Update 2013-09-25: ISO/IEC 27001:2013 was published on September 25, 2013.
Currently, the most repeated question I hear from companies implementing ISO 27001 is: “I heard a new revision of ISO 27001 is soon to be published – what should we do? Should we wait for the new revision or implement the standard according to the currently valid revision from 2005?”
My suggestion is: if you can finish it rather quickly, use the current 2005 revision; if you are just starting, go straight away with the 2013 revision. Here’s why…
Timing
At the time of writing this post, the International Organization for Standardization has published on their website that the targeted publication date for the new revision of ISO 27001 is October 19, 2013 – it will be called ISO/IEC 27001:2013.
Judging from experience, one cannot say for sure that the new revision of ISO 27001 will really be published in October; however, there is a high probability that this will happen. If not in October, then it will almost certainly be by the end of 2013.
Companies already certified against the 2005 revision of the standard will have a transition period of 1 to 2 years to “upgrade” their Information Security Management System (ISMS) to the new 2013 revision – certification bodies will check if they are compliant during the regular surveillance visits, and this is normally not considered as re-certification. The length of this transition period is still not defined by the accreditation bodies.
However, certification bodies will still be able to certify companies against the 2005 revision even after the new 2013 revision is published – this transition period will last between 6 and 12 months after the publication of the new revision. (The length of this transition period will also be defined later on.) During this period, companies will have a choice of whether to certify against the 2005 or the 2013 revision.
ISO 27001 2005 vs. 2013 – The differences
You can find a more detailed explanation of the differences in these articles. (They discuss the draft versions, but the final versions will have almost no changes when compared with these drafts):
- A first look at the new ISO 27001:2013 – this post covers the changes in the main part of ISO 27001 (clauses 0 to 10)
- Main changes in the new ISO 27002:2013 – this post covers the changes in ISO 27002, which has exactly the same structure as controls specified in Annex A of ISO 27001
But, if I can summarize these changes, my conclusions would be these:
- Except for the changes in structure, there are no significant changes in the main part of the standard – when you read clauses 0 to 10 closely, the changes account for only about 10% of the requirements.
- Changes in information security controls from Annex A are a bit more significant, but not enormously – the structure of the sections has changed; there are some new controls and some are gone. All in all, I would say that the change here is about 30% when compared to the 2005 revision.
What to do now – go for the 2005 or 2013 revision?
Knowing all this, I think this is the best course of action: (a) if you have already implemented part of your project according to the 2005 revision and are sure you can finish it within the next 6 months, then finish your implementation according to ISO 27001:2005 (and do it quickly); (b) if you are just starting your project, you should do it according to the new 2013 revision of the standard – by the time you are finished with the implementation, the new revision will certainly be published.