Query pertinent to mapping controls of the revised standard to the old standard

Vinay,

I'm not sure to which mapping document you refer to, because we didn't publish such document.

In any case, 2013 revision control A.9.2.3 "Management of privileged access rights" maps to A.11.2.2 "Privilege management" control from 2005 revision.

2013 revision control A.9.2.4 "Management of secret authentication information of users" maps to A.11.2.3 "User password management" from 2005 revision.

Thank you Dejan!
That does clarify my understanding.

Also, if I may ask, is it a mandate to follow and implement each and every control in the 'implementation guidance' for a particular control objective/ clause?
Since they are more flexible or more stringent in some domains as compared to the old standard, will the certifying body weigh emphasis on the control objective being met or the several controls listed in the implementation guidance which assist to met the control objective?

Vinay,

ISO 27001 does not mention "implementation guidance" - are you perhaps referring to ISO 27002?

In any case, ISO 27002 is irrelevant to certification auditors. For ISO 27001, you have to select only those controls where there are risks or where there are some other requirements (like legal or regulatory) which require you to implement particular control.

To learn more about the risk assessment process and selecting the controls read this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/