
ISO 27001 & ISO 22301 Blog

Implement ISO 27001 according to current 2005 revision, or wait for new 2013 revision?

Update 2013-09-25: ISO/IEC 27001:2013 was published on September 25, 2013.

Currently, the most repeated question I hear from companies implementing ISO 27001 is: “I heard a new revision of ISO 27001 is soon to be published – what should we do? Should we wait for the new revision or implement the standard according to the currently valid revision from 2005?”

My suggestion is: if you can finish it rather quickly, use the current 2005 revision; if you are just starting, go straight to the 2013 revision. Here’s why…


At the time of writing this post, the International Organization for Standardization has published on their website that the targeted publication date for the new revision of ISO 27001 is October 19, 2013 – it will be called ISO/IEC 27001:2013.

Judging from experience, one cannot say for sure that the new revision of ISO 27001 will really be published in October; however, there is a high probability that this will happen. If not in October, then it will almost certainly be by the end of 2013.

Companies already certified against the 2005 revision of the standard will have a transition period of 1 to 2 years to “upgrade” their Information Security Management System (ISMS) to the new 2013 revision – certification bodies will check whether they are compliant during the regular surveillance visits, and this is normally not considered re-certification. The length of this transition period is still not defined by the accreditation bodies.

However, certification bodies will still be able to certify companies against the 2005 revision even after the new 2013 revision is published – this transition period will last between 6 and 12 months after the publication of the new revision. (The length of this transition period will also be defined later on.) During this period, the companies will have a choice whether to certify against the 2005 or 2013 revisions.

ISO 27001 2005 vs. 2013 – The differences

You can find a more detailed explanation of the differences in these articles. (They discuss the draft versions, but the final versions will have almost no changes when compared with these drafts):

But, if I can summarize these changes, my conclusions would be these:

  • Except for the changes in structure, there are no significant changes in the main part of the standard – when you read clauses 0 to 10 closely, the changes account for only about 10% of the requirements.
  • Changes in information security controls from Annex A are a bit more significant, but not enormously – the structure of the sections has changed; there are some new controls and some are gone. All in all, I would say that the change here is about 30% when compared to the 2005 revision.

What to do now – go for the 2005 or 2013 revision?

Knowing all this, I think this is the best course of action: (a) if you have already implemented part of your project according to the 2005 revision and are sure you can finish it within the next 6 months, then finish your implementation according to ISO 27001:2005 (and do it quickly); (b) if you are just starting your project, you should do it according to the new 2013 revision of the standard – by the time you are finished with the implementation, the new revision will certainly be published.

Dejan Kosutic
Leading expert on cybersecurity/information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients.

As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.