over ISO 27001 implementation”: https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/. Our methodology of risk assessment can also be interesting for you, please check it out (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

Point 4: Clause 9.1 is related to the measurement method, and you can use this to measure the achievement of the information security objectives, but it is defined as a requirement in clause 6.2 ‘Information security objectives and planning to achieve them’. So, this is the difference: 6.2 is for the definition of the objectives, and 9.1 is for the measurement of them.

Finally, in this article you can find more information about how to make a transition from ISO 27001:2005 to the 2013 revision, please check it out: “How to make a transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/.
