ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
New Security Controls
Annex A controls introduced in the 2013 revision that did not exist in the 2005 revision:
A.6.1.5 Information security in project management
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.16.1.4 Assessment of and decision on information security events
A.17.2.1 Availability of information processing facilities
The updated ISO/IEC 27001:2013 standard is broken into ten main sections, or clauses.
These are:
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and Definitions
Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement