
    ISO 27001 & ISO 22301 Blog

    Implement ISO 27001 according to current 2005 revision, or wait for new 2013 revision?


    Update 2013-09-25: ISO/IEC 27001:2013 was published on September 25, 2013.

    Currently, the most repeated question I hear from companies implementing ISO 27001 is: “I heard a new revision of ISO 27001 is soon to be published – what should we do? Should we wait for the new revision or implement the standard according to the currently valid revision from 2005?”

    My suggestion is: if you can finish it rather quickly, use the current 2005 revision; if you are just starting, go straight away with the 2013 revision. Here’s why…

    Timing

    At the time of writing this post, the International Organization for Standardization has published on their website that the targeted publication date for the new revision of ISO 27001 is October 19, 2013 – it will be called ISO/IEC 27001:2013.

    Judging from experience, one cannot say for sure that the new revision of ISO 27001 will really be published in October; however, there is a high probability that this will happen. If not in October, then it will almost certainly be by the end of 2013.

    Companies already certified against the 2005 revision of the standard will have a transition period of 1 to 2 years to “upgrade” their Information Security Management System (ISMS) to the new 2013 revision – certification bodies will check whether they are compliant during the regular surveillance visits, and this is normally not considered re-certification. The length of this transition period has not yet been defined by the accreditation bodies.

    However, certification bodies will still be able to certify companies against the 2005 revision even after the new 2013 revision is published – this transition period will last between 6 and 12 months after the publication of the new revision. (The length of this transition period will also be defined later on.) During this period, the companies will have a choice whether to certify against the 2005 or 2013 revisions.

    ISO 27001 2005 vs. 2013 – The differences

    You can find a more detailed explanation of the differences in these articles. (They discuss the draft versions, but the final versions will have almost no changes when compared with these drafts):

    But, if I can summarize these changes, my conclusions would be these:

    • Except for the changes in structure, there are no significant changes in the main part of the standard – when you read clauses 0 to 10 closely, the changes account for only about 10% of the requirements.
    • Changes in information security controls from Annex A are a bit more significant, but not enormously – the structure of the sections has changed; there are some new controls and some are gone. All in all, I would say that the change here is about 30% when compared to the 2005 revision.

    What to do now – go for the 2005 or 2013 revision?

    Knowing all this, I think this is the best course of action: (a) if you have already implemented part of your project according to the 2005 revision and are sure you can finish it within the next 6 months, then finish your implementation according to ISO 27001:2005 (and do it quickly); (b) if you are just starting your project, you should do it according to the new 2013 revision of the standard – by the time you are finished with the implementation, the new revision will certainly be published.


    Author: Dejan Kosutic