Management, compliance & auditing

Transition of ISO 27001: 2005 to ISO 27001: 2013

Steve Lynch
June 19, 2015 by
Steve Lynch

ISO 27001 is an international standard published by the International Standard Organization (ISO). This standard acts as a specification for an information security management system. ISMS is a set of policies and procedures that includes the steps and controls involved in a company's information risk management system. Many organizations might have a number of security controls, but without an efficient ISMS they remain unorganized and ineffective.

ISO 27001 was developed to provide a model for implementing establishing monitoring and improving an organizations security management system. It uses a risk-based approach. The standard includes a six step planning process as mentioned below:

  • Implement a security policy.
  • Define the scope of ISMS
  • Carry out Risk Assessment.
  • Manage the identified risk
  • Select the objectives and controls accordingly to implement.
  • Prepare a statement of applicability.
  • The latest version of 27001 standard was published in 2013 known as ISO/IEC 27001:2013. The first revision of the standard was published in 2005, which was developed based on the British Standards BS 7799-2. This standard can be implemented in any kind of organization irrespective of their size and ownership. Implementation of ISO takes three months for a small organization up to 1 year for big organization. It was written by the world's best experts, considering all possible vulnerabilities that an organization may face. ISO 27001 standards provides a certification to companies that has implemented information security with the standard. This is approved by an independent certification body. According to a survey, the number of companies that were certified has increased on a large scale over the past 5 years.

    The main aim of ISO 27001 is to protect the confidentiality and integrity of a company. This is done by finding out the issues and flaws that could possibly happen to the structure and acting accordingly to prevent it. That is, risk assessment and then risk mitigation.

    Fig: ISO 27001 Framework

    The controls that are to be implemented are in the form of policies and technical implementation like software and equipment. In most cases, the companies are in possession of these resources, but they are using them in a unsecured way. The main task while implementing the standard will be setting up the rules to prevent any kind of security breach inside the organization. The implementation not only requires equipment but they should be properly organized inside the system for higher efficiency.

    Benefits of ISO 27001

    A company can achieve four main business benefits with the implementation of this security standard

    • A Legal Solution: There are more and more laws and regulations related to information security. The implementation of ISO 27001 standard helps to resolve most of them. This standard gives a perfect methodology to comply with all of them.
    • Marketing Advantage: If you company is certified and your competitors do not, you may have advantage over the eyes of the customers. They will have better confidence in handing the work to a certified company than handing it to a non-certified one.
    • Lower Cost: The main aim of such standard id to prevent security breaches. Any attack to a company, large or small, costs money. Therefore, by preventing such kind of attacks will save a lot of money.
    • Better Organization: By the implementation of this standard, the companies are encouraged to write down their main process in every department, which saves a lot of time for the employees making it a better organization.
    • ISO 27001 Implementation

      The implementation of this standard consists of many things that should be taken care of. The following are the steps mentioned to attain a ISO 27001 certification:

      • Management Support: One of the major reason for the failure of ISO 27001 is the lack of management support. The team is not provided with sufficient funds or resources to work on the project. Without the help of management, a successful implementation of ISMS is not possible at all.
      • Organized work: Implementation of the standard is a complex issue involving various activities, many people lasting several months. So a proper planning of what is to be done, what not to be done, etc. should be determined to complete the work successfully. Many of the ISMS implementation overshoot time are because of its unorganized planning. Some companies under the impression of completing the implementation within three months fails to implement even after 6 months is completed due to the lack of systematic approach. Moreover scope of ISMS need to be clearly defined before starting the ISMS.
      • Define Risk Assessment Methodology: It is the most complex task in the whole process. The point is to define rules for identifying the assets, vulnerabilities, threats to define the level of risk. If this step is not properly carried out, we might face lot of problem in tackling the issues.
      • Risk treatment: This process might take for implementation. The assessed risk should be taken in account and policies should be selected accordingly to tackle the threats efficiently. The policies should be documented according to priority for ease of access.
      • Implement the controls and mandatory procedures: Certain policies might be difficult to merge with the existing policies and working condition. The employees will have to learns and adjust with the new rules, so the implementation should be done with rightful responsibility.
      • Training and awareness programs: Before implementing, it in full scale, the people associated should be given proper training and awareness on how the policies are scales and working procedures for a quick action. By this process, they will be able to work according to the situation.
      • Operate and Monitor ISMS: The activities should be recorded for effective management. Without a record, it is difficult to state and prove that some activity has been don or not. These recorded activities should be analyzed for suspicious activities. The record gives the detailed log of selected period. The results obtained should be compared with the objective to find out the effectiveness of the planning.
      • Internal Audits: Internal errors or mistakes caused by employee may affect the organization. Such types of mistakes are identified during internal audits. These types of errors should be identified and eliminated as soon as possible.

      Types of certification Program

      Two types of ISO 27001 certificates exist:

      • Organization: For an organization to be certified, they must implement the standards as per the rules. Then they have to go through a certification audit that is performed by a certification body. The certification audit consist of 3 main stages as follows :
        • Stage 1 Audit (Documentation Review): In this process, the auditors will review all the documentation.
        • Stage 2 Audit (Main Audit): The auditors will perform an onsite audit to check whether all the activities in the company match with the ISO 27001 and ISMS documentation.
        • Surveillance Visits: After the certification process, during its 3-year validity the auditors will check whether the company maintains its ISMS.
      • Individual: Individuals can attend the course and pass the exam in order to get the certificate. There are several courses in order to attain certificates. The most popular once are mentioned below :
        • ISO 27001 Lead Auditor Course: This course teaches how to perform certification audits. It's a 5-day course and is mostly intended for security auditors and consultants. An exam will be conducted at the end of the training and passing the exam will get you entitle with Auditor certificate.
        • ISO 27001 Lead Implementer Course: This 5 day course is mainly suggested for security practitioners. It teaches how to implement the standards.
        • ISO 27001 Internal Auditor Course: This is a basic course intended for beginners. It covers basics of the standards, and how to perform internal audits.

      It's very important to check whether everything is in place before certification. This step is not mandatory, but it's useful in finding any errors or mistakes if made. People associated with the process should check their part with respect to the documentation. This would help in confirming if each step made is correct or not before the certification. After receiving certification there will be two surveillance visit to check whether the policies are followed correctly. The certification is valid only for 3 years. After this period, the companies should be recertified to maintain their certification. Periodic internal audits should be carried to maintain the standard. During the initial certification, the auditor will check if the main contents are implanted as mentioned. Then the entire body is crosschecked with the documentation submitted to make sure that the company follows as per the standard. The main aim of such surveillance visits is to find out whether the company works in everyday operations as per the standards. The auditor will also check for weak spots during the certification audit that should be cleared accordingly.

      It has been found that various companies are still using the old ISO 27001:2005 certificate. The officials have informed that those certificates will be valid until October of this year. They are advised to revise their certification to ISO 27001:2013.

      Transition from ISO 27001:2005 to ISO 27001:2013

      ISO 27001 published in 2005 were again revised in 2013, which exists currently in the name ISO/IEC 27001:2013. The biggest difference between old and new standard is the structure. Old one had five main sections and new one published has seven. This is because the revised standard uses a new Annex SL template. ISO says that the future Management System Standards will use the same layout with the same basic requirement. Due to this feature, all the MSS will have same look and feel. A common structure is possible because concepts like planning, process, etc are common to all management systems. This will help organizations in implementing multiple standards due to the basic requirement. We can say that the new standard is more focused than the old one. The new standard has more clauses than the old one, but they are easy to work with. The clauses are as shown below:

      ISO 27001:2005

      ISO 27001:2013

      • Information security management system
      • Management Responsibility
      • Internal ISMS audits
      • Management review of the ISMS
      • ISMS Improvement

      • Context of the Organization
      • Leadership
      • Planning
      • Support
      • Operation
      • Performance evaluation
      • Improvement

      The old standard follows the PDCA (Plan-Do-Check-Act) model. However, the new one does not specify any particular process model. The organization with existing ISMS, it's not necessary to remove the PDCA model. Organizations that are newly adapting ISO 27001:2013 standard should identify an effective continual improvement process for their business.

      The 2005 standard has two forms of documentation: The Documents and Records. Documents include policies, procedures, process structure etc and records include work history, audit schedule. New standard does not make any distinction between documents and records. One of the new features added to the new standard is the one called context. It helps us to understand the needs of the company from every aspect, which could be used in designing effective ISMS.

      ISMS policies are sometimes written in dozens of pages. Later they are ignored while implementation due to the lengthy page numbers. A better way should be followed while writing the ISMS policies for companies. These should not be written just for certification sake, but they should be followed accordingly for better functioning of the company. Its is effective if we write down briefly and use this for managing security issues. Firstly, we should find the requirement of the company. Then a proper structure should be selected. Then the elements to be added to the structure should be added. After that, these elements should briefly explained and developed into a document, which could be referred for further use. Some of the main controls that have been added in 2013 to the ISO are mentioned below:

      • A.6.1.5 Information security in project management: This control states that no matter the type of project; information security should me made part of the project management. This could be implemented by a adding a security manager to the team, so that he could analyze the risk and provide apt security measures.
      • A.12.6.2 Restrictions on software installation: Software restriction has been made with is control. This means that the user cannot install random software on the company machines unless it has been checked or verified by the analyst. Malicious software could corrupt the system and crash the entire network down. There are processes like Software access management (SAM) in certain companies where a software that is requested for installation will be checked by the security analyst for any suspicious behavior. Assessor has to signoff the installation of third party tools to make sure that the software is free from malicious activities.
      • A.14.2.1 Secure development policy: This control checks weather security has been integrated in all phases of software development or not. In addition, the implemented policies should be documented for proper reference.
      • A.14.2.5 Secure system engineering principles: Implementation of principles and procedures for engineering secure systems has been made mandatory. The whole process should be documented, maintained, and applied on all projects.
      • A.14.2.6 Secure development environment: This control emphasizes on checking whether the risks have been properly assessed, which are related to individual system development and integration efforts, which covers the entire system development.
      • A.14.2.8 System security testing: This doesn't need much explanation.Software testing procedures are made compulsory in each step of development in this control. The software should be tested under various situations to determine the effectiveness of the system and to modify it if necessary.
      • A.15.1.1 Information security policy for supplier relationships: This control sets policy weather the supplier gets the access to organizations information based on the access control policy. This responsibility is normally followed by procurement officer.
      • A.15.1.3 Information and communication technology supply chain: This control checks whether the agreements with supplier include whether to discuss security risk related to the service and product supply chain.
      • A.16.1.4 Assessment of and decision on information security events: Checking if there is a procedure for analyzing security issues and classify them as security incidents. Information security incidents need to be properly practiced to ensure the smooth flow of incident management.


      All organizations are different in various ways. Not only due to security reasons but also for a better-organized management such standards should be implemented in companies no matter big or small. The certification process might seem a bit complicated at first, but once implemented it gets better. The revised versions of ISO 27001 standards have a far reaching effect Information Security. For a certified company to be revised, the best place to start is by analyzing the difference between the existing ISMS and the new standard. This would give an idea of what needs to be changed and added to the existing system. Finally, we can conclude that the new standard gives organization a perfect management framework for implementing and managing security.


      Steve Lynch
      Steve Lynch

      Steve has 9 yrs of experience in cyber security space. He worked as a cyber journalist to collect news from various geographic locations associated with cyber security. He has a great experience with linux and holds many technology certificates.