New version of ISO IEC 27001 to better tackle IT security risks

ISO/IEC 27001, the popular information security management system standard, is being revised, with the new version to be published in October 2013.

ISO spoke to Edward Humphreys, Convener of the working group responsible for the development and maintenance of ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, to find out how the revision is going to affect you, the standard user.

What are the major benefits of the new edition?

We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005. The idea is to provide a more flexible, streamlined approach, which should lead to more effective risk management.

We have also made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today's risks, namely identity theft, risks related to mobile devices, and other online vulnerabilities.

Finally, the new ISO/IEC 27001 has been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easy option.

What are the benefits of modifying the new ISO/IEC 27001 to fit the new high-level structure for management system standards?

Aligning ISO/IEC 27001 to the new structure will help organisations wanting to implement more than one management system at a time. The similarity in structure between the standards will save organisations money and time as they can adopt integrated policies and procedures. For example, an organisation might want to integrate its information security system (ISO/IEC 27001) with other management systems such as:

  • business continuity management (ISO 22301:2012 Societal security – Business continuity management systems – Requirements)
  • IT service management (ISO/IEC 20000-1:2011 Information technology – Service management – Part 1: Service management system requirements)
  • quality management (ISO 9001:2008 Quality management systems – Requirements).

What is the next step in the revision process?

The revision of the 2005 edition is now at the Final Draft International Standard stage. This will be completed in early September 2013, after which any typographical edits will be made ready for the expected launch in October 2013. At this point, the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.

I am certified to ISO 27001:2005. What will this revision mean for me?

Organisations certified to the 2005 edition of the standard will need to upgrade their information security management system to comply with the requirements of the new edition of the standard. The transition period for upgrading has not yet been decided, but it is likely to be 2 years from when the new edition is published.

How much effort will it take to go from the old version to the new version?

Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps as it means the effort required can be part of a staged work programme, integrated into continual improvement activities, and planned surveillance audits.

Summarised from an ISO media release, 14 August 2013.

Related standard

  • ISO/IEC 27001 for Small businesses – Practical advice. To order, call 0800 782 632 during business hours or email

Note: You can order ISO standards from, or call 0800 782 632 during business hours, or email Members of Standards New Zealand receive a 20% discount on all NZS and AS/NZS standards, and a 10% discount on all international standards. Visit our membership page for more information.

Published in business and ICT.

You may be interested in these Standards: