The new ISO management system standards


All new and revised management system standards must now conform to new ISO Directives concerning high level structure and identical core text. The idea is that requirements which ought to be the same for all management system standards (e.g. corrective action) ought to be identically worded – and now they are. Requirements that are peculiar to a particular discipline (e.g. quality) are incorporated in what is known as “discipline-specific text”. In producing its new directives, ISO has made a few other changes. These are summarised below, together with the changes made to ISO/IEC 27001. Full details are in David Brewer’s new book: “Understanding the new ISO management system standards”. The new versions of ISO 9001 and ISO 14001 have just been published. These too conform to the new ISO directives, so they share the same structure and core management system requirements as ISO/IEC 27001.


The following figure shows the high level structure (blue text) together with the discipline-specific requirement headings for ISO/IEC 27001:2013.

A detailed explanation of the new standard is given in David Brewer’s book: “An introduction to ISO/IEC 27001:2013”.

Other changes

In summary, other changes that you will find include:

  1. The concept of preventive action has disappeared. This is because the whole purpose of a management system is essentially preventive. As some organisations may already know, there is a close link between preventive action and risk assessment. It is therefore not surprising that in the new Directives, preventive action is achieved by the assessment and treatment of risks and opportunities (Clauses 4.1, 6.1 and 8.1).
  2. The distinction between documents and records has been removed. They are now collectively referred to as documented information. However, depending on context, one can still see whether the standard is referring to a specification of future intent (i.e. a document) or a record of performance (i.e. a record).
  3. There is no mention of the Deming cycle or PDCA model. Arguably its inclusion in earlier versions led to confusion on how to implement a management system standard (which is a specification for what a management system does, not how it is to be constructed), and there are other philosophies for continual improvement, such as Six Sigma, which an organisation might prefer to use.
  4. The requirements for performance evaluation are more developed.
  5. ISO has made a good attempt at only specifying WHAT an organisation must do to achieve conformance, not HOW it is to be done.

Changes to ISO/IEC 27001

  1. The risk assessment requirements are more general. This is because the new version of ISO/IEC 27001 has been aligned with ISO 31000:2009 (“Risk management — principles and guidelines”). As a consequence, organisations are no longer required to identify assets, threats and vulnerabilities in order to identify risks. Other methods can now be used.
  2. The Statement of Applicability (SOA) requirements are largely unchanged from the 2005 version, save that the new standard makes it clear that you do not “select” controls from Annex A. Instead you “determine” the controls you need as part of risk treatment and then compare those controls with the ones in Annex A to ensure that no important control has been overlooked.
  3. There are 114 controls in Annex A.

