Full details are in “An introduction to ISO/IEC 27001:2013” by David Brewer

  “IMS-Smart On-Line is indeed a product of the 21st Century”, as an ISO/IEC 27001/ISO 9001 assessor said at the conclusion of an initial audit in 2008

The new ISO management system standards


All new and revised management system standards must now conform to new ISO Directives concerning high level structure and identical core text. The idea is that requirements that ought to be the same for all management system standards (e.g. corrective action) ought to be identically worded – and now they are. Requirements that are peculiar to a particular discipline (e.g. quality) are incorporated in what is known as “discipline-specific text”. In producing its new directives,ISO has made a few other changes. These are summarised below together with a summary of the changes made to ISO/IEC 27001. Full details are in David Brewer’s books: “Understanding the new ISO management system standards”. The new versions of ISO 9001 and ISO 14001 have just been published. These too conform to the new ISO directives, so they share the same structure and core management system requirements as ISO/IEC 27001.


The following figure shows the high level structure (blue text) together with the discipline-specific requirement headings for ISO/IEC 27001:2013.

A detailed explanation of the new standard is given in in David Brewer’s book: “An introduction to ISO/IEC 27001:2013” 3rd Edition

Other changes

In summary, other changes that you will find include:

  1. The concept of preventive action has disappeared. This this because the whole purpose of a management system is essentially preventive. As some organisations may already know, there is a close link between preventive action and risk assessment. It is therefore not surprising that in the new Directives, preventive action by assessment and treatment of risks and opportunities (Clauses 4.1, 6.1 and 8.1).
  2. The distinction between documents are records has been removed. They are now collectively referred to as documented information. However, depending on context, one can still see whether the standard is referring to a specification of future intent (i.e. a document) or a record of performance (i.e. a record).
  3. There is no mention of the Deming cycle or PCDA model. Arguably this has led to confusion on how to implement a management system standard (which is a specification for what a management system does, not how it is to be constructed) and there are other philosophies for continual improvement such as 6-sigma which an organisation might use to use.
  4. The requirements for performance evaluation are more developed.
  5. ISO has made a good attempt at only specify WHAT an organisation must do the achieve conformance not HOW it is to be done.

Changes to ISO/IEC 27001

In summary, other changes that you will find include:

  1. The risk assessment requirements are more general. This is because the new version of ISO/IEC 27001 has been aligned with ISO 31000:2009 (“Risk management — principles and guidelines”). As a consequence, organisations are no longer required to identify assets, threats and vulnerabilities in order to identify risks. Other methods can now be used.
  2. The SOA requirements are deceptively similar to the 2005 version, but in the new standard you “determine” the controls that you need as part of risk treatment and merely compare them those in Annex A to ensure that no important control has been overlooked. It cannot be overstressed that the controls in ISO/IEC 27001:2013, Annex A are not requirements of the standard. The requirement is the comparison.
  3. There are 114 controls in Annex A.

Further details are to be found on the Gamma website.

BSI has published its transition guide and detailed mapping tables that show how the new ISO/IEC 27001 and ISO/IEC 27002 standards relate to the old.


New developments

  1. ISO/IEC 27001 has been confirmed (i.e. it will not be revised). It will not be reconsidered for periodic revision until 2022.
  2. However, ISO/IEC 27002, the source of Annex A, is under revision with an expected publication date of 2021/22 It is currently at Draft International Standard status.
  3. The high level structure and identical core text (Annex SL of the ISO Directives, and the blue text in the above figure) has been revised, albeit the proposed changes are minor.
  4. A new edition of ISO 31000 was published in 2018.
  5. ISO/IEC 27701:2019 is a new standard that augments and refines the requirements of ISO/IEC 27001 and the guidance of ISO/IEC 27002 for privacy.