Differences between ISO 27001:2005 and ISO 27001:2013

There are a few differences that organizations should be aware of when looking to upgrade to the ISMS 27001:2013 version.

* Risk assessment gains a new dimension: a risk-based approach to the information security processes is now taken into consideration.
* Although the asset-based risk approach is not totally ignored, the standard still requires that an inventory of assets is kept and maintained up to date.
* The other differences are seen in the Annex A controls. Some controls are merged, some are deleted and some are updated. The total is now 114 controls.

Below are the controls added in the ISO 27001:2013 version:

* A.6.1.5 Information security in project management
* A.9.2.2 User access provisioning
* A.12.6.2 Restrictions on software installations
* A.14.2.1 Secure development policy
* A.14.2.5 Secure system engineering principles
* A.14.2.6 Secure development environment
* A.14.2.8 System security testing
* A.15.1.3 Information and communication technology supply chain
* A.16.1.4 Assessment of and decision on information security events
* A.17.1.2 Implementing information security continuity
* A.17.2.1 Availability of information processing facilities

Total controls added = 11

A note on A.15.1.3: this control is not limited to NDAs or confidentiality agreements. Auditors may also wish to see how the supply chain is involved in defining and ensuring that vendors, subcontractors, contractors, outsourced vendors and external consultants have their boundary defined and work within that specification in terms of information security. For example, in many companies consultants are hired or outsourced and they virtually become your own employees, with access to pretty much everything around them. So it is very difficult to draw a real boundary, and you never know whether the information exposed to them can be used for different purposes. This control therefore exercises more governance mechanisms to put a framework around "what is allowed" and "what is not allowed", what can be seen and "what cannot be seen/viewed".

Below are the controls deleted in ISO 27001:2013 (from the earlier version, ISO 27001:2005):

* A.6.1.1 Management commitment to information security
* A.6.1.2 Information security co-ordination
* A.6.1.4 Authorization process for information processing facilities
* A.6.2.2 Addressing security when dealing with customers
* A.10.2.1 Service delivery
* A.10.4.2 Controls against mobile code
* A.10.7.3 Information handling procedures
* A.10.7.4 Security of system documentation
* A.10.8.5 Business information systems
* A.10.10.2 Monitoring system use
* A.11.4.2 User authentication for external connections
* A.11.4.3 Equipment identification in networks
* A.11.4.4 Remote diagnostic and configuration port protection
* A.11.4.6 Network connection control
* A.11.4.7 Network routing control
* A.11.5.5 Session time-out
* A.11.5.6 Limitation of connection time
* A.11.6.2 Sensitive system isolation
* A.12.2.1 Input data validation
* A.12.2.2 Control of internal processing
* A.12.2.3 Message integrity
* A.12.2.4 Output data validation
* A.12.5.4 Information leakage
* A.14.1.2 Business continuity and risk assessment
* A.14.1.3 Developing and implementing continuity plans including information security
* A.14.1.4 Business continuity planning framework
* A.15.1.5 Prevention of misuse of information processing facilities
* A.15.3.2 Protection of information system audit tools

Total controls deleted = 28

Below are the merged controls (ISO 27001:2005 and ISO 27001:2013). Each row shows the ISO 27001:2005 controls that were merged into a single control in ISO 27001:2013.

| ISO 27001:2005 controls | ISO 27001:2013 control |
| --- | --- |
| A.6.1.3 Allocation of information security responsibilities; A.8.1.1 Roles and responsibilities | A.6.1.1 Information security roles and responsibilities |
| A.11.2.1 User registration; A.11.5.2 User identification and authentication | A.9.2.1 User registration and de-registration |
| A.10.10.1 Audit logging; A.10.10.5 Fault logging | A.12.4.1 Event logging |
| A.10.9.1 Electronic commerce; A.10.9.3 Publicly available information | A.14.1.2 Securing application services on public networks |