ISO 27001:2013 Standard FAQs

IT Governance consultants can advise you on the nature of the changes to ISO 27001 and what to do to prepare for certification audits.

For example, the ISO 27001:2013 standard puts more emphasis on measuring and evaluating how well an organisation's ISMS is performing. There is also a new section that emphasises the consideration to be given to outsourcing, reflecting the fact that many organisations rely on third parties to provide some aspects of their service or product.

We can help you to find the best way to address these and other changes, whether you are already an experienced ISO 27001 project manager, or just starting the scoping process for your first ISMS.

What are the main changes that you need to take account of?

• The revised standard has been written using the new high-level structure, which is common to all new management systems standards. This will make integration straightforward when implementing more than one management system.
• Terminology has been changed and some definitions have been removed or relocated.
• Risk assessment requirements have been aligned with ISO 31000, moving away from mandating an asset-based approach.
• Management commitment requirements have a focus on 'leadership'.
• The requirement for preventive action has changed.
• The control selection process has changed, offering the benefit of greater flexibility.
• Controls in Annex A have been modified. Some specific controls have been added, offering a greater focus on areas such as security in project management and through supplier relationships.
• There is a greater emphasis on setting objectives, monitoring performance, and metrics.

Click on the links below for detailed answers to the questions we are most often asked.

• Why has the ISO 27001:2005 standard been withdrawn and a new standard published?

  The short answer is that international standards are revised periodically to keep them up to date. ISO 27001 was first published in 2005 and since then a lot has changed in the world of information technology, so the ISO technical committee reviewed ISO 27001:2005 to ensure it appropriately supported the information security systems of the current era. The international committee met in April 2013 to discuss the feedback received from national standards bodies, including BSI. Comments were reviewed and changes agreed. As a result, the ISO 27001:2013 standard was published on 25 September 2013.

• Does this mean that we can no longer get independent assessment and secure ISO 27001:2005 accredited certification for our ISMS?

  Your certification body may assess your ISMS at the CSV visits against the requirements of ISO 27001:2005 until it requires you to transition to the new standard (ISO 27001:2013). Conformity to ISO 27001:2013 is required by 1 October 2015 globally, when all transitions must be completed.

• Can our organisation be issued with an ISO 27001:2013 certificate now, or do we have to wait for further developments?

  Achieving UKAS-accredited certification to the ISO 27001:2013 standard is dependent on your certification body being recognised by an accreditation body (UKAS in the UK) as capable of carrying out ISO 27001:2013 certifications. Until this checking process has been satisfactorily completed, the certification body will be unable to issue an accredited ISO 27001:2013 certificate. All certification bodies are expected to transition to ISO 27001:2013 by the end of April 2015.

• What about surveillance visits: will we have to be assessed against the ISO 27001:2013 standard?

  Your surveillance visit assessments will continue to be carried out against the 2005 version of the ISO27001 standard until your certification body has transitioned to the ISO 27001:2013 standard. After that time, however, your organisation is more likely to be assessed against ISO 27001:2013 during CAV/surveillance visits – please check in advance with the certification body concerned.

  IMPORTANT: If you are in any doubt about the best course of action for your particular circumstances, we advise you to contact IT Governance on + 44 845 070 1750 or email your query today.

• Where can I get hold of the new ISO 27001:2013 standard?

  You can purchase your own copies of the new standards from IT Governance here:

  • ISO/IEC 27001:2013 (ISO27001 ISO 27001) ISMS Requirements
  • ISO/IEC 27002:2013 (ISO27002 ISO 27002) Code of Practice for InfoSec Controls

  You can also download our free green papers on information security & ISO 27001:

  • NEW! ISO 27001: 2013 Reference Sheet download »
  • NEW! ISO 27001: 2013 Technical guidance for transitioning from ISO27001:2005 download »
  • NEW! Preparing for ISO 27001:2013 download »
• What are the benefits of ISO 27001:2013 certification?

  Adopting an ISMS and gaining accredited certification enables you to:

  • Comply with business, legal, contractual and regulatory requirements.
  • Adopt a risk-based approach that informs senior-level decision-making.
  • Win new business opportunities/retain your existing customer base.
  • Differentiate your organisation in the market by being standards-compliant.
  • Avoid large financial losses – both regulatory fines and contractual penalties.
  • Remove the need to complete detailed security questionnaires.
  • Safeguard your/your client’s valuable intellectual property rights.
  • Build trust and confidence that encourages your business partners and customers to entrust confidential data with your company (i.e. beyond self-declaration).
  • Motivate leaders to maintain focus and impetus on management systems.
  • Support a continuous process of improvement throughout the organisation.
  • Reduce/remove the need for second-party audits and their associated overheads.
• What can IT Governance do to help us gain ISO 27001:2013 certification as quickly as possible?

  IT Governance is able to provide you with the resources, support, guidance and advice to prepare for ISO 27001:2013 certification. Your organisation will then be in a position to be independently assessed by a recognised certification body (e.g. BSI, DNV, NQA, Alcumus ISOQAR, Certification International, Bureau Veritas etc). With project support provided by our expert consultants, you can implement ISO 27001:2013 in less time, and for much less money than it would cost to go it alone. We can show you how to minimise the workload without sacrificing operational effectiveness. What’s more, we don’t attempt to do the job for you as some consultancy practices aim to; we deliberately transfer the knowledge that you need at each and every stage in adoption. Furthermore, you can hire us for either the whole job or any part of the process. For example, we can help you to:

  • Carry out a health check led by our experts – see our ISO 27001:2013 Health Check service page.
  • Define strategy for achieving ISO27001.
  • Perform a detailed risk assessment.
  • Develop ISMS documentation (high level and/or low-level, as required).
  • Roll out ISMS and associated controls.
  • Determine training and awareness needs.
  • Prepare for internal, Stage 1 and Stage 2 (certification) audits.
  • Achieve accredited certification.
  • Maintain your ISMS (surveillance cycle).
• We know a great many professional services firms that offer consultancy in compliance. What makes IT Governance different, and why should we use your services to implement ISO 27001:2013?

  Ask our clients! More than 150 organisations have used IT Governance expert consultants to achieve ISO 27001 certification, and many board managers and project leaders praise our expert approach and services. Hundreds more have sought our advice and support when introducing ISO 27001. Our cost-effective service offers you:

  • A free initial assessment and/or low-cost IT Governance Health Check so that you can assess where you are (after all, you may already meet many of the requirements) and identify how you can progress with us to success.
  • Transparent pricing that enables you to control all your costs of achieving certification.
  • Transfer of knowledge and skill to you and your people so that you can continue meeting compliance targets after the initial implementation period ends.
  • Documented information about your training programmes and the relevant skill levels/qualifications attained by members of staff and contractors, providing evidence of competence on the basis of appropriate education, training, or experience. (Clause 7.2: Competence, ISO 27001:2013 standard.)
  • Comprehensive and integrated ISO 27001 resources including: experienced consultants; risk management expertise; technical information security expertise; trainers and training courses; books and tools; recruitment and support.
  • This means to link your ISO 27001 information security framework with your COBIT^®, ISO 20000, ITIL^®, PCI DSS and other management frameworks, as well as with your other information regulatory compliance obligations.
  • A simple, no-quibble, 100% guarantee of successful certification , which removes all worry!
  • An implementation approach and methodology that is pragmatic, proven and straightforward - we wrote the book on how to do it).
  • In-house training and public training courses led by our international experts to help you make rapid progress and develop the skills to run your ISMS.
  • An information security management system (ISMS) tailored to suit your requirements, is cost-effective to operate, and meets ISO 27001's requirements.

Please email us or telephone 00 800 48 484 484 today to speak to one of our consultancy team and arrange your ISO 27001:2013 Health Check or get a quote for our consultancy services.